1. Overview
This topic describes the steps for collecting the Azure Log Analytics logs from Azure and sending the logs to Google SecOps.
2. Prerequisites
A. You need Microsoft.OperationalInsights/workspaces/write permission on the resource group where you want to create the Log Analytics workspace.
B. An Azure AD Premium P1 or P2 license is required.
3. Steps for Configuration
A. Create Resource Group
B. Create Log Analytics workspace
C. Create Storage Account
D. Configuring Data Export in Log Analytics Workspace
A. Create Resource Group
Step 1. Sign in to the Azure portal.
Step 2. Select Resource groups.
Step 3. Select Create.
Step 4. Enter the following values:
- Subscription: Select your Azure subscription.
- Resource group: Enter a new resource group name.
- Region: Select an Azure location, such as Central US.
Step 5. Select Review + Create.
Step 6. Select Create. It takes a few seconds to create a resource group.
Step 7. Select Refresh from the top menu to refresh the resource group list, and then select the newly created resource group to open it. Or select Notification (the bell icon) from the top, and then select Go to resource group to open the newly created resource group.
B. Create Log Analytics workspace
Use the Log Analytics workspaces menu to create a workspace.
Step 1. In the Azure portal, enter Log Analytics in the search box. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.
Step 2. Select Add.
Step 3. Select a Subscription from the dropdown.
Step 4. Use an existing Resource Group or create a New one.
Step 5. Provide a name for the new Log Analytics workspace, such as <DefaultLAWorkspace>. This name must be unique per resource group.
Step 6. Select an available Region.
Step 7. Select Review + Create to review the settings. Then select Create to create the workspace. A default pricing tier of pay-as-you-go is applied. No charges will be incurred until you start collecting enough data.
C. Create Storage Account
To create an Azure storage account with the Azure portal, follow these steps:
Step 1. From the left portal menu, select Storage accounts to display a list of your storage accounts. If the portal menu isn't visible, select the menu button to toggle it on.
Step 2. On the Storage accounts page, select Create.
Step 3. Enter the following values:
- Subscription: Select your Azure subscription.
- Resource group: Select the name of the new resource group.
- Storage account name: Enter a name for the new storage account.
- Region: Select an Azure location, such as Central US.
- Primary service: Select ‘Azure Blob Storage or Azure Data Lake Storage Gen 2’
- Performance: Select ‘Standard’
- Redundancy: Select ‘Geo-redundant storage (GRS)’
Note: Once the storage account is created, copy the Endpoint URL and the Secret Key; both are needed when creating the Chronicle feed.
Endpoint URL: Go to Storage account > Settings > Endpoints > Blob service
Secret Key: Go to Storage account > Security + networking > Access keys > Key
The secret key shown will change every time you click the Show option.
D. Configuring Data Export in Log Analytics Workspace
Step 1. Navigate to Log Analytics Workspace.
Step 2. Search for the name of the workspace created earlier.
Step 3. Go to Data Export and click ‘New Export Rule’.
Step 4. Enter a name for the new rule.
Step 5. In the Source tab, choose the table(s) whose logs you want to send to the storage account.
Step 6. In the Destination tab, choose the Subscription and Storage Account, and click Next.
Step 7. Click ‘Review + Create’ to create the rule.
Once the export rule is created, containers are created in the storage account as logs are generated for the selected table(s).
Note: Create the Chronicle feed only after the containers have been created by the data export.
Configuring Feed in Chronicle
From the Google SecOps menu, select SIEM Settings, and then click Feeds.
1. Click Add New.
2. In the Feed name field, enter a name for the feed.
3. In the Source type list, select Microsoft Azure Blob Storage.
4. Select the Log type as Azure Log Analytics Workspace.
5. Click Next. The Add feed window appears.
6. Retrieve the information to fill in the following fields:
- Azure URI: The Endpoint URL with the container name appended.
Example: https://storage_account_name.blob.core.windows.net/container_name
https://teststorage.blob.core.windows.net/am-laquerylogs
- URI IS A: Choose ‘Directory which includes subdirectories’
- SOURCE DELETION OPTION: Choose ‘Never delete files’
- Shared Key: Paste the Access Key
7. Click Next. The Finalize screen appears.
Review Feed configuration, and then click Submit.
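The portal steps in sections A to D and the Azure URI derivation for the feed, as an added Azure CLI example that is not part of the original page (nor Google's or Microsoft's own code). Resource names are placeholders, `az` is assumed to be logged in to the right subscription, and the container naming am-<table name in lowercase> is assumed from the page's am-laquerylogs example.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the portal steps, plus helpers that derive and
# check the Azure URI the Chronicle feed needs. Names below are placeholders.
set -eu

RG="${RG:-secops-la-export-rg}"       # placeholder resource group name
LOCATION="${LOCATION:-centralus}"
WORKSPACE="${WORKSPACE:-DefaultLAWorkspace}"
STORAGE="${STORAGE:-teststorage}"     # placeholder; storage account names are global
RULE="${RULE:-to-secops}"
TABLES="${TABLES:-LAQueryLogs}"       # space-separated Log Analytics tables to export

# Build the feed's Azure URI: blob endpoint + "am-" + table name in lowercase
# (assumed convention, matching the page's am-laquerylogs example).
feed_uri() {   # $1 = blob endpoint URL, $2 = table name
  endpoint="${1%/}"
  table=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  printf '%s/am-%s\n' "$endpoint" "$table"
}

# Reject URIs that are not https, not a blob endpoint, or lack an export container.
valid_feed_uri() {
  case "$1" in
    https://*.blob.core.windows.net/am-?*) return 0 ;;
    *) return 1 ;;
  esac
}

create_resources() {
  az group create --name "$RG" --location "$LOCATION" >/dev/null                       # A
  az monitor log-analytics workspace create -g "$RG" -n "$WORKSPACE" -l "$LOCATION" >/dev/null  # B
  az storage account create -g "$RG" -n "$STORAGE" -l "$LOCATION" \
     --sku Standard_GRS --kind StorageV2 --min-tls-version TLS1_2 >/dev/null           # C
  sa_id=$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  # shellcheck disable=SC2086  # TABLES is intentionally word-split into one arg per table
  az monitor log-analytics workspace data-export create -g "$RG" --workspace-name "$WORKSPACE" \
     -n "$RULE" --tables $TABLES --destination "$sa_id" >/dev/null                      # D
  endpoint=$(az storage account show -g "$RG" -n "$STORAGE" --query primaryEndpoints.blob -o tsv)
  for t in $TABLES; do feed_uri "$endpoint" "$t"; done   # one Azure URI per exported table
  # Shared Key for the feed (do not paste into logs or tickets):
  #   az storage account keys list -g "$RG" -n "$STORAGE" --query "[0].value" -o tsv
}

# Only touch Azure when explicitly requested, so the helpers can be exercised offline.
if [ "${RUN_AZ:-0}" = "1" ]; then create_resources; fi
```

Run with RUN_AZ=1 to create the resources; without it the script only defines the helpers.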