Azure AD and events - automated insight with AIMS

AIMS can now get login- and audit-data from Azure AD, and pair this information with administrative- and security-events that occurs on your Azure subscription.

AIMS will also use its machine-learning to create baselines for the 4 different event-types, meaning that if there is a sudden change of activity on either event-type, AIMS will be able to detect this and correlate the information to any impacts detected. For instance, an admin event to reduce the size of a VM could impact the performance of an application hosted on that VM. An increase in security events combined with failed logins can indicate hacking attempts. 

By combining this event agent with the Azure monitor agent, you will have a very powerful tool that can

  • Detect bottlenecks, and see if it is related to available resources, config change, security issue or new deployment
  • If an admin event correlates with the performance issue, you can see when and who did the change
  • Control cost by having control over all deployments and config changes in Azure
  • Get early warnings about potential security issues, and correlate with Azure usage, performance and logins.
  • Get information about security and user settings on Azure resources, and see if any of these correlates to security events, increased traffic or performance issues.

The bullets above only list a few of the interesting capabilities available by applying machine learning to these data. Also, each event coming from Azure is logged as an event in AIMS, so you will have all the details on the event like eventtype, resource affected, user, IP, location action and more.

The agent is written in Javascript, so it can be hosted pretty much anywhere. It will consume events from a dedicated Event Hub that the user sets up. The user needs to enable diagnostics for Azure AD and Azure Monitor, and pipe the events to the selected Event Hub.

For information on how to install the Azure Event Hub agent, please see the following support page.