Getting Azure logs into your SIEM

When you run resources in Microsoft Azure, those resources and Azure Resource Manager together produce log files for different kinds of events. A resource could be, for example, a virtual machine, a SQL database or a storage account. Resources are provisioned through the resource manager, which also records events for the actions performed on them, for example a write, a delete or an update. Those management-plane events are exactly what you want in a SIEM, because they tell you who changed what in your subscription.

The Azure Resource Manager

[Embedded video: how the Azure Resource Group model works]

A short explanation of the Resource Manager model and its resource providers can be found at https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/, and if you’re still running workloads in classic mode you can find an explanation of the differences between the two deployment models at https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/.

Enabling logging to storage account

To get the log files into your SIEM you need to enable logging to either a storage account or an event hub. A storage account is easier to manage and lets you use Azure Log Integration. In the screenshots below I have a virtual machine and a web app; for each resource you enable logging to a storage account from the resource’s own settings.

[Image: log-mgmt-01] Enabling diagnostics logging from a virtual machine to a storage account. Note the various levels of logging you can select.

[Image: log-mgmt-02] Logging to a storage account from a web app.

Your workloads will start saving their logfiles to your storage account when you’ve saved the settings.
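The same thing can be done without the portal. The script below is an added example written for this page, not code from the original post or from Microsoft: it exports the Resource Manager activity log (the write/delete/action events mentioned above) and the diagnostic logs of one resource to a storage account with the AzureRM PowerShell module, then reads the newest exported blob back so you can confirm events are actually arriving before you touch the SIEM. The resource group "rg-logs", storage account "stsiemlogs", VM "vm-web01" in "rg-app", the region list and the 90-day retention are placeholders; the container name and the JSON layout (one object with a "records" array per blob) are assumed from the export format at the time of writing.

```powershell
# Added example (not from the original post). Requires the AzureRM.Profile,
# AzureRM.Resources, AzureRM.Storage, AzureRM.Insights and Azure.Storage modules.
# Placeholders to change: rg-logs, stsiemlogs, rg-app, vm-web01, the region list.

Login-AzureRmAccount
$sa = Get-AzureRmStorageAccount -ResourceGroupName "rg-logs" -Name "stsiemlogs"

# 1. Subscription-wide activity log: every ARM write/delete/action event.
#    Locations must include "global" plus every region you run workloads in,
#    otherwise events from the missing regions are silently not exported.
Add-AzureRmLogProfile -Name "siem-export" `
    -StorageAccountId $sa.Id `
    -Locations "global","westeurope","northeurope" `
    -Categories "Write","Delete","Action" `
    -RetentionInDays 90

# 2. Resource-level diagnostics for one resource (a VM here; the same cmdlet
#    works for any ARM resource that emits diagnostic logs or metrics).
$vm = Get-AzureRmResource -ResourceGroupName "rg-app" -ResourceName "vm-web01" `
        -ResourceType "Microsoft.Compute/virtualMachines"
Set-AzureRmDiagnosticSetting -ResourceId $vm.ResourceId -StorageAccountId $sa.Id -Enabled $true

# 3. Verification. Assumption: activity log events land in the container
#    "insights-operational-logs" as JSON blobs shaped {"records":[...]}.
#    Summarise the newest blob(s) by operationName so you can see the
#    write/delete events with your own eyes before configuring the SIEM.
function Get-ActivityLogSummary {
    param(
        [Parameter(Mandatory)] $StorageAccount,   # object from Get-AzureRmStorageAccount
        [int] $Newest = 1                          # how many of the latest blobs to read
    )
    $container = "insights-operational-logs"
    $ctx = $StorageAccount.Context
    $blobs = Get-AzureStorageBlob -Container $container -Context $ctx |
             Sort-Object LastModified -Descending |
             Select-Object -First $Newest
    if (-not $blobs) {
        Write-Warning "No blobs in $container yet; the first export can take a while after enabling."
        return
    }
    foreach ($blob in $blobs) {
        # Download to a temp file, parse, and throw the file away again.
        $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
        Get-AzureStorageBlobContent -Blob $blob.Name -Container $container `
            -Context $ctx -Destination $tmp -Force | Out-Null
        $records = (Get-Content -Path $tmp -Raw | ConvertFrom-Json).records
        Remove-Item -Path $tmp
        $records | Group-Object operationName | Sort-Object Count -Descending |
            Select-Object Count, Name, @{ n = 'Blob'; e = { $blob.Name } }
    }
}

Get-ActivityLogSummary -StorageAccount $sa -Newest 2
```

If the summary shows only "Microsoft.Storage/storageAccounts/listKeys/action"-style noise and none of the deletes or writes you just performed, check that the region the resource lives in is in the log profile’s location list; that is the most common reason for missing activity log events.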

Getting the logs from Azure to your SIEM

That was the easy part. Getting the logs from Azure storage into your SIEM requires some wizardry, so thank god for Azure Log Integration, to the rescue!

Tom Shinder did a great job writing a getting-started guide over at https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/. If you don’t like that one, there’s another one: https://blogs.msdn.microsoft.com/azuresecurity/2016/07/21/microsoft-azure-log-integration-preview/.

Once you’ve configured your integration VM you’ll need to configure your SIEM. There’s a guide covering the configuration steps for various SIEM products at https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/.
