When you run resources in Microsoft Azure, the resources and Azure Resource Manager together produce log files for different kinds of events. A resource can be a virtual machine, a SQL database or a storage account, for example. Resources are delivered by resource providers through Azure Resource Manager, which also records an event for every action taken on a resource, such as a write, a delete or an update.
The Azure Resource Manager
A video explaining how the Azure Resource Group model works is embedded in the original post:
A short explanation of the resource provider can be found at https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/ and if you’re running workloads in classic mode you can find an explanation of the differences at https://azure.microsoft.com/en-us/documentation/articles/resource-manager-deployment-model/.
Enabling logging to storage account
To get the log files into your SIEM you first need to enable logging to either a storage account or an Event Hub. A storage account is easier to manage and is what the Azure Log Integration tool reads from. Open each resource (in the pictures I have a virtual machine and a web app) and enable diagnostic logging to the storage account.
Your workloads will start saving their logfiles to your storage account when you’ve saved the settings.
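The same procedure from Azure PowerShell, as an added example that is not from the original post. It uses the AzureRM module of the time: a resource-level diagnostic setting for each resource (here, assumed, a network security group and a Key Vault, both of which write diagnostic logs) plus a log profile that exports the Resource Manager Activity Log (the write/delete/action events from the first paragraph) to the same storage account. A virtual machine's guest-OS logs do not come through this resource-level setting; they need the Azure Diagnostics extension on the VM. All resource group, resource, storage account and log profile names are assumptions.

```powershell
# Added example (not from the original post): enable Azure diagnostic logging
# and Activity Log export to a storage account with the AzureRM PowerShell module.
# Names below are assumptions; change them to match your subscription.
Login-AzureRmAccount   # interactive sign-in; skip if a session already exists

$rgName = 'rg-logging'           # assumed resource group of the storage account
$saName = 'siemlogsstorage'      # assumed storage account the SIEM integrator reads
$logProfileName = 'siem-export'  # assumed name of the subscription's log profile
$retentionDays = 90

# Assumed resources that should write diagnostic logs. Use resource types that
# emit logs (NSG flow/rule events, Key Vault audit events); a plain VM resource
# only gives metrics here, its guest logs come from the Diagnostics extension.
$resources = @(
    @{ ResourceGroupName = 'rg-workloads'; Name = 'nsg-web';  ResourceType = 'Microsoft.Network/networkSecurityGroups' },
    @{ ResourceGroupName = 'rg-workloads'; Name = 'kv-prod';  ResourceType = 'Microsoft.KeyVault/vaults' }
)

$sa = Get-AzureRmStorageAccount -ResourceGroupName $rgName -Name $saName

# 1. Per-resource diagnostic logs -> storage account, with retention enabled so
#    the account does not fill up forever.
foreach ($r in $resources) {
    $res = Get-AzureRmResource -ResourceGroupName $r.ResourceGroupName `
                               -ResourceName $r.Name -ResourceType $r.ResourceType
    Set-AzureRmDiagnosticSetting -ResourceId $res.ResourceId `
                                 -StorageAccountId $sa.Id `
                                 -Enabled $true `
                                 -RetentionEnabled $true `
                                 -RetentionInDays $retentionDays
}

# 2. Activity Log (Resource Manager write/delete/action events) -> same storage
#    account. A subscription allows one log profile, so remove an old one first
#    if Add-AzureRmLogProfile complains that a profile already exists.
#    'global' must be in the location list or global resources are not exported.
$locations = @((Get-AzureRmLocation).Location) + 'global'
Add-AzureRmLogProfile -Name $logProfileName `
                      -StorageAccountId $sa.Id `
                      -Locations $locations `
                      -Categories 'Write','Delete','Action' `
                      -RetentionInDays $retentionDays

# 3. Verify: each resource should now point at the storage account, and the
#    log profile should exist. Check this before handing over to the SIEM team.
foreach ($r in $resources) {
    $res = Get-AzureRmResource -ResourceGroupName $r.ResourceGroupName `
                               -ResourceName $r.Name -ResourceType $r.ResourceType
    $setting = Get-AzureRmDiagnosticSetting -ResourceId $res.ResourceId
    if ($setting.StorageAccountId -ne $sa.Id) {
        Write-Warning "Diagnostics for $($r.Name) are NOT going to $saName"
    } else {
        $enabledLogs = ($setting.Logs | Where-Object { $_.Enabled }).Category -join ','
        Write-Output "$($r.Name): logs [$enabledLogs] -> $saName"
    }
}
Get-AzureRmLogProfile | Format-List Name, StorageAccountId, Categories, RetentionPolicy
```

The verification step matters: a diagnostic setting can be saved with no log categories enabled, which looks fine in the portal but produces nothing for the integrator to ship. If the last loop prints an empty category list for a resource, re-run `Set-AzureRmDiagnosticSetting` with the `-Categories` parameter for the categories that resource type supports.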
Getting the logs from Azure to your SIEM
That was the easy part. Getting the logs from Azure storage into your SIEM takes some wizardry, and that is where the Azure Log Integration tool comes to the rescue.
Tom Shinder did a great job writing a getting-started guide over at https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/. If you don’t like that one, there is another at https://blogs.msdn.microsoft.com/azuresecurity/2016/07/21/microsoft-azure-log-integration-preview/.
Once you’ve configured your integration VM you’ll need to configure your SIEM. A guide covering various SIEM products is available at https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/.