Azure Log Integration SIEM configuration steps


NOTE:
This blog post is outdated and some of the steps may not work correctly. If you have problems, please let us know at the Azure Log Integration forum

This document provides screen shots of audit logs and Azure Security Center alerts integrated with the following partner solutions:

  • Splunk
  • HP ArcSight
  • IBM QRadar

The machine that Azure log integration services is installed on is called the Azlog Integrator. Your SIEM agent (the Splunk Universal Forwarder, HP ArcSight Windows Event Collector agent, or IBM QRadar WinCollect) is also installed on the Azlog Integrator. Azure log integration puts the Windows Event logs in the Forwarder Events channel.

Make sure that your standard SIEM connector installed on the machine is configured to pick events from the Forwarded Events folder and pipe them to your SIEM instance. Review the SIEM specific documentation for configuration details.

Splunk

For information on forwarding data from Microsoft Windows to Splunk, refer to Splunk’s documentation.

The following example shows events coming from ComputerName Iaas_azsiemdemo.

image

Integration of Azure Audit Logs in Splunk

Use Splunk Universal Forwarder to point to c:\Users\azlog\AzureResourceManagerJson as below

splunk add monitor C:\Users\azlog\AzureResourceManagerJson

splunk restart

The following screen shot shows logs in Splunk.

image

Integration of Security Center alerts in Splunk

Use Splunk Universal Forwarder to point to C:\Users\azlog\AzureSecurityCenterJson as below:

splunk add monitor C:\Users\azlog\AzureSecurityCenterJson

splunk restart

The following screen shot shows Security Center alerts in Splunk.

image

HP ArcSight

For information on forwarding data from Microsoft Windows to HP ArcSight, refer to ArcSight’s documentation.

The following example shows Windows events coming from Azure VMs into ArcSight.

image

Integration of Azure Diagnostic Logs in ArcSight

1. Create a SmartMessage Receiver.

If you do not have a SmartMessage Receiver, create one in ArcSight Logger selecting Configuration. Under Configuration, select Receivers.

clip_image010

2. Select Add.

clip_image012

3. In this example, under Add Receiver, let’s use SmartMessage Receiver for the Name and Type. Select Next.

clip_image014

4. Under Edit Receiver, choose settings below and select Save.

clip_image016

5. On the Windows machine with the Azure SIEM Integration Service, launch the ArcSight SmartConnector installation wizard and select Next.

clip_image018

6. On the Choose Install Folder page, identify path to where you want to install and select Next.

clip_image020

7. On the Choose Install Set page, select Custom and then Next.

clip_image022

8. On the Choose Product Components page, choose settings below and select Next.

clip_image024

9. On the Choose Shortcut Folder page, choose settings below and select Next.

clip_image026

10. On the Pre-Installation Summary page, select Install.

clip_image028

11. On the Connector Setup page, select Add a Connector and select Next.

clip_image030

12. On the next Connector Setup page, choose ArcSight FlexConnector JSON Folder Follower and select Next.

clip_image032

13. On the next Connector Setup page, set the Folder Location to the path where JSON logs are being written to (for example, c:\Users\azlog\AzureResourceManagerJson)and set the Configuration File Name Prefix to AzureRM. Select Next.

clip_image034

14. On the next page, select ArcSight Logger SmartMessage(encrypted) and select Next.

clip_image036

15. On the next page, enter the ArcSight Logger machine’s IP address, the Receiver Name of the SmartMessage receiver (for example, SmartMessage Receiver) and select Next.

clip_image038

16. On the next page, fill in information about the connector machine (example information shown) and select Next.

clip_image040

17. The next page may be shown to import the certificate from the ArcSight Logger machine. Select Next.

clip_image042

18. Review the summary on the next Connector Setup summary page and select Next.

clip_image044

19. On the next page select Install as a serviceand select Next.

clip_image046

20. On the next page, leave the defaults as is and select Next.

clip_image048

21. Review the summary on the next page and select Next.

clip_image050

22. On the next page, select Exit and select Next.

clip_image052

23. You should now see the Install Complete page. Select Done.

clip_image054

After the installation wizard is complete, copy the AzureRM.jsonparser.properties file (downloaded as part of Azure log integration) to \Program Files\ArcSightSmartConnectors\current\user\agent\flexagent\AzureRM.jsonparser.properties. The contents of AzureRM.jsonparser.properties can be modified as needed to change the mapping of Azure Resource Manager log entries to ArcSight events. See HP’s Flex Connector documentation for the format of this file.

At this point, the ArcSight ArcSight FlexConnector JSON Folder Follower service should be stopped. If not, stop it from the Services Control Panel application or from the command line using command :

net stop "ArcSight ArcSight FlexConnector JSON Folder Follower

Note:
The exact service name may be different if non-default options were chosen during setup.

Stopping the service should ensure that the AzureRM.jsonparser.properties file is picked up.

Now, start the service from the Services Control Panel or from the command line using this command:

net start "ArcSight ArcSight FlexConnector JSON Folder Follower

Events should now be flowing to the ArcSight logger. Following is a screenshot of Azure Audit logs in ArcSight:

clip_image056

IBM QRadar

Integrate Windows Event Logs into QRadar

Azure Log integration collects Windows VM logs into the Windows Forwarded Event Channel. This is documented in the topic Getting Started with Azure Log Integration.  You will need to further install and configure the IBM QRadar Wincollect agent on the Azure Log Integration machine to integrate events from the Windows Forwarded Event channel into QRadar. To do this refer to the IBM QRadar Wincollect documentation at:

http://public.dhe.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_wincollect.pdf

Integrate Azure Activity Logs and Azure Security Center Alerts into QRadar

To integrate Azure Activity logs and Azure Security Center Alerts over Syslog to QRadar, please visit this blog post.


Comments (0)

Skip to main content