
Introduction

Microsoft Azure, often referred to simply as Azure, is a cloud computing platform run by Microsoft. It provides access to, management of, and development of applications and services through Microsoft's global data centers, and it offers a range of service models, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).

Snare Central offers a convenient way to collect logs generated by a variety of Azure cloud services and store them in the Snare Central Archive for reporting, analysis and compliance.

This setup guide covers the basic setup required for SNARE - Azure cloud log collection to work. Security hardening of the Azure side, charges you may incur, and other intricacies of Microsoft Azure are not covered in detail in this guide.

Overview

Logging is a crucial component of all applications, both in the cloud and on-premises, supporting troubleshooting as well as security and compliance requirements. Azure provides services to collect cloud platform logs so that application health and activity can be monitored.

Snare Central can be configured to collect activity logs and resource (diagnostic) logs through the Log Analytics API.

image-20240115-092102.png

Snare Central requests an access token from Microsoft Entra ID in order to connect to the Log Analytics API. Once authentication succeeds and the required API permission(s) have been set up, Snare Central can query the target activity and diagnostic logs through the same API.

Snare Central and Log Analytics API communication

For Snare Central to communicate with Azure and collect logs through the Log Analytics API, the following must first be created and configured on the Azure side:

  • Register Snare Central in Microsoft Entra ID.

  • Create and setup Log Analytics workspace.

  • Export activity and diagnostic logs to a Log Analytics workspace.

Register Snare Central in Microsoft Entra ID

To allow Snare Central to access the Log Analytics API, Snare Central must be registered as an application in Microsoft Entra ID (formerly known as Azure Active Directory, or Azure AD). The registration gives Snare Central its own identity in the tenant and is where the permission levels needed for API access are specified.

The Log Analytics API uses Microsoft Entra ID for authentication, so the permissions Snare Central needs in order to access the API are granted through this Entra ID registration.

There are three important steps when registering the application:

Step 1: App registration

  • Create a dedicated application for Snare Central inside Microsoft Entra ID.

  • Follow steps 1~5 in this user guide; the final screen should look like this:

    az-app-reg.png

  • Target output:
    Application (client) ID - Generated by Microsoft Entra ID. Snare Central uses this value when requesting consent from tenant admins and when requesting app-only tokens from Microsoft Entra ID. Save this value; it is needed when setting up Snare Central's connection to the Log Analytics API.

Step 2: Key or client secret generation

  • Generate the necessary client secret that will be used by Snare Central’s authentication towards Log Analytics API.

  • Follow steps 6~10 in the same user guide; the final screen should look like this:

    image-20240223-030403.png

  • Target output:
    Client Secret: Copy and save the text in the "Value" column for the generated credential. Microsoft Entra ID displays this value only at the time it is generated and masks it afterwards; if the value is lost, a new secret has to be generated. This value is also needed when setting up Snare Central's connection to the Log Analytics API.
    Note: An application may have several client secrets at the same time, which allows a new secret to be created and rolled out before the old one expires. Treat the secret as a password: every client secret is given an expiry date when it is created, so record that date and plan to rotate the secret in Snare Central before it lapses, and keep the value only in a secrets store rather than in a ticket or e-mail.

Step 3: Setting up APIs permissions

  • Configure and setup the required permissions for Log Analytics API connection and interaction with Snare Central.

  • Follow steps 2~7 in this user guide (step 1 was already completed during App registration and Key or client secret generation); the final screen should look like this:

    image-20240223-031407.png

  • Target output: Permission is set to Data.Read, Type is Delegated and Admin consent required is set to No.
    Note: A delegated permission only takes effect when a signed-in user is part of the token request. When Snare Central authenticates with just the Application (client) ID and client secret (the app-only token mentioned in Step 1), the token carries no delegated permission, so the registered application must also be granted access to the workspace itself through an Azure role assignment (the built-in Log Analytics Reader role on the workspace, under Access control (IAM)). Verify with a test query before configuring Snare Central: a token that is issued but then rejected by the query endpoint usually means this role assignment is missing.
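The three steps above give Snare Central an identity, a credential and a permission. The following Python script, added to this page as an illustration and not part of Snare Central's or Microsoft's code, shows what is done with those values at runtime: it performs the OAuth 2.0 client credentials grant against Microsoft Entra ID with the Application (client) ID and client secret, sanity-checks the audience claim of the returned token, then sends a KQL query for the last hour of AzureActivity records to the Log Analytics Query API and flattens the tables/columns/rows response into records. The tenant, client, secret and workspace values are placeholders; the `demo_opener` stand-in and the token and query replies it returns are constructed so the script runs offline; `collect_activity`, `demo_opener` and the other function names are this example's own; and the audience check assumes the v2.0 token endpoint reports the API's resource URI as `aud`.

```python
"""Added example (not Snare Central's or Microsoft's code): client credentials
token from Microsoft Entra ID, then a KQL query against the Log Analytics API.
All IDs are placeholders; demo_opener returns constructed responses."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
API_RESOURCE = "https://api.loganalytics.io"       # resource the token must be issued for
SCOPE = API_RESOURCE + "/.default"                  # app-only scope for the query API


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST: Entra ID token URL and form body."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def query_request(workspace_id, kql, bearer_token, timespan="PT1H"):
    """Build the Log Analytics query POST: URL, headers and JSON body."""
    headers = {"Authorization": "Bearer " + bearer_token,
               "Content-Type": "application/json"}
    body = json.dumps({"query": kql, "timespan": timespan}).encode()
    return QUERY_URL.format(workspace=workspace_id), headers, body


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. This is only a
    local sanity check on a token just received from Entra ID; the API itself
    validates the signature. Never use this to accept tokens from a client."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def flatten(response):
    """Turn the API's {"tables": [{"columns": [...], "rows": [...]}]} shape
    into a list of {column name: value} records."""
    records = []
    for table in response["tables"]:
        names = [col["name"] for col in table["columns"]]
        records.extend(dict(zip(names, row)) for row in table["rows"])
    return records


def post_json(url, data, headers, opener=urllib.request.urlopen):
    """POST and parse the JSON reply; `opener` is injectable for offline runs."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read())


def collect_activity(tenant_id, client_id, client_secret, workspace_id,
                     opener=urllib.request.urlopen):
    """End to end: obtain an app-only token, check its audience, then pull the
    last hour of AzureActivity records from the workspace."""
    url, body = token_request(tenant_id, client_id, client_secret)
    tok = post_json(url, body, {"Content-Type": "application/x-www-form-urlencoded"}, opener)
    aud = jwt_claims(tok["access_token"]).get("aud")
    if aud != API_RESOURCE:                         # assumption: aud is the resource URI
        raise RuntimeError("token not issued for the Log Analytics API: %r" % aud)
    kql = ("AzureActivity | where TimeGenerated > ago(1h) "
           "| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue")
    url, headers, body = query_request(workspace_id, kql, tok["access_token"])
    return flatten(post_json(url, body, headers, opener))


# --- constructed offline stand-ins (no network involved) -------------------------
def fake_jwt(claims):
    """Unsigned token carrying the given claims, for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


class _Canned:
    """Minimal urlopen-like response wrapping a canned JSON payload."""
    def __init__(self, payload):
        self._raw = json.dumps(payload).encode()
    def read(self):
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo_opener(req):
    """Stand-in for urlopen: canned Entra ID token reply and canned query reply."""
    if req.full_url.startswith("https://login.microsoftonline.com/"):
        return _Canned({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": fake_jwt({"aud": API_RESOURCE, "appid": "client-id"})})
    if not (req.get_header("Authorization") or "").startswith("Bearer "):
        raise RuntimeError("query sent without a bearer token")
    return _Canned({"tables": [{"name": "PrimaryResult", "columns": [
        {"name": "TimeGenerated", "type": "datetime"}, {"name": "Caller", "type": "string"},
        {"name": "OperationNameValue", "type": "string"}, {"name": "ActivityStatusValue", "type": "string"}],
        "rows": [["2024-02-23T03:04:03Z", "admin@contoso.example", "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success"],
                 ["2024-02-23T03:05:10Z", "admin@contoso.example", "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE", "Failure"]]}]})


if __name__ == "__main__":
    for rec in collect_activity("tenant-id", "client-id", "client-secret", "workspace-id", opener=demo_opener):
        print(rec["TimeGenerated"], rec["Caller"], rec["OperationNameValue"], rec["ActivityStatusValue"])
```

Pointing `collect_activity` at a real tenant (leave `opener` at its default, `urllib.request.urlopen`) is a quick way to confirm the registration before configuring Snare Central: a failure at the token endpoint points at the tenant ID, client ID or secret, while a token that is issued and then rejected by the query endpoint points at the application not yet having access to the workspace.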

About Azure logs

Azure Monitor Logs

Logs are recorded system events. They can contain different types of data, be structured or free-form text, and always carry a timestamp. Azure Monitor Logs is the feature of Azure Monitor that stores structured and unstructured log data of all types and that collects and organizes log and performance data from monitored resources.

Azure Platform Logs

Azure platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are generated automatically, but certain platform logs must be configured to be forwarded to one or more destinations in order to be retained.

Azure Monitor Logs can be exported into a Log Analytics workspace for querying and analysis. Snare Central can connect to the Log Analytics Workspace to collect the

Log Analytics workspaces

Azure Monitor Logs stores the data that it collects in one or more Log Analytics workspaces. You must create at least one workspace to use Azure Monitor Logs.

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services. Each workspace has its own data repository and configuration but might combine data from multiple services.

Azure Monitor Log Analytics API

The Log Analytics Query API is a REST API that you can use to query the full set of data collected by Azure Monitor logs. You can use the same query language that's used throughout the service. Use this API to retrieve data, build new visualizations of your data, and extend the capabilities of Log Analytics.

Azure Platform Logs

Types of platform logs

Microsoft Entra logs

  • Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

  • The Microsoft Entra monitoring and health features provide a comprehensive view of identity-related activity in your environment.

  • Types of activity logs in Microsoft Entra ID:

    • Audit logs provide you with records of system activities for compliance, including the history of every task performed in your tenant.

    • Sign-in logs capture the sign-in attempts of your users and client applications.

Activity logs

  • Formerly known as operational logs and audit logs.

  • It provides insight into the operations performed on each Azure resource from the outside (the management or control plane) and is used to determine the what, who, and when of any write operation (PUT, POST, DELETE) taken on the resources in your subscription.

  • There's a single activity log for each Azure subscription.

Resource logs

  • Resource logs were previously referred to as diagnostic logs.

  • Resource logs provide an insight into operations that were performed within an Azure resource, known as the data plane. Examples include getting a secret from a key vault or making a request to a database.

  • The contents of resource logs vary according to the Azure service and resource type.

  • Resource logs aren't collected until they're routed to a destination; this is enabled and configured per resource via Diagnostic settings. Some Azure resources also have their own special type of logs (e.g. Azure NSG flow logs) that are enabled separately.

Notes

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/overview

https://azure.microsoft.com/en-us/pricing/details/monitor/
