Versions Compared

Old Version 2

changes.mady.by.user Marlon Morales

Saved on

compared with

New Version Current

changes.mady.by.user Svetlana Sheptiy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
include
outlinefalse
indent
exclude
typelist
class
printablefalse

Introduction

Microsoft Azure, often referred to as Azure is a cloud computing platform run by Microsoft. It offers access, management, and the development of applications and services through global data centers. It also provides a range of capabilities, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).

...

This setup guide will cover the basic required setup for the SNARE - Azure cloud log collection to work. Security related setup, charges you may incur, and other intricacies related to Microsoft Azure will not be covered in detail in this guide.

Overview

Logging is a crucial component of all All applications, both whether on-premises or in the cloud and on-premises, helping with troubleshooting and implementing security of compliance standards, must include logging since it aids in security implementation and debugging. Azure provides services in order to collect cloud platform logs to ensure optimal application performance.

Snare Central can be configured to collect activity and resource or diagnostic logs from Azure using Log Analytics API.

...

Snare Central needs to request authentication keys from Microsoft Entra ID in order to connect to the Log Analytics API. Once authentication is accepted and the required API permission(s) were , required API permissions are granted, and access control is setup, Snare Central will be able to query the target activity and diagnostic logs using the same API.

About Azure platform logs

Below are the types of logs that can be collected from Azure (Snare Central supports the collection some log types, see details here for the supported log types).

Microsoft Entra logs

  • Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

  • Types of activity logs in Microsoft Entra ID: Sign-in logs and Audit logs

Activity logs

  • It provides insight into the operations on each Azure resource and use to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription.

  • There's a single activity log for each Azure subscription.

Resource logs

  • Resource logs provide an insight into operations that were performed within an Azure resource, known as the data plane. Examples include getting a secret from a key vault or making a request to a database.

  • Log contents vary according to the Azure service and resource type.

  • Logs aren't collected until they're routed to a destination, to be enabled and configured via Diagnostic settings. While some Azure resource may have some special type of logs (e.g. Azure NSG - Flow logs)

Snare Central and Log Analytics API communication

In order for the Snare Central to properly communicate to and collect Azure logs using from the Log Analytics API, these things the following steps need to be created and setup first on Azure sidecompleted in Azure environment:

  • Register Snare Central in Microsoft Entra ID.

  • Create and setup Log Analytics workspace.workspace

  • Set up the workspace Access Control (IAM)

  • Export activity and diagnostic logs to a Log Analytics workspace.

Register Snare Central in Microsoft Entra ID

To allow Snare Central to access the Log Analytics API, Snare Central must be registered in Microsoft Entra ID formerly known as Azure Active Directory (AD). This allows the Snare Central to establish an identity and specify the needed permission levels for the API access.

The Log Analytics API use uses Microsoft Entra ID to provide authentication services that you can use to setup the necessary permission rights for the Snare Central to access them.

Expand
title3 important steps when registering an application:

Step 1: App registration

  • Create a dedicated application for Snare Central inside Microsoft Entra ID.

  • Follow steps 1~5 on in this Azure user guide, last output screen should look like this:

    az-app-reg.png

  • Target output:
    Application (client) ID - Generated by Microsoft Entra ID, Snare Central will use this value when requesting consent from tenant admins and when requesting app-only tokens from Microsoft Entra ID. Make sure to save this value, it will be used to setup during Snare Central’s connection towards Log Analytics APIAzure Cloud log collection configuration.

Step 2: Key or client secret generation

  • Generate the necessary client secret that will be used by Snare Central’s authentication towards Log Analytics API.

  • Follow steps 6~10 on in the same Azure user guide, last output screen should look like this:

    image-20240223-030403.png

  • Target output:
    Client Secret: Make sure to copy and save the text in the “Value” column for the generated credential. Microsoft Entra ID only displays this value at the time of its generation, it will be masked after that. Also, this value it will be used to setup during Snare Central’s connection towards Log Analytics APIAzure Cloud log collection configuration.
    Note: A user is allowed to create and use multiple client credentials.

Step 3: Setting up APIs permissions

  • Configure and setup the required permissions for Log Analytics API connection and interaction with Snare Central.

  • Follow steps 2~7 (in this Azure user guide, step 1 is not needed, since it was already done on during App registration and Key or client secret generation) on this userguide, last .
    Last output screen should look like this:

    image-20240223-031407.pngImage Removedimage-20240301-041123.pngImage Added

  • Target output: Permission is set Data.Read, Type is Delegated and Admin consent required is set to No.

About Azure logs

Azure Monitor Logs

Logs are recorded system events and can contain different types of data, be structured or free-form text, and they contain a timestamp. Azure Monitor stores structured and unstructured log data of all types in Azure Monitor Logs. It is also a feature of Azure Monitor that collects and organizes log and performance data from monitored resources.

Azure Platform Logs

Azure Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained.

Azure Monitor Logs can be exported into a Log Analytics workspaces for querying and analysis. Snare Central can connect to the Log Analytics Workspace to collect the

Log Analytics workspaces

Azure Monitor Logs stores the data that it collects in one or more Log Analytics workspaces. You must create at least one workspace to use Azure Monitor Logs.

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services. Each workspace has its own data repository and configuration but might combine data from multiple services.

Azure Monitor Log Analytics API

The Log Analytics Query API is a REST API that you can use to query the full set of data collected by Azure Monitor logs. You can use the same query language that's used throughout the service. Use this API to retrieve data, build new visualizations of your data, and extend the capabilities of Log Analytics.

Azure Platform Logs

Types of platform logs

Microsoft Entra logs

  • Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

  • The features of Microsoft Entra monitoring, and health provide a comprehensive view of identity related activity in your environment.

  • Types of activity logs in Microsoft Entra ID:

    • Audit logs provide you with records of system activities for compliance, including the history of every task performed in your tenant.

    • Sign-in logs capture the sign-in attempts of your users and client applications.

Activity logs

  • Formerly known as operational logs and audit logs.

  • It provides insight into the operations on each Azure resource and use to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription.

  • There's a single activity log for each Azure subscription.

Resource logs

  • Resource logs were previously referred to as diagnostic logs.

  • Resource logs provide an insight into operations that were performed within an Azure resource, known as the data plane. Examples include getting a secret from a key vault or making a request to a database.

  • The contents of resource logs vary according to the Azure service and resource type.

  • Logs aren't collected until they're routed to a destination, to be enabled and configured via Diagnostic settings. While some Azure resource may have some special type of logs (e.g. Azure NSG - Flow logs)

Notes

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/overview

https://azure.microsoft.com/en-us/pricing/details/monitor/

...

Create Log Analytics workspace

When Azure collects logs and data, the information is stored in a workspace. A workspace has a unique workspace ID and resource ID. After you've created a workspace, you can configure the Azure resource(s) to send the activity logs and diagnostic logs to the created workspace.

Snare Central can query and collect logs from the created workspace using the Log Analytics API.

Expand
titleCreating a Log Analytic workspace

Creating a workspace

  • Note(s):

    • To create a Log Analytics workspace, you need an Azure account with an active subscription.

    • A user may opt to skip this step if the user already has a Log Analytics workspace.

  • Follow steps 1~7 in this user guide.

  • Target output: Workspace resource and unique GUID assigned for it - The unique GUID assigned to the workspace will be used during Azure cloud log configuration on Snare Central.

    image-20240301-010739.pngImage Added

Set up the workspace Access Control (IAM)

Expand
titleSetting up workspace’s Access Control (IAM)

Setting up Access Control (IAM)

  • Note: Without this setup, Snare Central will not be able to proceed with its connection and collection towards Azure, and Snare Central will encounter an error "The provided credentials have insufficient access to perform the requested operation" if not properly done.

  • Configure the required access control by following the steps below.

  • Go to the Azure portral then search for Log Analytics workspace.

    image-20240229-025326.pngImage Added

  • Select and click the previously created Log Analytics workspace, at the Log Analytics workspace’s main page, go and click the Access Control (IAM).

    image-20240229-025714.pngImage Added

  • Click Add Role assignment then select Reader role then click Members.

    image-20240229-030050.pngImage Added

  • At Members page, click + Select Members then search for the name of the application (which was previously created during App registration) then click Select.

    image-20240229-030318.pngImage Added

  • Click Review + assign and wait for the modification on Role Assignment to reflect on Role Assignments list.

  • To check the configured Role Assignment, go to the Access Control (IAM) page, then Role Assignments, look for the configured Role Assignment, it should be present on the list under Reader role.

    image-20240229-031005.pngImage Added

Export activity and diagnostic logs to a Log Analytics workspace.

Expand
titleExporting activity and diagnostic logs to a workspace

Export activity logs to a Log Analytics workspace

  • This setting allows the activity logs to be dumped into a target log analytics workspace for Snare Central to query and collect those logs using the Log Analytics API.

  • Follow steps below for the required settings.

  • Go to the Azure portal then search for Monitor.

    image-20240226-033537.pngImage Added

  • On Monitor page, click Activity log, then click Export Activity Logs.

    image-20240226-033802.pngImage Added

  • Click Add diagnostic setting, fill the necessary details, then select the target Log Categories and select Send to Log Analytics workspace and select the target Log analytics workspace (which was previously created) then Save.

    image-20240226-061826.pngImage Added

  • Wait for 1-2 minutes for the settings to reflect on Azure side.

  • Target output: All Azure activity logs are expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.

Export diagnostic logs to the Log Analytics workspace

  • This setting allows a resource specific log(s) to be dumped into a target log analytics workspace for Snare Central to query and collect those logs using the Log Analytics API.

  • Follow steps below for the required settings.

  • Go to the Azure portral then search for the target resource, example: Firewall.

    image-20240226-055843.pngImage Added

  • Click the target resource and go to its Diagnostic Settings.

    image-20240301-045947.pngImage Added

  • Click Add diagnostic setting, fill the necessary details, then select the target Log Categories and select Send to Log Analytics workspace, choose Azure diagnostics and select the target Log analytics workspace (which was previously created) then Save.

    image-20240226-061539.pngImage Added

  • Target output: All logs for the selected Azure resource are expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.

  • Note: User needs to repeat the above steps for all the resources that need log collection.

Setting Up Snare Central - Azure Cloud Log Collection

Starting from Snare Central v8.6.0, Azure Cloud Log Collection functionality is available as long as you have the proper license for it.

This capability requires a license with either Office 365 Logs Collection (IA_CLOUD_O365) or Cloud Logs Collection (IA_CLOUD) license features.

This guide will help you setup up your Snare Central and start collecting supported Azure activity and resource logs in no-time by simply using the intuitive Cloud Log Collection Configuration Web UI of Snare Central.

Info

For more info about the supported Azure Log types, see: Supported Azure Log Types.

Expand
titleStep by Step Guide for Setting Up Snare Central - Azure Cloud Log Collection

Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.

image-20240226-085125.pngImage Added

Step 2. Select Azure Cloud and Click ADD CLOUD COLLECTION button.

image-20240226-073826.pngImage Added

Step 3. Input all the necessary Azure Cloud Collection Configuration Information and click Test Connection Button to check if the configuration is correct and can properly connect to the Log Analytics API.

  • Name: Any name to easily identify this Azure Cloud Log Collector.

  • Enabled: Can be toggled ON/OFF. This will determine if the Azure Cloud Collector will be enabled and start log collection (This can also be toggled ON/OFF easily later after setup).

  • Supported Logs: Identifies the target log type/s to be collected collector, see supported log types here.

  • Fetch Interval: Log collection interval (in millisecond) for each log collection request, should not be less than 120000 or greater than 900000.

  • Domain: Fetch the Primary domain value on the main page of the Azure portal site.

    Image Added

  • Tenant ID: Fetch the Tenant ID value on the same Azure portal site.

  • Organization ID: The organization or company name or you can fetch the Name value on the same Azure portal site.

  • Subscription ID: Fetch the user’s subscription ID using this user guide.

    image-20240226-072816.pngImage Added

  • Workspace ID: Fetch the Workspace ID that was generated during Log Analytics workspace creation.

    image-20240226-071927.pngImage Added

  • Client ID: Fetch the Application (client) ID that was generated during App registration.

    image-20240226-070923.pngImage Added

  • Client Secret: Fetch the “Value” that was generated during Key or client secret generation.

    image-20240226-071054.pngImage Added

  • Additional Notes

    • For optional field(s) and information about the collector you may use to Note part of the Azure Cloud Log Collector.

      image-20240226-080828.pngImage Added

    • Test Connection can be used to check whether the input configuration parameters are correct or not.

      image-20240226-080747.pngImage Added

Step 4. Click ADD button, then you should be able to see the added Azure Cloud Log Collector under the Azure Cloud Collection List.

image-20240226-075244.pngImage Added

Updating/Deleting - Azure Cloud Log Collection Configuration

If you want to update or delete an existing Azure Cloud - Log Collector that were previously configured, you can simply use the Snare Central’s Cloud Log Collection Configuration Web UI and follow the simple steps below.

Expand
titleStep by Step Guide for Updating Snare Central - Azure Cloud Log Collection

Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.

image-20240226-085125.pngImage Added

Step 2. Select Azure Cloud and Click the Azure Cloud Log Collector that you want to update.
Collector details panel will open on the right-hand side.
Click the Edit icon on the top right of the details panel.

image-20240226-080314.pngImage Added

Step 3. In the Edit screen, you can update the configuration and optionally do a Test Connection to check if the updated configuration can successfully connect to the Log Analytics API, then simply click the SAVE button to save the updated configuration.

image-20240226-080542.pngImage Added

Expand
titleStep by Step Guide for Deleting Snare Central - Azure Cloud Log Collection

Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.

image-20240226-085125.pngImage Added

Step 2. Select Azure Cloud and Click the Azure Cloud Collector that you want to delete.
Collector details panel will open on the right-hand side.

image-20240226-083721.pngImage Added


Click the Delete icon on the top right of the details panel.

Troubleshooting Guide

This guide will be your resource for resolving common issues and challenges that you may encounter with Azure - Cloud Log Collection.

  1. Azure Cloud icon is gray in System > Administrative Tools > Cloud Log Collection Configuration Web UI.

Expand
titlePossible Cause and Resolution

When Azure Cloud icon in Cloud Log Providers list is gray, it is possible that Snare Central does not have IA_CLOUD or IA_CLOUD_O365 license.

image-20240229-063028.pngImage Added

 

You can check it via navigating to Status > Snare Health Checker or simply click the heart icon in the lower left corner of Snare Central and scroll down to Snare Central License and select Show Details to view the License Information.

image-20240229-063649.pngImage Added

 

If there are no IA_CLOUD or IA_CLOUD_O365 in the License Information, then you needed the correct license with IA_CLOUD or IA_CLOUD_O365. Once you have the correct license, click License Page button.

image-20240301-062304.pngImage Added

 

In the License Update page, click Browse button and navigate to the correct license then click Load License button.

Image Added

Wait for a while then navigate to System > Administrative Tools > Cloud Log Collection Configuration and you should be able to see Azure Cloud icon is now green and you should be able to Add Azure Cloud Collection.

image-20240229-064012.pngImage Added

  1. Azure Cloud Log Collector icon is gray, and the Status is Not Running (Disabled by configuration)

Expand
titlePossible Cause and Resolution

When your configured Azure Cloud Log Collector icon is gray, it is possible that the log collector is disabled during configuration or toggled off.

image-20240229-071315.pngImage Added

Select the Azure Cloud Log Collector and check if Status: Not Running (Disabled by configuration)

image-20240229-071627.pngImage Added

To enable Azure Cloud Log Collector, simply toggle on the Enable button beside its name in Cloud Log Providers or the one in the upper right corner beside the Edit icon, then click Confirm in the pop-up dialog box.

image-20240229-071540.pngImage Added

Once toggled to ON, the configured Azure Cloud Log Collector icon should be green and enabled. Snare Central will now start collecting Azure activity and platform Logs (assuming that the configuration parameters were valid and working).

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (Could not generate access token for ….)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and Status is Not Running (Could not generate access token for ….), it is possible that the Client ID or Client Secret is invalid or expired.

image-20240229-072149.pngImage Added

Go to Azure portal site and check if Tenant ID is correct or if the Client ID and Client Secret is not yet expired or check if the value entered in the Snare Central cloud collection configuration is correct.
See App Registration guide above, for the identification of Client ID and Client Secret.

If the value entered in the Snare Central Configuration is incorrect, you can simply edit it by clicking the Edit icon on the upper left corner.

image-20240229-072346.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (The provided credentials have insufficient access …)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and Status: Not Running (The provided credentials have insufficient access …), it is possible that the Log Analytics API permission is not properly set, or the Log Analytics workspace’s access control was not properly configured.

image-20240229-080954.pngImage Added

Go to the Azure portal site, check the assigned application at Application Registration, and verify if the permissions were properly set. See App Registration guide above, to identify whether API has the correct permission.

image-20240229-074816.pngImage Added

If the permission is correct, then check the Log Analytics workspace’s access control to see if it's properly configured. See Setting up workspace Access Control guide, to identify whether access control is properly configured or not.

image-20240229-075731.pngImage Added

Update and configure the necessary API permission and workspace’s access control then re-enable the collector by Disabling and Enabling Azure Cloud Log Collector again after 5 minutes (it may take a while for the new settings to reflect on the entire Azure environment).

image-20240229-081148.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (The workspace could not be found for logtype ...)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and Status: Not Running (The workspace could not be found for logtype ...), it is possible that the configured Workspace ID is incorrect or does not exist.

image-20240301-004550.pngImage Added

Go to Azure portal site and search for the target Log Analytics workspace and check if the Workspace ID value entered in the Snare Central cloud collection configuration is correct.

image-20240301-010828.pngImage Added

If the Workspace ID value entered in the Snare Central Configuration is incorrect, you can simply edit and update it by clicking the Edit icon on the upper left corner.

If Log Analytics workspace does not exist, then you need to create a new Log Analytic workspace (See Create Log Analytics workspace guide), setup the necessary access control (See Setting up workspace Access Control guide) and edit the Workspace ID on the collector’s configuration.

image-20240301-005620.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (Cannot connect to microsoft API, please check the IP configuration …)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and the Status is Status: Not Running (Cannot connect to microsoft API, please check the IP configuration of the Snare Central.), it is possible that the IP Configuration is incorrect.

image-20240301-011948.pngImage Added

Go to Snare Central and navigate to System > Administrative Tools > Configuration Wizard > IP Address Configuration then check if the IP Configuration parameters were correct (most of the time the problem lies on the Domain Name Server(s)).

Image Added

After updating the necessary IP Configuration parameter/s, re-enable the collector by Disabling and Enabling Azure Cloud Log Collector again after 1 minutes.

image-20240301-012238.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (Cannot connect to proxy server, ….)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and the Status is Status: Not Running (Cannot connect to proxy server, ….), it is possible that the proxy was enabled in the Snare Central with incorrect settings.

image-20240301-013617.pngImage Added

Go to Snare Central and navigate to System > Administrative Tools > Configuration Wizard > Network Services then Proxy Settings, check the following:

  • Check if the value of Proxy address and Proxy port were correct.

    image-20240301-064432.pngImage Added

  • If proxy address and port were correct, check if the proxy server is up and running.

  • If proxy server is OK, check the Snare Central’s firewall settings here, System > Administrative Tools > Configuration Wizard > Firewall Setup (example: if target proxy port was allowed or not), same goes with the firewall settings of the proxy server and port; check if they were properly configured.

After updating the necessary Proxy Settings or configuring the proper firewall settings, re-enable the collector by Disabling and Enabling Azure Cloud Log Collector again after 1 minute.

image-20240301-042308.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (Invalid proxy credentials...)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and the Status is Status: Not Running (Invalid proxy credentials, please re-configure these parameters.), it is possible that the proxy was enabled in the Snare Central with incorrect settings.

image-20240301-023744.pngImage Added

Go to Snare Central and navigate to System > Administrative Tools > Configuration Wizard > Network Services then Proxy Settings, check the following.

  • Check if the value of Proxy user and Proxy password were correct.

    image-20240301-063810.pngImage Added

  1. Azure Cloud Log Collector icon is red, and the Status is Not Running (Invalid proxy type…)

Expand
titlePossible Cause and Resolution

When the Azure Cloud Log Collector icon is red and the Status is Status: Not Running (Invalid proxy type, please re-configure 'type' based on the actual proxy server type.), it is possible that the proxy was enabled in the Snare Central with incorrect settings.

image-20240301-024648.pngImage Added

Go to Snare Central and navigate to System > Administrative Tools > Configuration Wizard > Network Services then Proxy Settings, check the following:

  • Check if the value of Proxy type is correct.

    image-20240301-063843.pngImage Added

     

After updating the necessary Proxy Settings or configuring the proper firewall settings, re-enable the collector by Disabling and Enabling Azure Cloud Log Collector again after 1 minute.

image-20240301-043216.pngImage Added