...
In order for Snare Central to properly communicate with and collect Azure logs from the Log Analytics API, the following steps need to be completed in the Azure environment:
Register Snare Central in Microsoft Entra ID.
Create a Log Analytics workspace.
Set up the workspace Access Control (IAM).
Export activity and diagnostic logs to a Log Analytics workspace.
Register Snare Central in Microsoft Entra ID
...
3 important steps when registering an application:
Step 1: App registration
Create a dedicated application for Snare Central inside Microsoft Entra ID. Follow steps 1~5 in this Azure user guide. The last output screen should show the following.
Target output: Application (client) ID. This value is generated by Microsoft Entra ID, and Snare Central will use it when requesting consent from tenant admins and when requesting app-only tokens from Microsoft Entra ID. Make sure to save this value; it will be used during Snare Central’s Azure Cloud log collection configuration.

Step 2: Key or client secret generation
Generate the client secret that Snare Central will use to authenticate to the Log Analytics API. Follow steps 6~10 in the same Azure user guide. The last output screen should show the following.
Target output: Client Secret. Make sure to copy and save the text in the “Value” column for the generated credential. Microsoft Entra ID only displays this value at the time of its generation; it will be masked after that. It will also be used during Snare Central’s Azure Cloud log collection configuration.
Note: A user is allowed to create and use multiple client credentials.

Step 3: Setting up API permissions
Configure the permissions required for Snare Central to connect to and interact with the Log Analytics API. Follow steps 2~7 in this Azure user guide; step 1 is not needed, since it was already done during App registration and Key or client secret generation. The last output screen should show the following.
Target output: Permission is set to Data.Read, Type is Delegated and Admin consent required is set to No.
...
Creating a Log Analytics workspace
Creating a workspace
Note(s): To create a Log Analytics workspace, you need an Azure account with an active subscription. A user may opt to skip this step if the user already has a Log Analytics workspace.
Follow steps 1~7 in this user guide.
Target output: Workspace resource and the unique GUID assigned to it. The unique GUID assigned to the workspace will be used during Azure cloud log configuration on Snare Central.
...
Set up the workspace Access Control (IAM)
Setting up workspace’s Access Control (IAM)
Setting up Access Control (IAM)
Note: Without this setup, Snare Central will not be able to connect to Azure and collect logs, and it will encounter the error "The provided credentials have insufficient access to perform the requested operation" if the setup is not done properly.
Configure the required access control by following the steps below.
Go to the Azure portal, then search for Log Analytics workspace.
Select the previously created Log Analytics workspace and, on the workspace’s main page, click Access Control (IAM).
Click Add Role assignment, select the Reader role, then click Members.
On the Members page, click + Select Members, search for the name of the application (which was previously created during App registration), then click Select.
Click Review + assign and wait for the change to appear in the Role Assignments list.
To check the configured Role Assignment, go to the Access Control (IAM) page, then Role Assignments, and look for the configured Role Assignment. It should be present in the list under the Reader role.
Export activity and diagnostic logs to a Log Analytics workspace.
Exporting activity and diagnostic logs to a workspace
Export activity logs to a Log Analytics workspace
This setting allows the activity logs to be dumped into a target Log Analytics workspace so that Snare Central can query and collect those logs using the Log Analytics API. Follow the steps below for the required settings.
Go to the Azure portal, then search for Monitor.
On the Monitor page, click Activity log, then click Export Activity Logs.
Click Add diagnostic setting, fill in the necessary details, select the target Log Categories, select Send to Log Analytics workspace, select the target Log Analytics workspace (which was previously created), then Save.
Wait for 1-2 minutes for the settings to reflect on the Azure side.
Target output: All Azure activity logs are expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.

Export diagnostic logs to the Log Analytics workspace
This setting allows resource-specific logs to be dumped into a target Log Analytics workspace so that Snare Central can query and collect those logs using the Log Analytics API. Follow the steps below for the required settings.
Go to the Azure portal, then search for the target resource, for example: Firewall.
Click the target resource and go to its Diagnostic Settings.
Click Add diagnostic setting, fill in the necessary details, select the target Log Categories, select Send to Log Analytics workspace, choose Azure diagnostics, select the target Log Analytics workspace (which was previously created), then Save.
Target output: All logs for the selected Azure resource are expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.
Note: The user needs to repeat the above steps for all the resources that need log collection.
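The values saved during the Azure steps above come together in two HTTP requests: an app-only token request and a workspace query. The sketch below is an added example, not Snare Central's own code; it builds both requests and maps typical query responses back to the setup step to re-check. The tenant ID, the placeholder GUIDs and secret, the `AzureActivity | take 1` probe query and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.parse

# Constructed placeholders; substitute the values saved during the Azure setup.
TENANT_ID = "00000000-0000-0000-0000-000000000000"     # directory (tenant) ID, assumed
CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # Application (client) ID, Step 1
CLIENT_SECRET = "constructed-secret-value"             # client secret "Value", Step 2
WORKSPACE_ID = "22222222-2222-2222-2222-222222222222"  # workspace GUID

def token_request(tenant_id, client_id, client_secret):
    """App-only (client credentials) token request for the Log Analytics API."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://api.loganalytics.io/.default"}
    return url, urllib.parse.urlencode(form).encode()

def query_request(workspace_id, access_token, kql="AzureActivity | take 1"):
    """Query request against the workspace identified by its GUID."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": kql}).encode()

def diagnose(status, body):
    """Map a query response to the setup step that most likely needs attention."""
    doc = json.loads(body) if body else {}
    if status == 200:
        rows = sum(len(t.get("rows", [])) for t in doc.get("tables", []))
        return "ok" if rows else "no rows: check the export of activity/diagnostic logs"
    message = doc.get("error", {}).get("message", "")
    if status == 403 or "insufficient access" in message:
        return "access denied: check the Reader role in the workspace Access Control (IAM)"
    if status == 401:
        return "token rejected: check the values used in the token request"
    return f"unexpected response {status}: {message}"

# Constructed sample responses, shaped like the API's JSON, so this runs offline.
DENIED = json.dumps({"error": {"code": "InsufficientAccessError", "message":
    "The provided credentials have insufficient access to perform the requested operation"}})
EMPTY = json.dumps({"tables": [{"name": "PrimaryResult", "columns": [], "rows": []}]})
ONE_ROW = json.dumps({"tables": [{"name": "PrimaryResult", "columns": [], "rows": [["x"]]}]})

if __name__ == "__main__":
    for status, body in [(403, DENIED), (200, EMPTY), (200, ONE_ROW)]:
        print(status, "->", diagnose(status, body))
```

Keep the client secret out of scripts and shell history when running such a check against a real tenant; read it from a protected store or an environment variable instead.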
Setting Up Snare Central - Azure Cloud Log Collection
Starting from Snare Central v8.6.0, Azure Cloud Log Collection functionality is available as long as you have the proper license for it.
...