Unit 5: Export logs to a third-party security information and event management (SIEM) system
Organizations often use third-party SIEM tools to centralize security monitoring across cloud and on-premises environments. Microsoft Entra ID and Azure services support this by exporting logs through Azure Monitor, which acts as the unified logging pipeline.
Azure Monitor as the central logging pipeline
Since the introduction of Azure Monitor, Microsoft has consolidated logging across Azure services into a single, standardized pipeline.
Key points
- Most major Azure services now send logs to Azure Monitor, including:
  - Azure Resource Manager.
  - Microsoft Defender for Cloud.
  - Microsoft Entra ID (via diagnostic settings).
- Azure Monitor supports:
  - Multiple diagnostic settings per resource.
  - Routing logs to different destinations simultaneously.
- This design simplifies:
  - Large-scale log management.
  - Centralized security monitoring.
Recommended SIEM integration architecture
Microsoft recommends integrating third-party SIEM tools using Azure Event Hubs.
Why Azure Event Hubs?
Azure Event Hubs provides a:
- Scalable log ingestion endpoint.
- Centralized destination for logs from multiple Azure services.
- Decoupled architecture that allows multiple consumers.
Recommended flow
- Azure services generate logs.
- Logs are sent to Azure Monitor.
- Azure Monitor routes logs to Azure Event Hubs.
- Third-party SIEM tools consume logs from Event Hubs.
This is the Microsoft-recommended approach for SIEM integration going forward.
SIEM partner integrations
Microsoft has partnered with major SIEM vendors to build native connectors that consume logs from Azure Event Hubs.
Supported SIEM integrations
| SIEM Tool | Recommended integration |
|---|---|
| Splunk | Azure Monitor Add-On for Splunk |
| IBM QRadar | Microsoft Azure DSM + Azure Event Hubs Protocol |
| ArcSight | ArcSight Azure Event Hubs Smart Connector |
These connectors are designed to:
- Consume Azure Monitor log data.
- Parse Azure security logs correctly.
- Scale with enterprise workloads.
Azure Log Integration tool (AzLog)
What was AzLog?
- Azure Log Integration (AzLog) was an older tool used to:
  - Collect logs from multiple Azure services.
  - Normalize and forward them to SIEM tools.
- It existed before Azure Monitor.
- Azure services previously exposed logs in inconsistent ways:
  - Storage accounts.
  - APIs.
  - Custom outputs.
Current status of AzLog
- AzLog is still supported for existing customers.
- Microsoft recommends migrating away from AzLog where possible.
- Azure Monitor now replaces most AzLog functionality.
SIEM integration recommendations
Use the table below to determine the correct approach based on your SIEM tool and current state.
Migration guidance
| SIEM Tool | Currently using AzLog | Evaluating SIEM integration |
|---|---|---|
| Splunk | Migrate to Azure Monitor Add-On for Splunk | Use Azure Monitor Add-On for Splunk |
| IBM QRadar | Migrate to Azure DSM + Event Hubs Protocol | Use Azure DSM + Event Hubs Protocol |
| ArcSight | Use ArcSight Azure Event Hubs Smart Connector | Use ArcSight Azure Event Hubs Smart Connector |
Only SIEM tools that were officially supported by AzLog are included here.
Integration roadmap and current gaps
Azure Monitor does not yet cover all AzLog capabilities. Microsoft has identified the following gaps and roadmap items.
Known gaps
- Microsoft Entra logs
  - Some Entra logs were directly integrated with AzLog but are not fully available in Azure Monitor yet.
- Azure VM guest OS logs
  - AzLog could forward Windows Security Events.
  - Azure Monitor agents (Windows & Linux) can collect OS logs.
  - End-to-end SIEM integration for these logs is complex.
- End-to-end automation
  - AzLog provided scripts for automated setup.
  - Azure Monitor supports scripting diagnostic settings.
  - Azure Policy is being developed to enforce log routing at scale.
Integration with other SIEM tools
AzLog supported exporting standardized JSON logs to disk, enabling integration with SIEM tools that were not officially supported.
Current recommendation
- For SIEM tools not listed (for example, LogRhythm):
  - Work directly with the SIEM vendor.
  - Use Azure Monitor → Event Hubs as the ingestion mechanism.
  - Build or use an Event Hubs–based connector.
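The first thing an Event Hubs–based connector (whether for the recommended flow above or for an unlisted SIEM) has to do is unpack the envelope Azure Monitor writes to the hub: each message body is a JSON object whose `records` array holds one log entry per element. The block below is an added illustration, not code from the unit or from any Microsoft connector; it assumes that envelope shape, uses a constructed sample body in place of a live Event Hubs receive loop, and shows how to normalize records and tolerate malformed batches before handing them to a SIEM.

```python
import json
from collections import defaultdict

# Constructed sample body: the JSON envelope Azure Monitor writes to an Event
# Hub, a "records" array with one Entra ID sign-in and one audit record.
# Every identifier and value below is made up for illustration.
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2024-05-01T10:15:30Z",
     "resourceId": "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam",
     "category": "SignInLogs", "operationName": "Sign-in activity",
     "resultType": "50126",
     "properties": {"userPrincipalName": "alice@example.test",
                    "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal"}},
    {"time": "2024-05-01T10:16:02Z",
     "resourceId": "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam",
     "category": "AuditLogs", "operationName": "Add member to role",
     "resultType": "Success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}}},
]})

# Fields a record must carry before a SIEM can index it meaningfully.
REQUIRED = ("time", "resourceId", "category", "operationName")

def parse_monitor_message(body):
    """Turn one Event Hubs message body into (events, dropped_count).
    A non-JSON body or an envelope without a "records" list drops the whole
    message; an individual malformed record is skipped so the rest of the
    batch still reaches the SIEM."""
    try:
        envelope = json.loads(body)
    except ValueError:
        return [], 1
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        return [], 1
    events, dropped = [], 0
    for rec in records:
        if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED):
            dropped += 1
            continue
        events.append({
            "timestamp": rec["time"],
            "resource_id": rec["resourceId"].lower(),  # case-insensitive matching downstream
            "category": rec["category"],
            "operation": rec["operationName"],
            "result": str(rec.get("resultType", "")),
            "properties": rec.get("properties", {}),
        })
    return events, dropped

def route_by_category(events):
    """Group events by Azure Monitor log category (SignInLogs, AuditLogs, ...)
    so the connector can map each category to its own SIEM source type."""
    routed = defaultdict(list)
    for ev in events:
        routed[ev["category"]].append(ev)
    return dict(routed)
```

In a real connector the body passed to `parse_monitor_message` comes from the Event Hubs SDK receive loop, and the dropped count should be surfaced as a metric so silent log loss is visible.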
Security and scalability considerations
- Centralizing logs through Azure Monitor:
  - Improves visibility.
  - Reduces configuration complexity.
- Event Hub–based integration:
  - Scales across large Azure environments.
  - Supports multiple consumers.
- Moving SIEM integration to Azure Monitor:
  - Aligns with Microsoft’s long-term security architecture.
  - Enables consistent, manageable security operations.
Exam-focused summary (Unit 5)
- Azure Monitor is the central logging pipeline.
- Microsoft recommends Azure Event Hubs for SIEM integration.
- Major SIEMs (Splunk, QRadar, ArcSight) have native connectors.
- AzLog is legacy and should be migrated away from.
- Azure Monitor does not yet cover all AzLog scenarios.
- Third-party SIEM tools should integrate via Event Hubs.
- This approach enables secure, scalable log export.