If you're having trouble at any stage please contact us at support@skyformation.com.
NOTE
If you need to collect Azure Active Directory (AAD) events as well, use the SkyFormation for Office 365 connector for that. It collects the AAD access events (e.g. login failed, login success) as well as anomaly and risk events.
Preface
Azure is a cloud services platform that provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. Azure lets organizations consume compute power and the services they need without having to buy or manage hardware.
Azure National Clouds support
Azure National Clouds (aka Sovereign clouds) are physically isolated instances of Azure. These regions of Azure are designed to make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
The SkyFormation for Azure connector supports all available Azure National Clouds.
To configure your SkyFormation for Azure connector for any of the National Clouds, see the relevant step in our Azure connector guide:
Adding Azure Connector To SkyFormation Platform
Azure Audit Sources & Events Supported
For general information on Azure audit sources and logs please visit:
https://docs.microsoft.com/en-us/azure/security/azure-log-audit
IMPORTANT AUDIT COVERAGE CHECK TO DO:
The availability of Azure services, including the security & compliance and audit services, depends in many cases on the Azure region. To verify which Azure audit sources and coverage will be available to you through the SkyFormation Azure connector:
- Open this link https://azure.microsoft.com/en-us/regions/services/ and go to the "Monitoring + Management" section.
- In the "Monitoring + Management" section, check the availability of the following monitoring services in the Azure regions you are using:
  - Log Analytics
  - Security & Compliance
  - Protection & Recovery
- If the services listed above are not available in one of the Azure regions you are using, audit logs and events from that service will most likely not be available there.
Azure Log Analytics
Once the Azure connector is configured, it will discover all Log Analytics workspaces deployed in the subscriptions that the Azure AD app was given permission to query.
A Log Analytics KQL query (reference) can be used to reduce the scope of the data that is collected from each ALA workspace.
Verify your KQL query in the Azure Log Analytics UI before using it in the connector.
Make sure that the query does NOT restrict itself to a certain time frame (i.e. via a " | TimeGenerated" filter), because the connector automatically appends its own time filter to the query on each sync it performs.
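The following is an added example, not SkyFormation's code: a pre-flight check you can run on a scoping KQL query before pasting it into the connector. It splits the query into its pipeline stages, rejects any query that already carries a `where` on `TimeGenerated`, and shows where a per-sync time window would be appended. The suffix format, the constructed `SecurityEvent` query, the host names and the sync window are all assumptions made for the example; the real connector's suffix is not documented on this page.

```python
"""Pre-flight check for a Log Analytics KQL scoping query (added example).

Assumption (labelled): the connector appends a TimeGenerated window to the query
on every sync, so the query itself must not filter on TimeGenerated. The exact
suffix used by the connector is not documented here; the one below is a stand-in.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed example: scope a Windows security-event workspace query down to
# logon success/failure records from two hosts, with no time filter of its own.
SCOPED_QUERY = """
SecurityEvent
| where EventID in (4624, 4625)
| where Computer in ("web01", "web02")
| project TimeGenerated, Computer, Account, EventID, IpAddress
"""

# Constructed counter-example: the same query with its own TimeGenerated
# filter, which would conflict with the window the connector appends.
BAD_QUERY = SCOPED_QUERY.strip() + "\n| where TimeGenerated > ago(1d)"

# A 'where' stage that mentions TimeGenerated anywhere in its predicate.
_TIME_FILTER = re.compile(r"\bwhere\b[^|]*\bTimeGenerated\b", re.IGNORECASE)


def split_stages(query: str) -> list:
    """Split a KQL pipeline into its '|'-separated stages, whitespace trimmed."""
    return [s.strip() for s in query.strip().split("|") if s.strip()]


def has_time_filter(query: str) -> bool:
    """True if any 'where' stage filters on TimeGenerated.

    A 'project TimeGenerated' stage is fine: only filtering stages count.
    """
    return any(_TIME_FILTER.search(stage) for stage in split_stages(query))


def with_sync_window(query: str, since: datetime, until: datetime) -> str:
    """Append a per-sync window the way a collector would (hypothetical format).

    Raises ValueError if the query already constrains TimeGenerated, mirroring
    the page's rule that the time frame must be left to the connector.
    """
    if has_time_filter(query):
        raise ValueError(
            "query must not filter on TimeGenerated; the connector adds the window itself"
        )
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    suffix = (
        f"| where TimeGenerated > datetime({since.strftime(fmt)}) "
        f"and TimeGenerated <= datetime({until.strftime(fmt)})"
    )
    return query.strip() + "\n" + suffix


if __name__ == "__main__":
    end = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sync time
    print(with_sync_window(SCOPED_QUERY, end - timedelta(minutes=15), end))
    try:
        with_sync_window(BAD_QUERY, end - timedelta(minutes=15), end)
    except ValueError as exc:
        print("rejected:", exc)
```

Run the script as-is to see the accepted query with the appended window and the rejected one; swap `SCOPED_QUERY` for your own query to check it before saving it in the connector.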
Service/Module Covered | Event included | Endpoint/API | Notes
---|---|---|---
Security Alerts | Security Alerts generated across MS platform | | Added in CC version 2.4.254. Alerts generated from: Azure Security Center
Administrative | Administrative activities from different modules | | This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include "create virtual machine" and "delete network security group"
Azure Virtual Machines | VM events (e.g. VM started) | | Supports both Windows and Linux VM related events
Azure Networking Resources | VNETs, Subnets, NSG, Route Tables etc. | Activity Log |
Azure OS Logs | OS events (e.g. Windows OS events) | Log Analytics | Events are collected by a dedicated Windows/Linux agent and attached to a Log Analytics workspace, from which the SkyFormation connector then retrieves them. See more information on how to use the Azure agent at: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
Azure HDInsight | Hadoop events | Log Analytics (aka OMS Workspace) | See: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-oms-log-analytics-tutorial
Azure App Insights | Insights on Azure Apps | Log Analytics (aka OMS Workspace) | To forward the Azure App Insights events to a Log Analytics workspace (which the SkyFormation Azure connector will then collect the events from) please refer to:
Azure Key Vault | Key vault events | See: https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-keyvault-eventhub |
Azure Diagnostics Events | Diagnostic Events from multiple services | | Diagnostics from many services such as: Application Gateways, Azure Automation, Azure Batch, Customer Insights, Content Delivery Network (CDN), CosmosDB, Data Lake Analytics, Data Lake Store, Event Hubs, Key Vault, Load Balancer,
Azure Storage Analytics | Activities in Blob, Queue, and Table services | Storage Analytics | Activities such as blob downloaded, table created etc.
Azure Monitor (Resource Monitor) | | Event Hubs | To forward the Azure Monitor events to an Event Hub (which the SkyFormation Azure connector will then collect the events from) please refer to: Data collected by the Azure Monitor. For more information on the events collected by the Azure Monitor see:
Subscription Monitoring | | Event Hubs | Included as part of the Azure Monitor data collected (see above)
IIS | | Event Hubs | Included as part of the Azure Monitor data collected (see above). See more information at:
Azure Kubernetes Service (AKS) | Master components events | | See: https://docs.microsoft.com/en-us/azure/aks/view-master-logs
Azure Kubernetes Service (AKS) | Kubelet events | Unknown | See: https://docs.microsoft.com/en-us/azure/aks/kubelet-logs
Azure Kubernetes Service (AKS) | Real-time container logs | Unknown | See: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-live-logs
Azure SQL DB | SQL DB events | | See: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing
Web Application Firewall (WAF) | | Event Hubs | Included as part of the Azure Monitor data collected (see above). For more information on the WAF data collected see:
Azure Security Center | Security center alerts | Azure Security Center Alerts |
Azure NSG Flow Logs | NSG Flow Logs | Storage Services | Once NSG flow logs are enabled (see: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-powershell), the SkyFormation Azure connector will automatically discover the related watchers and flow logs and start collecting them.
Microsoft Graph Security API | Security alerts from the entire range of Microsoft security products | |
Azure API Management | | Log Analytics (aka OMS Workspace) | To get the events, configure auditing via App Insights. See: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-app-insights
Azure Service Health | Service Health incidents | Activity Log | This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is "SQL Azure in East US is experiencing downtime."
Azure Service Alert | Activation of Azure Alerts | Activity Log | This category contains the record of all activations of Azure alerts. An example of the type of event you would see in this category is "CPU % on myVM has been over 80 for the past 5 minutes."
Azure Autoscale Events | Autoscale events | Activity Log | This category contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of the type of event you would see in this category is "Autoscale scale up action failed."
Azure Recommendation | Recommendation | Activity Log | This category contains recommendation events from certain resource types, such as web sites and SQL servers. These events offer recommendations for how to better utilize your resources.
Microsoft Defender ATP events | Security Events | |