As a Managed Security Service Provider (MSSP), there is often a need to collect and forward logs from customer tenants to the MSSP's Sentinel instance for comprehensive security monitoring and analysis. When customers acquire new businesses or operate multiple Azure tenants, they need a streamlined approach to manage security operations across all tenants. This involves consolidating logs into a single Sentinel instance to maintain a unified security posture and simplify management.
Current Challenges:
Forwarding logs across tenants can be done manually by configuring diagnostic settings on each resource individually (storage accounts, key vaults, and so on) through Lighthouse, but this is cumbersome at scale. Automating it with Azure Policy would be ideal, but it is not feasible here: policy remediation runs under a managed identity, and managed identities are confined to a single tenant, so they cannot write logs to a workspace in another tenant.
In this article, we explore how to forward Azure resource diagnostic logs from one tenant to a Sentinel instance in another tenant using a PowerShell script.
High Level Architecture:
Approach:
1. Resources Creation
This section describes the creation of the resources necessary for forwarding logs to the MSSP Log Analytics workspace.
1.1 Lighthouse Enablement
Refer to the below links to learn more about Lighthouse configuration for Sentinel:
1.2 Create Multitenant SPN
- In the MSSP (managing) tenant, create a multitenant application registration and set up a client secret for it.
- An admin on the customer side provisions a service principal in the customer tenant. This service principal is based on the multitenant application that the provider created.
- The customer applies role-based access control (RBAC) roles to this new service principal so that it is authorized to enable diagnostic settings in the customer tenant and to forward the logs to the MSSP Log Analytics workspace.
Required permissions: Monitoring Contributor in the customer tenant and Log Analytics Contributor in the MSSP tenant.
1.3 Access Delegation
- Grant the Monitoring Contributor role to the multitenant SPN created in step 1.2 on the customer subscriptions, using Azure Lighthouse delegation, so that it can enable diagnostic settings on all in-scope Azure resources at subscription level.
- Assign the Log Analytics Contributor role in the MSSP tenant to the same SPN so that it can write to the destination workspace and forward the logs to Microsoft Sentinel in the MSSP tenant. Both roles must be held by the one identity the script signs in with, because a single diagnostic setting names both the customer resource and the MSSP workspace.
2. Logging Configuration
PowerShell script: the script used to enable logging on Azure resources across all subscriptions in the customer tenant. The solution involves the following components:
- Master PowerShell Script (Mainfile.ps1): lists and executes the child scripts for the different Azure resource types, depending on the logging requirement.
- Child PowerShell Scripts: individual scripts that enable diagnostic settings on a specific Azure resource type (e.g., Child_AzureActivity.ps1, Child_KeyVault.ps1).
- Configuration Script (Config.ps1): contains the SPN details, the diagnostic setting name and log categories, and the destination Sentinel workspace details.
Master PowerShell Script details:
mainfile.ps1 contains the list of child PowerShell scripts that are executed one by one. Comment out the child file name wherever logging for that resource type is not required.
Logging Configuration PowerShell Script details:
Config.ps1 holds the SPN details (tenant ID, client ID, client secret), the diagnostic setting name, the destination Sentinel workspace details, and the log categories to enable for each resource type.
Change the values according to the environment and requirements. Because the client secret grants write access in both tenants, do not leave it in plaintext in Config.ps1 on a shared host; read it from a secret store at run time and rotate it regularly.
- Child PowerShell Scripts Details:
- Child_AzureActivity.ps1
- Child_KeyVault.ps1
- Child_NSG.ps1
- Child_AzureSQL.ps1
- Child_AzureFirewall.ps1
- Child_PublicIPDDOS.ps1
- Child_WAF_AppGateway.ps1
- Child_WAF_FrontDoor.ps1
- Child_WAF_PolicyDiagnostics.ps1
- Child_AKS.ps1
- Child_StorageAccount.ps1
Execution: run the main PowerShell script on a schedule; it executes the child scripts to enable diagnostic settings for the configured resource types such as Azure Activity, Azure Firewall, and Azure Key Vault.
The main file executes the child PowerShell scripts one by one as configured. Each child script works as follows:
- Import config.ps1 to get the SPN, destination Sentinel workspace, and logging details.
- Log in to the tenant using the SPN.
- Get the list of subscriptions visible to the SPN.
- Get the resources of the script's type (e.g., NSGs or Key Vaults) from each subscription in turn.
- Check whether a diagnostic setting whose name contains the configured keyword already exists on the resource.
- If it exists, skip the resource and move on to the next one. If not, create the diagnostic setting and forward the logs to the MSSP Sentinel workspace.
Because the script runs repeatedly, this check is what keeps it idempotent: a resource can hold at most five diagnostic settings, and Azure rejects a new setting that sends a category to a workspace that another setting on the same resource already uses for that category, so the check should also treat an existing setting that already targets the MSSP workspace as enabled.
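As an added example, not one of the article's scripts, here is a child script written in the pattern described above, for Key Vault. It imports Config.ps1, signs in with the multitenant SPN, walks every subscription the SPN can see, and creates the diagnostic setting only where one is missing. The Config.ps1 variable names ($TenantId, $ClientId, $ClientSecret, $DiagSettingName, $DestWorkspaceResourceId, $KeyVaultLogCategories) and the two helper function names are assumptions, not the repository's own.

```powershell
# Added example (not the article's own script): child-style script for Key Vault.
# Assumed Config.ps1 variables: $TenantId, $ClientId, $ClientSecret, $DiagSettingName,
# $DestWorkspaceResourceId (ARM resource ID of the MSSP workspace), $KeyVaultLogCategories.
# Requires the Az.Accounts, Az.KeyVault and Az.Monitor (3.0+) modules.

# 1. Import the configuration.
. (Join-Path $PSScriptRoot 'Config.ps1')
if (-not $KeyVaultLogCategories) { $KeyVaultLogCategories = @('AuditEvent') }

# 2. Log in with the multitenant SPN. Customer subscriptions delegated through
#    Lighthouse appear in this same session alongside the MSSP subscriptions.
$cred = [pscredential]::new($ClientId, (ConvertTo-SecureString $ClientSecret -AsPlainText -Force))
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null

function Test-DiagnosticSettingPresent {
    # $true when the resource already has a setting whose name contains the keyword,
    # or one that already targets the MSSP workspace. The second test matters because
    # Azure rejects a new setting that sends a category to a sink (the workspace) which
    # another setting on the same resource already uses for that category.
    param([string]$ResourceId, [string]$Keyword, [string]$WorkspaceId)
    $existing = Get-AzDiagnosticSetting -ResourceId $ResourceId -ErrorAction SilentlyContinue
    foreach ($setting in @($existing)) {
        if ($setting.Name -like "*$Keyword*") { return $true }
        if ($setting.WorkspaceId -and $setting.WorkspaceId -eq $WorkspaceId) { return $true }
    }
    return $false
}

function Enable-KeyVaultDiagnostics {
    # Creates one diagnostic setting routing the given log categories plus AllMetrics
    # to the MSSP workspace. The caller needs Monitoring Contributor on the vault and
    # Log Analytics Contributor on the workspace (step 1.3).
    param([string]$ResourceId, [string]$SettingName, [string]$WorkspaceId, [string[]]$Categories)
    $logs    = @(foreach ($c in $Categories) { New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true })
    $metrics = @(New-AzDiagnosticSettingMetricSettingsObject -Category 'AllMetrics' -Enabled $true)
    New-AzDiagnosticSetting -Name $SettingName -ResourceId $ResourceId `
        -WorkspaceId $WorkspaceId -Log $logs -Metric $metrics | Out-Null
}

# 3. Walk every subscription the SPN can see, then every Key Vault in it.
$report = foreach ($sub in Get-AzSubscription -TenantId $TenantId) {
    Set-AzContext -SubscriptionId $sub.Id -TenantId $TenantId | Out-Null
    foreach ($kv in Get-AzKeyVault) {   # no arguments: vaults in the current subscription only
        $state = 'Enabled'
        if (Test-DiagnosticSettingPresent -ResourceId $kv.ResourceId -Keyword $DiagSettingName -WorkspaceId $DestWorkspaceResourceId) {
            $state = 'Skipped'           # already onboarded on an earlier scheduled run
        }
        else {
            try {
                Enable-KeyVaultDiagnostics -ResourceId $kv.ResourceId -SettingName $DiagSettingName `
                    -WorkspaceId $DestWorkspaceResourceId -Categories $KeyVaultLogCategories
            }
            catch { $state = "Failed: $($_.Exception.Message)" }   # e.g. missing RBAC on the workspace, or the five-setting limit
        }
        [pscustomobject]@{ Subscription = $sub.Name; KeyVault = $kv.VaultName; Result = $state }
    }
}
$report | Format-Table -AutoSize
```

The per-resource report is what you want from a scheduled run: "Failed" rows usually mean the SPN lacks the workspace role from step 1.3 in the MSSP tenant, which surfaces as an authorization error on the workspace rather than on the vault.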
3. Expected Result & Log Verification
Once the script has run successfully, diagnostic settings are enabled for Azure Activity and the configured Azure resources, and the logs are shipped to the destination Sentinel workspace in the other tenant.
In the MSSP Microsoft Sentinel workspace, verify that the logs are arriving in the AzureActivity and AzureDiagnostics tables; allow a few minutes after a setting is created before the first records appear.
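An added example for this verification step, not part of the article: a check run from the MSSP side that queries the workspace once and reports, per expected customer subscription, whether AzureActivity and AzureDiagnostics rows have arrived. It assumes an existing Connect-AzAccount session with read access to the MSSP workspace, the Az.OperationalInsights module, and two values that would live in Config.ps1 under assumed names: $DestWorkspaceCustomerId (the workspace's Customer ID GUID, not its ARM resource ID) and $ExpectedSubscriptionIds (the onboarded customer subscription IDs).

```powershell
# Added example (not from the article): ingestion check for the MSSP workspace.
# Assumes an authenticated Az session and the Az.OperationalInsights module.
# Assumed Config.ps1 values: $DestWorkspaceCustomerId (workspace Customer ID GUID),
# $ExpectedSubscriptionIds (string[] of onboarded customer subscription IDs).

function Get-CrossTenantIngestionStatus {
    param(
        [string]$WorkspaceCustomerId,
        [string[]]$ExpectedSubscriptionIds,
        [int]$LookbackHours = 1
    )
    # One KQL query over both tables; union keeps the SubscriptionId column they share.
    $query = @"
union withsource=SourceTable AzureActivity, AzureDiagnostics
| where TimeGenerated > ago(${LookbackHours}h)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by SourceTable, SubscriptionId = tolower(SubscriptionId)
"@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceCustomerId -Query $query

    # Index what the workspace has actually received, keyed by subscription and table.
    $seen = @{}
    foreach ($row in $result.Results) { $seen["$($row.SubscriptionId)|$($row.SourceTable)"] = $row }

    # One line per expected subscription and table. Zero rows means the diagnostic
    # setting exists but nothing arrived (or the resources produced no events in the window).
    foreach ($subId in $ExpectedSubscriptionIds) {
        foreach ($table in 'AzureActivity', 'AzureDiagnostics') {
            $hit = $seen["$($subId.ToLower())|$table"]
            [pscustomobject]@{
                SubscriptionId = $subId
                Table          = $table
                Rows           = $(if ($hit) { [int]$hit.Rows } else { 0 })
                LastSeen       = $(if ($hit) { $hit.LastSeen } else { $null })
                Status         = $(if ($hit) { 'OK' } else { 'NO DATA' })
            }
        }
    }
}

Get-CrossTenantIngestionStatus -WorkspaceCustomerId $DestWorkspaceCustomerId `
    -ExpectedSubscriptionIds $ExpectedSubscriptionIds -LookbackHours 6 |
    Sort-Object Status, SubscriptionId | Format-Table -AutoSize
```

Run it with a lookback of several hours on quiet tenants: AzureActivity only fills when something changes in the subscription, so a short window can report NO DATA for a subscription that is correctly onboarded.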
Sample PowerShell scripts:
scripts/Enabling cross tenant logging using PowerShell script at main · SanthoshSecurity/scripts