SIEM, Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software

How To Download Azure AD Audit Logs and Monitor Sign-In Events

October 14th, 2022

In this article I am going to show you how to schedule Azure Active Directory Audit Log entry downloads, save the downloaded log entries to an on-premise database, get notified when any user fails to login 3 times within 5 minutes then, finally, send an email notification that includes the user's name in the email subject with Corner Bowl Server Manager.

Table of Contents

How to Configure your Azure Portal for Remote Access

Before Server Manager can monitor Azure Active Directory Audit Logs the target Azure Portal must be configured to allow the log entries to be downloaded by Server Manager.

How to Schedule Azure AD Audit Log Downloads

Next, we need to download the latest entries so we can create a Failed Logon Monitor that is based off of a already existing failed logon log entry.

How to Configure the Azure AD Sign-Ins Failed Logon Monitor

To limit the log entries to failed logon events, we need to create and apply a Failed Logon Filter to the log monitor rule.

If you prefer to assign this monitor to the Azure Active Directory Audit Log Consolidation Template, you can apply this log monitor rule to the consolidation template rather than creating a stand-alone log monitor template.
October 14th, 2022