If you're having trouble at any stage please contact us at support@skyformation.com.
NOTE
If you need to collect Azure Active Directory (AAD) event as well you should use to the SkyFormation for Office 365 connector for that. The AAD access events (e.g. login failed, login success) are collected as well as anomaly and risk events.
Preface
Azure is a suite of cloud services platform, provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services. Azure helps organizations consume compute power and needed services, all without the need to buy or manage hardware.
But at the same time, the IaaS and SaaS public services presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain full audit of activities in Azure account
- Retrieve the Azure account activities as admin login to Azure console, Azure compute changes and data flows, events from Azure services and many more.
- The granular activities should be available at the organization’s central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for Azure, is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Azure account, unify the events into a common application events format, enrich the events with needed detection context and send the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Azure retrieves the events from the Azure service through its APIs. Before sending the events to the existing SIEM/SOC system the connector will
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context as AD identity information
- Encode the resulted event into a standard format as CEF
- Send the event to the existing SIEM/SOC system over syslog
Azure National Clouds support
Azure National Clouds (aka Sovereign clouds) are physically isolated instances of Azure. These regions of Azure are designed to make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
The SkyFormation for Azure connector supports the entire available Azure National Clouds.
To configure your SkyFormation for Azure connector to support any of the National Clouds please see the needed step at our Azure connector guide:
Adding Azure Connector To SkyFormation Platform
Azure Audit Sources & Events Supported
For general information on Azure audit sources and logs please visit:
https://docs.microsoft.com/en-us/azure/security/azure-log-audit
IMPORTANT AUDIT COVERAGE CHECK TO DO:
The availability of the Azure services including services as security & compliance and audit services depends on the Azure region in many cases. To verify what Azure audit sources and coverage will be available for you using the SkyFormation Azure connector, please:
- Open this link https://azure.microsoft.com/en-us/regions/services/ and go to the "Monitoring + Management" section.
- In the "Monitoring + Management" section look for the availability of the following monitoring services at the Azure regions you are using:
- Log Analytics
- Security & Compliance
- Protection & Recovery
- If the services mentioned above are not available at any of the Azure regions you are using, audit logs and event from the service will most likely not be available.
| Service/ Module Covered |
Event included | Endpoint/API | Notes |
|---|---|---|---|
| Administrative | Administrative activities from different modules |
|
This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include “create virtual machine” and “delete network security group” |
| Azure Virtual Machines | VM events (e.g. VM started) |
Support both Windows/Linux VM related events |
|
| Azure Networking Resources | VNETs, Subnets, NSG, Route Tables etc | Activity Log |
|
| Azure OS Logs | OS events (e.g. Windows OS events) |
Log Analytics |
Events are collected by a dedicated Windows/Linux agent and attached to a Log Analytics workspace which will then be used by the SkyFormation connector to get the events from. See more information on how to use the Azure agent at: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent |
| Azure HDInsight | Hadoop events | Log Analytics (aka OMS Workspace) |
See: https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-hadoop-oms-log-analytics-tutorial |
| Azure App Insights | Insights on Azure Apps | Log Analytics (aka OMS Workspace) |
To forward the Azure App Insights events to a Log Analytics workspace (which will then be used by SkyFormation Azure connector to collect the events from) please refer to: |
| Azure Key Vault | Key vault events | See: https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-keyvault-eventhub | |
| Azure Diagnostics Events | Diagnostic Events from multiple services | Diagnostic from many services as: Application Gateways, Azure Automation, Azure Batch,Customer Insights, Content Delivery Network (CDN), CosmosDB, Data Lake Analytics, Data Lake Store, Event Hubs,Key Vault, Load Balancer, |
|
| Azure Storage Analytics | Activities in Blob, Queue, and Table services | Storage Analytics | Activities as blob downloaded, table created etc |
| Azure Monitor (Resource Monitor) | Event Hubs |
To forward the Azure Monitor events to an EventHubs (which will then be used by SkyFormation Azure connector to collect the events) please refer to: Data collected by the Azure monitor:
For more information on the events collected by the Azure Monitor see: |
|
| Subscription Monitoring | Event Hubs |
Included as part of the Azure Monitor data collected (see above) |
|
| IIS | Event Hubs |
Included as part of the Azure Monitor data collected (see above) See more information at: |
|
| Azure Kubernetes Service (AKS) | Master components events |
See: https://docs.microsoft.com/en-us/azure/aks/view-master-logs |
|
| Kublets events |
Unknown |
See: https://docs.microsoft.com/en-us/azure/aks/kubelet-logs |
|
| Real-time container logs |
Unknown |
See: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-live-logs |
|
| Azure SQL DB | SQL DB events |
or |
See: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing |
| Web Application Firewall (WAF) | Event Hubs |
Included as part of the Azure Monitor data collected (see above) For more information on the WAF data collected see: |
|
| Azure Security Center | Security center alerts | Azure Security Center Alerts | |
| Azure NSG Flow Logs | NSG Flow Logs | Storage Services |
Once the NSG flow logs are enabled (see: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-powershell ) SkyFormation Azure connector will automatically discover the related watchers and flow logs and start collecting the logs. |
| Microsoft Graph Security API | Security alerts from the entire Microsoft security products |
|
|
| Azure API Management | Log Analytics (aka OMS Workspace) |
To get the events configure the audit via App Insights. See: can be configured via App Insights : https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-app-insights |
|
| Azure Service Health | Service Health incidents | Activity Log | This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is “SQL Azure in East US is experiencing downtime.” |
| Azure Service Alert | Activation of Azure Alerts | Activity Log | This category contains the record of all activations of Azure alerts. An example of the type of event you would see in this category is “CPU % on myVM has been over 80 for the past 5 minutes.” |
| Azure Autoscale Events | Autoscale events | Activity Log | This category contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of the type of event you would see in this category is “Autoscale scale up action failed.” |
| Azure Recommendation | Recommendation | Activity Log | This category contains recommendation events from certain resource types, such as web sites and SQL servers. These events offer recommendations for how to better utilize your resources. |
| Microsoft Defender ATP events | Security Events |
Comments
0 comments
Please sign in to leave a comment.