If you're having trouble at any stage please contact us at support@skyformation.com. 

Preface

Using Azure services you might be running some Virtual Machines with Windows or Linux OS. In case you do you might want to get their OS Security Events as Windows Security Events. In case you do the below post will guide you on how to set your Azure environment to collect the events, and the SkyFormation Azure Connector to ingest them and forward to any SIEM. 

Please note that the Security Events ingested by the SkyFormation Azure Connector will be ingested as a generic event and forwarded to your SIEM of choice as-is for the SIEM to perform its Security Events parsing and modeling.

How it works

• You configure the Azure Security Center to collect Security Events from the VMs of your choice
• The Security Events collected are stored in Azure workspace of your choice
• SkyFormation Azure Connector you on-boarded will automatically collect the entire events collected into the Azure workspace and forward them to the SIEM configured in SkyFormation for the specific connector.

Prerequisite

- Configure Azure Security Center to Collect the Security Events from the relevant VMs

•   Open your Azure "Security Center" page from the Azure portal

• Go to the "Security Policy" page

        In this page you will see your Azure subscription where you can choose the
        subscription(s) you would like to start collecting "Security Events" from its VMs. 

        In our example we will choose the subscription named "Pay as You Go" and set the "Security
        Events" to be collected automatically from all its VMs. Note that in our example the 
        "AUTOMATIC PROVISION" status is Off in our subscription, which indicate the "Security
        Events" will not be collected automatically for all VMs in the subscription. 

• Click on the subscription you want to configure for automatic data collection of "Security Events"

• Turn-on the "Automatic provisioning of monitoring agent"

         Please note that this will install Azure agent on all the VMs in the subscription, which will
         start collecting the ''Security Events" . If you only want to collect "Security Events" from
         specific VMs you can choose the specific resource(s) in the previous page under the relevant
         subscription.

• Choose the workspace to store the collected events

         SkyFormation Azure Connector will ingest all the events from any workspace available at
         the Azure connector monitored, hence choosing a Workspace other then the default
         "Security Center" one is only for your internal Azure administrative needs.

• Click "Save"

You are done with the Azure configuration. Azure will now provision its agents to all the VMs in the subscription you configured, and start collecting existing/historical and any future "Security Events".

- Configure your SkyFormation Azure Connector to Ingest the new "Security Events" 

As stated below, the SkyFormation Azure Connector will ingest all the events from any workspace in the monitored Azure account. So make sure that you on-boarded a SkyFormation Azure Connector that monitor the specific Azure account.

For further instructions on how to add a SkyFormation Azure Connector refer to:
Adding Azure Connector To SkyFormation Platform

To make sure all is configured correctly, wait for 15 minutes and look in your SIEM attached in SkyFormation app to the specific SkyFormation Azure Connector if "Security Events" are streaming in.

DONE !