If you're having trouble at any stage please contact us at firstname.lastname@example.org.
If you use Azure services you may be running Virtual Machines with a Windows or Linux OS. If so, you may want to collect their OS Security Events as Windows Security Events. The post below guides you through configuring your Azure environment to collect the events, and the SkyFormation Azure Connector to ingest them and forward them to any SIEM.
Please note that the Security Events ingested by the SkyFormation Azure Connector are ingested as generic events and forwarded as-is to your SIEM of choice; the SIEM performs its own parsing and modeling of the Security Events.
How it works
- You configure the Azure Security Center to collect Security Events from the VMs of your choice
- The Security Events collected are stored in Azure workspace of your choice
- The SkyFormation Azure Connector you on-boarded automatically collects all the events stored in that Azure workspace and forwards them to the SIEM configured in SkyFormation for that specific connector.
- Configure Azure Security Center to Collect the Security Events from the relevant VMs
- Open your Azure "Security Center" page from the Azure portal
- Go to the "Security Policy" page
On this page you will see your Azure subscription(s), where you can choose the subscription(s) whose VMs you would like to start collecting "Security Events" from. In our example we choose the subscription named "Pay as You Go" and set the "Security Events" to be collected automatically from all its VMs. Note that in our example the "AUTOMATIC PROVISION" status of the subscription is Off, which indicates that "Security Events" will not be collected automatically from all VMs in the subscription.
- Click on the subscription you want to configure for automatic data collection of "Security Events"
- Turn on "Automatic provisioning of monitoring agent"
Please note that this will install the Azure agent on all the VMs in the subscription, which will start collecting the "Security Events". If you only want to collect "Security Events" from specific VMs you can choose the specific resource(s) on the previous page under the relevant
- Choose the workspace to store the collected events
The SkyFormation Azure Connector ingests all the events from every workspace available in the Azure account the connector monitors, so choosing a workspace other than the default "Security Center" one is only for your internal Azure administrative needs.
- Click "Save"
You are done with the Azure configuration. Azure will now provision its agents to all the VMs in the subscription you configured, and start collecting existing/historical and any future "Security Events".
- Configure your SkyFormation Azure Connector to Ingest the new "Security Events"
As stated above, the SkyFormation Azure Connector ingests all the events from every workspace in the monitored Azure account, so make sure that you have on-boarded a SkyFormation Azure Connector that monitors the specific Azure account.
To confirm that everything is configured correctly, wait about 15 minutes and check whether "Security Events" are streaming into the SIEM attached, in the SkyFormation app, to the specific SkyFormation Azure Connector.
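The same configuration done from the Azure CLI instead of the portal, with a KQL check on the workspace itself so you can confirm Security Events are arriving before looking in the SIEM. This is an added example, not SkyFormation's own tooling; SUBSCRIPTION_ID, RESOURCE_GROUP and WORKSPACE_NAME are placeholders you must replace with your own values.

```shell
# Added example, not SkyFormation's own tooling: the portal steps above done with the
# Azure CLI, plus a KQL check that SecurityEvent rows are landing in the workspace.
# SUBSCRIPTION_ID, RESOURCE_GROUP and WORKSPACE_NAME are placeholders you must replace.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security}"                              # placeholder
WORKSPACE_NAME="${WORKSPACE_NAME:-law-security-center}"                      # placeholder

# ARM resource id of a Log Analytics workspace: the shape "az security workspace-setting"
# expects (not the workspace's customer GUID, which the query API wants instead).
workspace_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# KQL for the last step of the guide: are Security Events streaming in? $1 is the
# look-back window; the guide suggests waiting about 15 minutes after saving.
kql_recent_security_events() {
  printf 'SecurityEvent | where TimeGenerated > ago(%s) | summarize Events=count() by Computer' "$1"
}

# Step 1: automatic provisioning of the monitoring agent for the whole subscription
# (this installs the agent on every VM in it, as the guide warns).
enable_auto_provisioning() {
  az security auto-provisioning-setting update --name default --auto-provision On \
    --subscription "$SUBSCRIPTION_ID"
}

# Step 2: the workspace Security Center should store the collected events in.
set_security_center_workspace() {
  az security workspace-setting create --name default --subscription "$SUBSCRIPTION_ID" \
    --target-workspace "$(workspace_resource_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME")"
}

# Step 3: verify on the Azure side before looking in the SIEM; resolve the workspace
# customer id from its name because "az monitor log-analytics query" takes that GUID.
verify_security_events() {
  local customer_id
  customer_id="$(az monitor log-analytics workspace show -g "$RESOURCE_GROUP" -n "$WORKSPACE_NAME" \
    --subscription "$SUBSCRIPTION_ID" --query customerId -o tsv)"
  az monitor log-analytics query -w "$customer_id" \
    --analytics-query "$(kql_recent_security_events 15m)" -o table
}
# Only talk to Azure when explicitly asked, so the helpers above can be sourced safely.
if [ "${RUN_AZURE:-0}" = 1 ]; then
  enable_auto_provisioning
  set_security_center_workspace
  verify_security_events
fi
```

Run with `RUN_AZURE=1` after `az login`; an empty result from the query after the wait usually means the agent has not been provisioned on the VMs yet rather than a connector problem.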