Application Level Security Monitoring

Hi Team,

I have a scenario where the application is running on top of web apps and the respective application-level logs are getting stored in a SQL database (PaaS) in specific tables. My requirement is to collect the logs from the database and then ingest them into a Log Analytics workspace for identifying critical / anomalous / malicious activities.

What would be the best way to achieve this?

Thoughts I have in mind are using a Logic App (I think it's possible but expensive) / Function App (not sure).

6 Replies

@Pavan_Gelli1910 How we do this is we query the DBs for the data and we upload the data via API. We use this script to perform the upload: PowerShell Gallery | Upload-AzMonitorLog 1.2.

This just runs as a scheduled task on the server to upload the data.

@Pavan_Gelli1910

Hi

Why don't you simply leverage Azure Defender for App Service? Even if your app is not running on App Service you can still leverage security events in Defender or Sentinel to get notified and prepare your response at the right time.

https://docs.microsoft.com/fr-fr/azure/security-center/defender-for-app-service-introduction

You can also leverage the application security detection pack by using Application Insights:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/proactive-application-security-detection-pa...

Here is my understanding. Please correct me if I'm wrong:
1. You're manually picking the logs from SQL PaaS and dumping those logs on a server (Windows/Linux).
2. On one server (where the dumped SQL logs are residing) you're scheduling a task to send the logs to LA via the DC API using a PS script.
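
The query-then-upload path described in the reply above and restated in these two steps, as an added example written for this thread (it is not the thread's own code and not the Upload-AzMonitorLog script). It pulls only rows newer than a stored watermark from the application's log table, then builds the signed POST that the Log Analytics HTTP Data Collector API expects (SharedKey authorization over an HMAC-SHA256 of the request metadata). Assumptions: SQLite stands in for the Azure SQL (PaaS) table so it runs offline, the table and column names (`app_log`, `event_time`, `user_name`, ...) and the sample rows are constructed, and the workspace ID and shared key are placeholders; the request is built but not sent.

```python
"""Added example: incremental pull of application log rows and a signed
Data Collector API request. SQLite stands in for the SQL PaaS table; the
workspace ID and shared key below are placeholders, not real values."""
import base64
import hashlib
import hmac
import json
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Placeholders. The shared key grants write access to the workspace, so a real
# script should read it from a secret store or protected config, never hard-code it.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key").decode()  # portal keys are base64 too
LOG_TYPE = "AppSecurityLog"  # lands in the AppSecurityLog_CL custom table

# Constructed sample of what the application writes to its log table.
SAMPLE_ROWS = [
    (1, "2021-02-22T09:00:01Z", "alice", "login", "success", "203.0.113.10"),
    (2, "2021-02-22T09:00:05Z", "alice", "login", "failure", "203.0.113.10"),
    (3, "2021-02-22T09:00:07Z", "bob", "export_report", "success", "198.51.100.7"),
]


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's log table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_log (id INTEGER PRIMARY KEY, event_time TEXT, "
        "user_name TEXT, action TEXT, outcome TEXT, client_ip TEXT)"
    )
    conn.executemany("INSERT INTO app_log VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_new_rows(conn: sqlite3.Connection, last_id: int, batch: int = 500) -> list:
    """Incremental pull keyed on the increasing id, so reruns never re-ingest old rows."""
    cur = conn.execute(
        "SELECT id, event_time, user_name, action, outcome, client_ip "
        "FROM app_log WHERE id > ? ORDER BY id LIMIT ?",
        (last_id, batch),
    )
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, r)) for r in cur.fetchall()]


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API signs: method, length, type, date header, resource."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_signature(shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    """Base64(HMAC-SHA256(decoded shared key, string_to_sign))."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(rows: list, rfc1123_date: Optional[str] = None) -> dict:
    """Return URL, headers and JSON body for one POST to the workspace; nothing is sent here."""
    body = json.dumps(rows).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    sig = build_signature(SHARED_KEY, len(body), rfc1123_date)
    return {
        "url": f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"SharedKey {WORKSPACE_ID}:{sig}",
            "Log-Type": LOG_TYPE,
            "x-ms-date": rfc1123_date,
            "time-generated-field": "event_time",  # keep the app's own timestamp as TimeGenerated
        },
        "body": body,
    }


def run_once(conn: sqlite3.Connection, last_id: int):
    """One scheduled-task iteration: fetch new rows, build the request, return the new watermark."""
    rows = fetch_new_rows(conn, last_id)
    if not rows:
        return None, last_id
    req = build_request(rows)
    # Production: POST req["url"] with req["headers"] and req["body"], and persist the
    # watermark only after a 200 OK so a failed upload is retried on the next run.
    return req, rows[-1]["id"]


if __name__ == "__main__":
    db = make_sample_db()
    req, wm = run_once(db, last_id=0)
    print(req["headers"]["Authorization"][:40], "... rows:", len(json.loads(req["body"])), "watermark:", wm)
```

The watermark is the part that matters operationally: a scheduled task that re-reads the whole table produces duplicate rows in the custom table and inflates ingestion cost, while a watermark that is advanced before the upload succeeds silently drops events. Persist it to disk or a small state table, and advance it only after the API acknowledges the batch.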

I'm using Azure Defender for App Service also. But I have a requirement to build some custom correlation rules using the logs generated by the application.
I would recommend using Application Insights, which saves the data into Log Analytics and can be easily integrated to save all the logs that the application produces
Hi
You can leverage workspace-based resources to have custom logs and custom queries. I think it's the best way to do it unless the specified logs you want are not supported by App Insights.
The doc says:
Workspace-based resources support full integration between Application Insights and Log Analytics. You can now choose to send your Application Insights telemetry to a common Log Analytics workspace, which allows you full access to all the features of Log Analytics while keeping application, infrastructure, and platform logs in a single consolidated location.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource