One of the most common questions about Azure identity security is whether the Audit Log and Sign-In Log can be sent from Azure AD to Log Analytics for adversary monitoring and alerting. Previously there was no direct path: you needed an automated ETL (Extract-Transform-Load) job (e.g. Automation Account, Azure Function or Logic App) to pull AAD data from a storage account or Event Hub into a Log Analytics workspace.
A direct path has been on the wish list for a long time, as identity threats have been on the rise. Today Microsoft rolled out a Log Analytics integration capability that lets you export data from Azure AD to a Log Analytics workspace.
With this capability, you can query Sign-In activities when investigating a security incident. Moreover, Kusto query-based alerts are also beneficial to your identity security monitoring.
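A query of the kind an alert rule could run, as an added example that is not from the original post. It assumes the exported sign-in data lands in the workspace's `SigninLogs` table with the `ResultType`, `UserPrincipalName` and `IPAddress` columns; the one-hour window and ten-account threshold are illustrative values to tune for your tenant.

```kusto
// Added example: surface source IPs with failed sign-ins against many
// distinct accounts in a short window (a common password-spray signal).
// lookback and accountThreshold are assumed values, not recommendations.
let lookback = 1h;
let accountThreshold = 10;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                      // "0" is a successful sign-in
| summarize
    FailedAttempts   = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    SampleAccounts   = make_set(UserPrincipalName, 20),
    ErrorCodes       = make_set(ResultType),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by IPAddress
| where TargetedAccounts >= accountThreshold   // alert fires when any row is returned
| order by TargetedAccounts desc
```

During an incident, the same query with a longer `lookback` and a filter on one `IPAddress` gives the list of accounts that address attempted.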
This feature was mentioned at the most recent Microsoft Ignite 2018, as recorded below:
To capture the Sign-In Log, you must have the Azure AD Premium feature enabled.
If you’d like to understand the Sign-In log schema, get started from here.