This article covers the steps to ingest your Azure Activity logs into Chronicle.
Configure a Storage Account
Complete the following steps to configure a Storage account:
1. In the Azure console, search for "Storage accounts."
2. Click Create.
3. Select the Subscription, Resource Group, region, performance (Standard is recommended), and Redundancy (GRS or LRS is recommended) needed for the account, and enter a name for the new Storage Account.
4. Click Review + create, review the overview of the account, and click Create.
5. On the Storage Account Overview page, select Access keys from the left navigation of the window.
6. Click Show keys and make a note of the shared key for the storage account.
7. Select Endpoints from the left navigation of the window.
8. Make a note of the Blob service endpoint (https://<storageaccountname>.blob.core.windows.net/).
Configure Azure Activity Logging
Complete the following steps to configure Azure Activity logging:
1. In the Azure console, search for "Monitor."
2. Click the Activity log link in the left navigation of the page.
3. Click Export Activity Logs at the top of the window.
4. Click Add diagnostic setting.
5. Select all the categories you wish to export to Chronicle.
6. Under Destination details, select Archive to a storage account.
7. Select the subscription and the storage account you created in the previous step.
8. Click Save.
Configure a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Azure logs:
1. Go to Chronicle settings and click Feeds.
2. Click Add New.
3. Select Microsoft Azure Blob Storage for Source Type.
4. Select Microsoft Defender for Endpoint for Log Type.
5. Click Next.
6. Under Azure URI, enter the Blob Service endpoint value you recorded earlier, suffixed with insights-activity-log (for example, https://acme-azure-chronicle.blob.core.windows.net/insights-activity-log/).
7. Under URI Source Type, select Directories including subdirectories.
8. Under Shared key, enter the shared key value you captured earlier.
9. Click Next and Finish.
Sample Logs
The following is a sample of the logs that Azure sends to Chronicle:
{
  "DeploymentUnit": "neu-prd02-leave-01-ri",
  "EventId": 162,
  "EventName": "AzureBackupActivityLog",
  "properties": {
    "Entity Name": "devo-psd-portal-4",
    "Job Id": "21f63050-bff6-406f-8e31-2ebcc928fc00",
    "Start Time": "2023-07-13 17:42:23Z"
  },
  "time": "2023-07-13T18:33:50.8775538Z",
  "resourceId": "/SUBSCRIPTIONS/5003BEFF-5446-4820-AC0E-3C35569F63F9/RESOURCEGROUPS/CRUCIBLE/PROVIDERS/MICROSOFT.RECOVERYSERVICES/VAULTS/DIVA",
  "category": "Administrative",
  "correlationId": "e0227482-d0ae-4d15-b3fe-ff5006129235",
  "operationId": "1b18ef15-3081-4639-c711-3492751bf1d5",
  "ResultDescription": "Backup Succeeded",
  "resultType": "Succeeded",
  "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
  "operationVersion": "null",
  "durationMs": 0,
  "level": "Informational",
  "location": "eastus",
  "identity": "{\"claims\":{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.RecoveryServices\"}}",
  "Authorization": "null",
  "Claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.RecoveryServices\"}",
  "eventName": "Backup"
}
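As an added example (it is not part of the original article and is not Chronicle's or Microsoft's code), the Python below shows how a defender can check what the feed will actually read before creating it: it builds the Azure URI from the blob endpoint the way step 6 describes, validates that blob names match the hourly archive layout the feed walks with "Directories including subdirectories", and parses the sample record above into the fields an analyst pivots on. Two traits visible in the sample are handled explicitly: the identity and Claims fields are JSON text embedded inside a string, and absent values arrive as the string "null" rather than JSON null. Assumptions: the {"records": [...]} envelope and the resourceId=/SUBSCRIPTIONS/<id>/y=/m=/d=/h=/m=00/PT1H.json blob layout are recalled from Azure Monitor's storage-archive documentation, not taken from this article; the function names (load_records, normalize, feed_uri, is_hourly_activity_blob, summarize) are chosen here; the sample texts are constructed from the record on this page.

```python
import json
import re
from typing import Any, Optional

# Constructed sample: the record from the article, verbatim.
SAMPLE_RECORD: dict[str, Any] = {
    "DeploymentUnit": "neu-prd02-leave-01-ri", "EventId": 162, "EventName": "AzureBackupActivityLog",
    "properties": {"Entity Name": "devo-psd-portal-4", "Job Id": "21f63050-bff6-406f-8e31-2ebcc928fc00",
                   "Start Time": "2023-07-13 17:42:23Z"},
    "time": "2023-07-13T18:33:50.8775538Z",
    "resourceId": "/SUBSCRIPTIONS/5003BEFF-5446-4820-AC0E-3C35569F63F9/RESOURCEGROUPS/CRUCIBLE"
                  "/PROVIDERS/MICROSOFT.RECOVERYSERVICES/VAULTS/DIVA",
    "category": "Administrative", "correlationId": "e0227482-d0ae-4d15-b3fe-ff5006129235",
    "operationId": "1b18ef15-3081-4639-c711-3492751bf1d5", "ResultDescription": "Backup Succeeded",
    "resultType": "Succeeded",
    "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
    "operationVersion": "null", "durationMs": 0, "level": "Informational", "location": "eastus",
    "identity": "{\"claims\":{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.RecoveryServices\"}}",
    "Authorization": "null",
    "Claims": "{\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"Microsoft.RecoveryServices\"}",
    "eventName": "Backup",
}
# Constructed blob contents: an hourly blob is assumed to wrap events in {"records": [...]};
# a newline-delimited variant is included because some exports are written that way.
SAMPLE_BLOB_TEXT = json.dumps({"records": [SAMPLE_RECORD]})
SAMPLE_NDJSON_TEXT = "\n".join([json.dumps(SAMPLE_RECORD)] * 2) + "\n"

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CONTAINER = "insights-activity-log"  # container named in the feed's Azure URI (from the article)

# Hourly blob layout Azure uses when archiving the Activity log to a storage account
# (recalled from the Azure Monitor docs; treat as an assumption and confirm in your account).
HOURLY_BLOB_RE = re.compile(
    r"^resourceId=/SUBSCRIPTIONS/[0-9A-Fa-f-]{36}/y=\d{4}/m=\d{2}/d=\d{2}/h=\d{2}/m=00/PT1H\.json$"
)


def feed_uri(blob_endpoint: str) -> str:
    """Blob service endpoint plus the container, with exactly one slash between and one trailing."""
    return blob_endpoint.rstrip("/") + "/" + CONTAINER + "/"


def is_hourly_activity_blob(blob_name: str) -> bool:
    """True when a blob name (relative to the container) matches the hourly archive layout."""
    return HOURLY_BLOB_RE.match(blob_name) is not None


def load_records(text: str) -> list[dict[str, Any]]:
    """Accept either a {"records": [...]} envelope or newline-delimited JSON objects."""
    stripped = text.strip()
    if not stripped:
        return []
    try:
        doc = json.loads(stripped)
    except json.JSONDecodeError:  # more than one top-level object: parse line by line
        return [json.loads(line) for line in stripped.splitlines() if line.strip()]
    if isinstance(doc, dict) and isinstance(doc.get("records"), list):
        return doc["records"]
    return [doc] if isinstance(doc, dict) else list(doc)


def decode_embedded(value: Any) -> Any:
    """identity/Claims are JSON inside a string, and missing values are the string "null"."""
    if not isinstance(value, str):
        return value
    if value == "null":
        return None
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value


def parse_resource_id(resource_id: str) -> dict[str, Optional[str]]:
    """Split an ARM resource ID (upper-cased in Activity logs) into its components."""
    parts = [p for p in resource_id.split("/") if p]
    upper = [p.upper() for p in parts]

    def after(key: str) -> Optional[str]:
        if key not in upper:
            return None
        i = upper.index(key) + 1
        return parts[i] if i < len(parts) else None

    resource = "/".join(parts[upper.index("PROVIDERS") + 2:]) if "PROVIDERS" in upper else ""
    return {"subscription": after("SUBSCRIPTIONS"), "resource_group": after("RESOURCEGROUPS"),
            "provider": after("PROVIDERS"), "resource": resource or None}


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Flatten one Activity log record into the fields an analyst usually pivots on."""
    claims = decode_embedded(record.get("Claims")) or {}
    identity = decode_embedded(record.get("identity")) or {}
    if not claims and isinstance(identity, dict):
        claims = identity.get("claims", {})
    return {
        "time": record.get("time"), "category": record.get("category"), "level": record.get("level"),
        "operation": record.get("operationName"),
        "operation_version": decode_embedded(record.get("operationVersion")),
        "result": record.get("resultType"), "result_description": record.get("ResultDescription"),
        "caller": claims.get(EMAIL_CLAIM) if isinstance(claims, dict) else None,
        "correlation_id": record.get("correlationId"),
        **parse_resource_id(record.get("resourceId", "")),
    }


def summarize(blob_text: str) -> dict[str, int]:
    """Count records per category/result so an empty or failing export is noticed early."""
    counts: dict[str, int] = {}
    for rec in load_records(blob_text):
        n = normalize(rec)
        key = f"{n['category']}/{n['result']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(feed_uri("https://acme-azure-chronicle.blob.core.windows.net/"))
    for rec in load_records(SAMPLE_BLOB_TEXT):
        print(json.dumps(normalize(rec), indent=2))
    print(summarize(SAMPLE_BLOB_TEXT))
```

Run it against a blob downloaded from your own insights-activity-log container once the diagnostic setting has been saved: a blob name that fails is_hourly_activity_blob, or a summary that shows none of the categories you selected in step 5, means the feed will have nothing useful to read and the export should be rechecked before the shared key is handed to Chronicle.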