Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Introduction

Microsoft Azure, often referred to as Azure is a cloud computing platform run by Microsoft. It offers access, management, and the development of applications and services through global data centers. It also provides a range of capabilities, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).

Snare Central is offering a convenient way to collect logs generated by a variety of Azure cloud services and store them in the Snare Central Archive for reporting, analysis and compliance.

This setup guide will cover the basic required setup for the SNARE - Azure cloud log collection to work. Security related setup, charges you may incur, and other intricacies related to Microsoft Azure will not be covered in detail in this guide.

Overview

All applications, whether on-premises or in the cloud, must include logging since it aids in security implementation and debugging. Azure provides services in order collect cloud platform logs to ensure optimal application performance.

Snare Central can be configured to collect activity and resource or diagnostic logs from Log Analytics API.

image-20240115-092102.png

Snare Central needs to request authentication keys from Microsoft Entra ID in order to connect to the Log Analytics API. Once authentication is accepted and the required API permission(s) were setup, Snare Central will be able query the target activity and diagnostic logs using the same API.

Types of Azure platform logs

Below are the types of logs that can be collected from Azure (Snare Central supports the collection some log types, see details here for the supported log types).

Microsoft Entra logs

  • Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant.

  • Types of activity logs in Microsoft Entra ID: Sign-in logs and Audit logs

Activity logs

  • It provides insight into the operations on each Azure resource and use to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription.

  • There's a single activity log for each Azure subscription.

Resource logs

  • Resource logs provide an insight into operations that were performed within an Azure resource, known as the data plane. Examples include getting a secret from a key vault or making a request to a database.

  • Log contents vary according to the Azure service and resource type.

  • Logs aren't collected until they're routed to a destination, to be enabled and configured via Diagnostic settings. While some Azure resource may have some special type of logs (e.g. Azure NSG - Flow logs)

Snare Central and Log Analytics API communication

In order for the Snare Central to properly communicate and collect Azure logs using Log Analytics API, these things need to be created and setup first on Azure environment:

  • Register Snare Central in Microsoft Entra ID.

  • Setting up application Access control (IAM)

  • Create Log Analytics workspace.

  • Export activity and diagnostic logs towards Log Analytics workspace.

Register Snare Central in Microsoft Entra ID

To allow Snare Central to access the Log Analytics API, Snare Central must be registered in Microsoft Entra ID formerly known as Azure Active Directory (AD). This allows the Snare Central to establish an identity and specify the needed permission levels for the API access.

The Log Analytics API uses Microsoft Entra ID to provide authentication services that you can use to setup the necessary permission rights for Snare Central to access them.

 3 important steps when registering an application:

Step 1: App registration

  • Create a dedicated application for Snare Central inside Microsoft Entra ID.

  • Follow steps 1~5 on this user guide, last output screen should look like this:

    az-app-reg.png

  • Target output:
    Application (client) ID - Generated by Microsoft Entra ID, Snare Central will use this value when requesting consent from tenant admins and when requesting app-only tokens from Microsoft Entra ID. Make sure to save this value, it will be used during Snare Central’s Azure Cloud log collection configuration.

Step 2: Key or client secret generation

  • Generate the necessary client secret that will be used by Snare Central’s authentication towards Log Analytics API.

  • Follow steps 6~10 on the same user guide, last output screen should look like this:

    image-20240223-030403.png

  • Target output:
    Client Secret: Make sure to copy and save the text in the “Value” column for the generated credential. Microsoft Entra ID only displays this value at the time of its generation, it will be masked after that. Also, it will be used during Snare Central’s Azure Cloud log collection configuration.
    Note: A user is allowed to create and use multiple client credentials.

Step 3: Setting up APIs permissions

  • Configure and setup the required permissions for Log Analytics API connection and interaction with Snare Central.

  • Follow steps 2~7 on this user guide, step 1 is not needed it was already done during App registration and Key or client secret generation.
    Last output screen should look like this:

    image-20240223-031407.png

  • Target output: Permission is set Data.Read, Type is Delegated and Admin consent required is set to No.

Setting up application Access control (IAM)

To access resources under your subscription, you must assign a role to the application (previously created during App registration). Since Snare Central was associated with the said application, the role assigned to the application will be the basis of Snare Central’s access control towards the Azure subscription.

Without this step, Snare Central will not be able to proceed with its connection and collection towards Azure and you may encounter error: The provided credentials have insufficient access to perform the requested operation if not properly done.

 Setting up application’s Access Control

Setting up application’s Access Control

  • Configure the required access control by following the steps below.

  • Go to the Azure portral then search for Subscriptions.

    image-20240223-074453.png

  • Select and click the target subscription, at the subscription’s main page, go and click the Access Control (IAM).

    image-20240223-074720.png

  • Go to Role assignments, then click Add role assignment.

    image-20240223-074925.png

  • Then select Reader then Next, click the Select Member then search for the name of the application (previously created during App registration) then click Select.

    image-20240223-074004.png

  • Click Review + assign and wait for change on Role Assignment to reflect.

    image-20240223-075346.png

  • Target output: Previously created application should have a Reader access control for all resources under your subscription.

Create Log Analytics workspace

When Azure collects logs and data, the information is stored in a workspace. A workspace has a unique workspace ID and resource ID. After you've created a workspace, you can configure the Azure resource(s) to send the activity logs and diagnostic logs to the created workspace.

Snare Central can query and collect logs from the created workspace using the Log Analytics API.

 Creating a Log Analytic workspace

Creating a workspace

  • Note(s):

    • To create a Log Analytics workspace, you need an Azure account with an active subscription.

    • A user may opt to skip this step if the user already has a Log Analytics workspace.

  • Follow steps 1~7 on this user guide.

  • Target output: Workspace resource and unique GUID assign for it - The unique GUID assigned to the workspace will be used during Azure cloud log configuration on Snare Central.

Export activity and diagnostic logs towards Log Analytics workspace.

 Export activity and diagnostic logs.

Export activity logs towards Log Analytics workspace

  • This setting allows the activity logs to be dumped into a target log analytics workspace for Snare Central to query and collect those logs using the Log Analytics API.

  • Follow steps below for the required settings:

    • Go to the Azure portral then search for Monitor.

      image-20240226-033537.png

    • At Monitor page, look for Activity log then click it, then click Export Activity Logs.

      image-20240226-033802.png

    • Click Add diagnostic setting, then fill up the necessary info, then select the target Log Categories and select Send to Log Analytics workspace and select the target Log analytics workspace (which was previously created) then Save.

      image-20240226-061826.png

    • Wait for 1-2 minutes for the settings to reflect on Azure side.

  • Target output: All Azure activity logs is expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.

Export diagnostic logs towards Log Analytics workspace

  • This setting allows a resource specific log(s) to be dumped into a target log analytics workspace for Snare Central to query and collect those logs using the Log Analytics API.

  • Follow steps below for the required settings:

    • Go to the Azure portral then search for the target resource, example: Firewall.

      image-20240226-055843.png

    • Click the target resource and go its Diagnostic Settings

      image-20240226-060132.png

    • Click Add diagnostic setting, then fill up the necessary info, then select the target Log Categories and select Send to Log Analytics workspace, choose Azure diagnostics and select the target Log analytics workspace (which was previously created) then Save.

      image-20240226-061539.png

  • Target output: All logs for the selected Azure resource is expected to be dumped into the selected Log Analytics workspace and Snare Central should be able to collect those activity logs.

  • Note: User needs to repeat the above steps for all the resource that needs log collection.

  • No labels