How to Collect and Analyze Azure Security Logs

Approximately 2 months ago, Mahesh Nayak, a Senior Program Manager in the Azure security team, published a whitepaper titled Microsoft Azure Security and Audit Log Management. This has been a very popular topic for many customers who have recently moved to Azure and are looking to collect and analyze the security logs for their cloud-based applications and VMs. In addition, many customers frequently ask during introduction meetings how they can detect threats and policy violations, achieve regulatory compliance, or search for potential network, host or user anomalies in their deployments. So I thought I would post a quick introduction for the broader community to share the availability of this information, which we regularly update on the Azure Trust Center.

At a high level, it is straightforward to begin collecting logs using Windows Event Forwarding (WEF) or the more advanced Azure Diagnostics when you have deployed Windows-based VMs using IaaS in Azure. In addition, Azure Diagnostics can be configured to collect logs and events from PaaS role instances. When using IaaS-based VMs, you simply configure and enable the desired security events the same way you enable Windows Servers to log audits in your on-premises datacenter. You have several configuration options, of course, depending on whether your machines are joined to a domain or whether you need to use local policy configuration as well. For web applications, you can also enable IIS logging if that is your primary application and deployment in Azure. Security data can always be stored in storage accounts in supported geo-locations of your choice to meet your data sovereignty requirements.
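As an added illustration (not taken from the whitepaper or this post), here is an Azure Diagnostics public configuration that collects the Windows Security log, warnings and errors from the Application and System logs, and IIS logs into a storage account; the storage account name, quota and transfer period are placeholders to adjust for your deployment.

```xml
<!-- Added example: Azure Diagnostics (WAD) public configuration for a Windows VM or role instance.
     Values such as the storage account name and quotas are placeholders, not recommendations. -->
<PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <WadCfg>
    <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
      <!-- Event log channels are transferred to the WADWindowsEventLogsTable table
           in the storage account every scheduledTransferPeriod (ISO 8601 duration). -->
      <WindowsEventLog scheduledTransferPeriod="PT1M">
        <!-- Security log: collect every event; the audit policy on the VM decides
             which categories (logon, object access, policy change, ...) are written. -->
        <DataSource name="Security!*" />
        <!-- Application and System logs: only Critical (1), Error (2) and Warning (3). -->
        <DataSource name="Application!*[System[(Level=1 or Level=2 or Level=3)]]" />
        <DataSource name="System!*[System[(Level=1 or Level=2 or Level=3)]]" />
      </WindowsEventLog>
      <!-- IIS request logs are copied as blobs into the named container. -->
      <Directories scheduledTransferPeriod="PT1M">
        <IISLogs containerName="wad-iis-logfiles" />
      </Directories>
    </DiagnosticMonitorConfiguration>
  </WadCfg>
  <!-- Placeholder: the storage account that receives the tables and blobs. -->
  <StorageAccount>yourstorageaccount</StorageAccount>
</PublicConfig>
```

Keep the storage account in a region that satisfies your data sovereignty requirements, and remember that collecting the Security log only yields useful data if the corresponding audit subcategories are enabled by domain or local policy on the machine.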

Last, but not least, many customers also frequently ask how they can export the logs to other systems, including SIEMs. The whitepaper provides the necessary guidance and options not only for downloading all the stored blobs from Azure storage and the operations logs, but also for viewing and using the access and usage reports from Azure Active Directory.

Would you like to learn more and configure your public cloud environment the same way you have enabled logging in your on-premises datacenter(s)? Download and check out the Microsoft Azure Security and Audit Log Management whitepaper, and you will be collecting and analyzing the logs in a very short period of time!

We look forward to your feedback; stay tuned for future updates on this blog!

David B. Cross

Engineering Director, Azure Security