Connect to Microsoft Azure for log data collection
Stay organized with collections
Save and categorize content based on your preferences.
The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM)
capabilities for Microsoft Azure require the ingestion of Microsoft Azure logs
using the Security Operations console ingestion pipeline. The Microsoft Azure log
types required for ingestion differ based on what you are configuring:
CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY)
log type.
Curated detections require data from multiple log types.
To learn more about the different Microsoft Azure log types, see
Supported devices and required log types.
Curated detections
Curated detections in the Enterprise tier of Security Command Center help identify threats in
Microsoft Azure environments using both event and context data.
These rule sets require the following data to function as designed. You must ingest
Azure data from each of these data sources to have maximum rule coverage.
For information about the type of log data that customers with Security Command Center
Enterprise can ingest directly to the Google SecOps tenant, see
Google SecOps log data collection.
Configure Microsoft Azure log ingestion for CIEM
To generate CIEM findings for your Microsoft Azure environment,
the CIEM capabilities require data from Azure activity logs for
each Azure subscription or management group that needs to be analyzed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["| Enterprise [service tier](/security-command-center/docs/service-tiers)\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThe Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM)\ncapabilities for Microsoft Azure require the ingestion of Microsoft Azure logs\nusing the Security Operations console ingestion pipeline. The Microsoft Azure log\ntypes required for ingestion differ based on what you are configuring:\n\n- CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.\n- Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see [Supported devices and required log types](/chronicle/docs/detection/cloud-threats-category#azure-supported-devices).\n\nCurated detections\n\nCurated detections in the Enterprise tier of Security Command Center help identify threats in\nMicrosoft Azure environments using both event and context data.\n\nThese rule sets require the following data to function as designed. You must ingest\nAzure data from each of these data sources to have maximum rule coverage.\n\n- [Azure cloud services](https://azure.microsoft.com/en-us/free/cloud-services/)\n- [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/), previously Azure Active Directory\n- [Microsoft Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs), previously Azure AD audit logs\n- [Microsoft Defender for Cloud](https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-cloud)\n- [Microsoft Graph API Activity](https://learn.microsoft.com/en-us/graph/use-the-api)\n\nFor more information, see the following in the Google SecOps\ndocumentation:\n\n- [Supported devices and required log types for Azure](/chronicle/docs/detection/cloud-threats-category#azure-supported-devices): information about the data\n required by each rule set.\n\n- [Ingest Azure and Microsoft Entra ID data](/chronicle/docs/detection/cloud-threats-category#ingest-azure) and [Create an Azure Event Hub feed](/chronicle/docs/administration/create-azure-feed): steps to collect Azure and Microsoft\n Entra ID log data.\n\n- [Curated detections for Azure data](/chronicle/docs/detection/cloud-threats-category#azure-curated-detections): summary of the Azure rule sets\n in the Cloud Threats Category curated detections.\n\n- [Use curated detections to identify threats](/chronicle/docs/detection/use-curated-detections): how to use curated detections in Google SecOps.\n\nFor information about the type of log data that customers with Security Command Center\nEnterprise can ingest directly to the Google SecOps tenant, see\n[Google SecOps log data collection](/security-command-center/docs/service-tiers#microsoft-logs).\n\nConfigure Microsoft Azure log ingestion for CIEM\n\nTo generate CIEM findings for your Microsoft Azure environment,\nthe CIEM capabilities require data from Azure activity logs for\neach Azure subscription or management group that needs to be analyzed.\n\nBefore you begin\n\nTo export activity logs for your Azure subscriptions or management groups, [configure a Microsoft Azure storage account](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_storage_account).\n\nConfigure Microsoft Azure log ingestion for management groups\n\n1. To configure Azure activity logging for management groups, use the\n [Management group API](https://learn.microsoft.com/en-us/rest/api/monitor/management-group-diagnostic-settings/create-or-update).\n\n | **Note:** The Microsoft Azure portal does not support configuring diagnostic settings for management groups.\n2. To ingest exported activity logs from the storage account, [configure a feed in Security Operations console](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_feed_in_to_ingest_the_azure_logs).\n\n3. Set an **Ingestion label** for the feed by setting **Label** to `CIEM` and the **Value** to `TRUE`.\n\nConfigure Microsoft Azure log ingestion for subscriptions\n\n1. To configure Azure activity logging for subscriptions, do the following:\n\n 1. In the Azure console, search for **Monitor.**\n 2. In the left navigation pane, click the **Activity log** link.\n 3. Click **Export Activity Logs**.\n 4. Perform the following actions for each subscription or management group for which logs need to be exported:\n 1. In the **subscription** menu, select the Microsoft Azure subscription from which you want to export activity logs.\n 2. Click **Add diagnostic setting.**\n 3. Enter a name for the diagnostic setting.\n 4. In **Log categories** , select **Administrative**.\n 5. In **Destination details** , select **Archive to a storage account**.\n 6. Select the subscription and storage account that you created, and click **Save**.\n2. To ingest exported activity logs from the storage account, [configure a feed in Security Operations console](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_feed_in_to_ingest_the_azure_logs).\n\n3. Set an **Ingestion label** for the feed by setting **Label** to `CIEM` and the **Value** to `TRUE`.\n\nWhat's next\n\n- To enable CIEM, see [Enable the CIEM detection service](/security-command-center/docs/enable-ciem-detection).\n- To learn more about CIEM features, see [Overview of CIEM](/security-command-center/docs/concepts-ciem)."]]
