
Hi,

 

Recently, I built the Azure Solution Architect Map, aimed at helping Architects find their way in Azure. Given the unexpected success and the very positive feedback I received, I decided to come up with other maps, namely the Azure Security Architect Map, the Azure Infrastructure Architect Map and the Azure Application Architect Map.


The purpose of the Solution Architect Map is to give a high-level view and quick insights about what is available and how to choose between the different services according to functional needs.
It covers a few key areas, mostly about putting in place the foundations of an Azure platform, and cannot go into the details because that would make the map very hard to digest.

 

Today I come with the Azure Security Architect Map:

 

[image: the Azure Security Architect Map]

 

which focuses on security only and goes much deeper into that key area. It is by no means the holy grail, but it should help you make informed decisions on how you plan to use and deploy services and how you will govern your Azure workloads. I bring business drivers such as TTM (time to market), cost optimization and true elasticity into the equation to highlight the consequences of choosing one option over another.

 

The map focuses on the following areas:

  • Network Layer
  • Identity Layer
  • Application Service Layer
  • Application Data
  • Security Posture
  • Keys, Certificates and Secrets Management as well as Encryption capabilities
  • MDM & MAM

How to read this map?

 

Whenever you see the attachment icon, it means that I have attached an explanation of a given rationale or service. If you see a (*) next to a node, it marks information you really should read. So for instance, in the following screenshot:

[screenshot: vnet.png]

 

I want to catch your attention on the following:

[screenshot: attention.png]

The rationales behind certain routes are based on my own experience; they do not represent the only option and should be considered advisory only. So the idea is to review these maps frequently, since the above information is likely to change over the coming months, and I'll simply keep adding notes or remove them when they no longer make sense.

 

The link icon is a pointer to the corresponding Microsoft documentation.

 

With this tool, any Security Architect (Cloud or not) will quickly grasp the security landscape of Azure.

 

Here is the pointer to the map:

 

https://app.mindmapmaker.org/#m:mmc00bf17b40454ecda863046602b7be3e

 

7 Comments
Occasional Visitor

Great mind map Stephan. Would love to see Azure PKI service to be included in Keys, certs when available.

New Contributor

Awesome.... So detailed... Thanks

Occasional Visitor

Hello @stephaneey. Awesome diagram. Would you know what is the best way to collect Azure VM (Windows to start with) logs to a SIEM?

 

Support told me to install the MMA agent on the VM and send it to Log Analytics, but I'm not sure how I could then stream it to Event Hub.

 

I would like to send Windows Security Logs to the SIEM, basically.

 

Is that the recommended approach? Thank you. Appreciate it.

Hello @fn6Dragon,

 

I guess there is no black or white answer here. It all depends on what your company has in terms of existing tools and whether or not they want to leverage Cloud-native solutions. In terms of incident detection/response, Azure Sentinel is now pushed by Microsoft, although at the time of writing (08/2019) it is still in preview and still needs to gain in maturity. Now, if you already have a SIEM like QRadar, you can send all your service logs to Event Hub directly and plug QRadar into Event Hub, since it has a connector for it. This is valid for PaaS & FaaS; for VMs, you do need some agent to be installed (depending on the underlying OS) to collect the logs, send them to Azure Monitor & integrate with QRadar or other similar tools.

 

Best Regards
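The reply above describes the PaaS/FaaS path: service logs go to an Event Hub and the SIEM reads from there. The consumer side of that path is shown below as an added example (not code from the post or from Microsoft): it splits one Event Hub message body shaped like the Azure Monitor resource-log export (a JSON object with a "records" array; the field names are assumed from that schema) into records, drops metric noise, and flattens the audit records into the key/value events a SIEM parser expects. The batch content is constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of one Event Hub message body. The top-level "records"
# array and the per-record fields follow the Azure Monitor resource-log export
# layout as assumed here; subscription id, vault name and IPs are placeholders.
VAULT_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
            "RG-DEMO/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-DEMO")
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2019-08-20T10:15:30.1234567Z", "resourceId": VAULT_ID,
     "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Success", "callerIpAddress": "203.0.113.10"},
    {"time": "2019-08-20T10:16:02.0000000Z", "resourceId": VAULT_ID,
     "category": "AuditEvent", "operationName": "SecretGet",
     "resultType": "Forbidden", "callerIpAddress": "198.51.100.7"},
    # A metrics record: not security-relevant, should not reach the SIEM.
    {"time": "2019-08-20T10:16:05.0000000Z", "resourceId": VAULT_ID,
     "category": "AllMetrics", "operationName": "MetricsSample"},
]})


def parse_batch(body: str) -> list:
    """Split one Event Hub message body into its individual log records."""
    payload = json.loads(body)
    return payload.get("records", [])


def to_siem_event(record: dict) -> dict:
    """Flatten one record into the field set a SIEM parser would key on."""
    # Azure timestamps carry 7 fractional digits; strptime only takes 6,
    # so parse to whole seconds and treat the value as UTC (the trailing Z).
    ts = datetime.strptime(record["time"][:19], "%Y-%m-%dT%H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "timestamp": int(ts.timestamp()),
        "resource": record["resourceId"].rsplit("/", 1)[-1].lower(),
        "category": record["category"],
        "operation": record["operationName"],
        "outcome": record.get("resultType", "Unknown"),
        "src_ip": record.get("callerIpAddress", ""),
    }


def security_events(body: str, categories=("AuditEvent",)) -> list:
    """Keep only the audit categories worth forwarding; drop metrics noise."""
    return [to_siem_event(r) for r in parse_batch(body)
            if r.get("category") in categories]
```

In a real consumer the body string comes from the Event Hub client; the category allow-list is where you decide which diagnostic categories are worth the SIEM ingestion cost.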

Occasional Contributor

This is fantastic! A really great map! Thanks a lot for your effort! :)

Occasional Visitor

@stephaneey hey. Thanks for the reply. I appreciate it. Yes, we use QRadar.

 

Azure service/administrative logs >> Event Hub >> QRadar - this is working fine.

 

Azure VM Windows logs >> Event Hub >> QRadar - what is the MS recommended method? Agent > Azure Monitor > Event Hub > QRadar?

Hello @fn6Dragon ,

 

With VMs you do need an agent to collect the logs, and Azure Monitor is indeed where things should be centralized.