Azure Log Stitching

Established Member

Hello,

Have a hybrid environment, VMs in Azure in various subscriptions, hub contains NVA from vendors as well as LB. We have NAT also. Question is one of SNAT and log stitching to follow the following scenarios:

  1. User logs onto VM, we have UDR to direct them through NVA etc. to get to Internet; along the way we have SNAT, logs from vendors need to be able to be stitched so we can follow the flows.

Trying to think of ways to achieve this, can think of some, but no great one as yet, this cannot be a unique situation, any suggestions please to consider?

1 Reply

Re: Azure Log Stitching

Hi @cpm2710 (https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/609534),

I think that Azure Sentinel, our SIEM product, might be your solution here. For information on how to collect events see here (it does not list all your sources, but is a start):

  - Formal documentation about the built-in connectors (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources)
  - Syslog, CEF and other 3rd party connectors grand list (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Syslog-CEF-and-other-3rd-party-connectors-grand/ba-p/803891)
  - Collecting telemetry from on-prem and IaaS server using the Log Analytics agent (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS/ba-p/811760)
  - Collecting logs from Microsoft Services and Applications (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Collecting-logs-from-Microsoft-Services-and/ba-p/792669)
  - Creating Custom Connectors (https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060)

Then you need to "Stitch", which in the SIEM jargon we call correlate. For that, see those blog posts:

  - Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-active-lists-out-make-list-in/ba-p/1029225)
  - Azure Sentinel correlation rules: the join KQL operator (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500)
  - Implementing Lookups in Azure Sentinel part #1: reference files (https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel-part-1-reference-files/ba-p/1091306)
  - Using KQL functions to speed up analysis in Azure Sentinel (https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381)
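As an added example (not from the thread, and not Microsoft's or any vendor's code), here is the stitching the question asks for written as the KQL join the reply points to, once the NVA, SNAT and logon logs have been ingested into Sentinel. All table and column names are assumptions standing in for whatever your CEF/Syslog or custom connectors produce; the query pivots on the SNAT translation record, and the time window is what stops reused SNAT ports from cross-matching unrelated flows.

```kql
// Hypothetical custom tables and columns (assumptions, not from the thread); rename to match your connectors.
//   NvaFlow_CL        - inside leg: flows the NVA saw before SNAT (private source IP/port)
//   NatTranslation_CL - the SNAT device's translation records (original tuple -> translated tuple)
//   EgressFlow_CL     - outside leg: flows the Internet-facing device saw after SNAT (public source)
//   VmLogon_CL        - logon events on the VMs (user -> VM private IP)
let lookback = 1h;
let skew = 2m;   // tolerated timestamp drift between the three vendors' logs
let nat = NatTranslation_CL
    | where TimeGenerated > ago(lookback)
    | project NatTime = TimeGenerated,
              OrigSrcIp = OrigSrcIp_s, OrigSrcPort = toint(OrigSrcPort_d),
              XlatSrcIp = XlatSrcIp_s, XlatSrcPort = toint(XlatSrcPort_d),
              DstIp = DstIp_s, DstPort = toint(DstPort_d);
let inside = NvaFlow_CL
    | where TimeGenerated > ago(lookback)
    | project InsideTime = TimeGenerated, InsideAction = Action_s,
              OrigSrcIp = SrcIp_s, OrigSrcPort = toint(SrcPort_d),
              DstIp = DstIp_s, DstPort = toint(DstPort_d);
let outside = EgressFlow_CL
    | where TimeGenerated > ago(lookback)
    | project OutsideTime = TimeGenerated, OutsideAction = Action_s,
              XlatSrcIp = SrcIp_s, XlatSrcPort = toint(SrcPort_d),
              DstIp = DstIp_s, DstPort = toint(DstPort_d);
let logons = VmLogon_CL
    | where TimeGenerated > ago(lookback)
    | project LogonTime = TimeGenerated, UserName = UserName_s, OrigSrcIp = PrivateIp_s;
inside
// 1. inside leg -> NAT record, on the original 5-tuple
| join kind=inner nat on OrigSrcIp, OrigSrcPort, DstIp, DstPort
// 2. NAT record -> outside leg, on the translated 5-tuple
| join kind=inner outside on XlatSrcIp, XlatSrcPort, DstIp, DstPort
// SNAT ports are reused, so a tuple is not unique over the lookback: keep only legs whose
// timestamps sit within the skew window of the NAT record that links them
| where abs(NatTime - InsideTime) <= skew and abs(OutsideTime - NatTime) <= skew
// 3. private source IP -> the most recent logon on that VM before the flow started
| join kind=inner logons on OrigSrcIp
| where LogonTime <= InsideTime
| summarize arg_max(LogonTime, *) by InsideTime, OrigSrcIp, OrigSrcPort, DstIp, DstPort
| project InsideTime, UserName, OrigSrcIp, OrigSrcPort, XlatSrcIp, XlatSrcPort,
          DstIp, DstPort, InsideAction, OutsideAction
| order by InsideTime desc
```

Protocol is left out of the join keys because not every vendor logs it; add it where yours do, and prefer a connection or session ID as the key wherever the SNAT device emits one, since that removes the port-reuse ambiguity entirely.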