Application Level Security Monitoring

%3CLINGO-SUB%20id%3D%22lingo-sub-2155683%22%20slang%3D%22en-US%22%3EApplication%20Level%20Security%20Monitoring%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2155683%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20scenario%20where%20the%20application%20is%20running%20on%20top%20of%20webapps%20and%20respective%20application%20level%20logs%20are%20getting%20stored%20in%20sql%20database%20(paas)%20on%20specific%20tables.%20My%20requirement%20is%20to%20collect%20the%20logs%20from%20database%20and%20then%20ingest%20into%20log%20analytics%20workspace%20for%20identifying%20the%20critical%20%2F%20anomalous%20%2Fmalicious%20activities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20would%20be%20the%20best%20way%20to%20achieve%20this%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThoughts%20i%20have%20in%20my%20mind%20is%20using%20logic%20app(i%20think%20its%20possible%20but%20expensive%20)%20%2F%20function%20app%20(Not%20sure)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2156524%22%20slang%3D%22en-US%22%3ERe%3A%20Application%20Level%20Security%20Monitoring%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2156524%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F492724%22%20target%3D%22_blank%22%3E%40Pavan_Gelli1910%3C%2FA%3E%26nbsp%3BHow%20we%20do%20this%20is%20we%20query%20the%20dbs%20for%20the%20data%20and%20we%20upload%20the%20data%20via%20API.%20We%20use%20this%20script%20to%20perform%20the%20upload%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.powershellgallery.com%2Fpackages%2FUpload-AzMonitorLog%2F1.2%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EPowerShell%20Gallery%20%7C%20Upload-AzMonitorLog%201.2%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20just%20runs%20as%20a%20scheduled%20task%20on%20the%20server%20to%20upload%20the%20data.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi Team,

 

I have scenario where the application is running on top of webapps and respective application level logs are getting stored in sql database (paas) on specific tables. My requirement is to collect the logs from database and then ingest into log analytics workspace for identifying the critical / anomalous /malicious activities.

 

What would be the best way to achieve this? 

 

Thoughts i have in my mind is using logic app(i think its possible but expensive ) / function app (Not sure)

 

4 Replies

@Pavan_Gelli1910 How we do this is we query the dbs for the data and we upload the data via API. We use this script to perform the upload: PowerShell Gallery | Upload-AzMonitorLog 1.2.

 

This just runs as a scheduled task on the server to upload the data.

@Pavan_Gelli1910 

 

Hi 

 

Why don't you simply leverage Azure Defender for App  Service ?  Even if your app is not  running  on app service you can still leverage security events in Defender or Sentinel to get notified and prepare your response at the right time 

https://docs.microsoft.com/fr-fr/azure/security-center/defender-for-app-service-introduction

 

You can also leverage application security detection pack  by using application insights :

https://docs.microsoft.com/en-us/azure/azure-monitor/app/proactive-application-security-detection-pa...

Here is my understand. Please correct me if im wrong
1. Your manually picking the logs from sql paas and dumping those logs in a server (windows/linux)
2. On one server(where the dumped sql logs are residing) your scheduling a task to send logs to LA via DC API using PS script
im using the Azure Defender for App service also. But, I have requirement to build some custom correlation rules using the logs generated by the application.