This is part of a series of blogs on connectors. You might find what you are looking for also here:
- Syslog, CEF, Logstash and other 3rd party connectors grand list
- Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server
- Creating Custom Connectors
In this blog post:
- The Azure Monitor collection framework
- How to connect Azure resources to Azure Sentinel
- Understanding the Azure monitor schema
- Collecting from specific Microsoft and Azure sources
Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed in the Sentinel's connector page and documentation. However, Sentinel can collect logs from most Azure services and other Microsoft products, even when not listed above.
The Azure Monitor collection framework
Azure Monitor, and its Log Analytics module, is the underlying log management platform powering Azure Sentinel. As such, any source that sends logs to Azure Monitor or Log Analytics supports inherently Azure Sentinel. Most Azure and Microsoft solutions support sending telemetry to Azure monitor. You can read more about Azure Monitor collection here: "Collect Azure platform logs in Log Analytics workspace in Azure Monitor."
How can I collect from a supported Azure source?
The following provides a guide as to how to connect each resource using the portal to Log Analytics/Azure Sentinel. The actual portal flow may differ from resource to resource.
To log a service to Sentinel, pick the service (1), select "Activity Log" from the menu (2), and then click the "Logs" button (3). Note that on this screen, before pressing "Logs," you can review the information that will be sent to Sentinel.
On the next screen, click "Add," then "Select workspace," and select the Sentinel workspace. In some cases, the service provides diagnostic telemetry but not audit logs. In such cases, use "Diagnostic settings" instead of "Activity Log" and select "Add diagnostic setting." Some sources do not use the method outlined above, and the instructions below would help,
Understanding and using the events
You can read more about the structure of the events received by Azure Monitor here. The telemetry may be stored in the AzureDiagnostics table or in a dedicated table depending on the mode used by the source.
Each event will include several standard fields such as time, Resource Id, and Tenant ID as described here, as well as per resource fields. Several standard fields available in each Log Analytics table and not just Azure resource tables such as TimeGenerated, Type, and billing information are listed here.
Also, you can find a full reference - still under construction - to the Azure Monitor table schema for all sources, not just Azure ones, here. The Azure Monitor GitHub contains queries and workbooks for many Azure services that can provide a starting point for understanding the logs sent by them.
The Big List
Azure Services
- App Services and Web Application monitoring - goes beyond how to connect instructions and provides a reference architecture that can be extended from operational to security monitoring using Sentinel.
- Azure Activity - you can collect Azure Activity using the built-in connector, however it is recommended to connect through the subscription diagnostic settings in a similar manner the one described above. This will ensure lower latency and broader collection. You can find the Azure Activity schema here.
- Azure AD Domain Services:
- Azure B2C - collect B2C logs from your B2C tenant to your primary tenant AAD logs as described here. Note that this uses Azure Lighthouse to send diagnostics across tenant boundaries and they will show in the same tables in Sentinel, however the local AAD connector will not show as connected (unless also connected).
- Azure B2B - included as part of AAD events
- Application Insights:
- Azure Data Lake Storage Gen1:
- Azure DDOS
- Azure Databricks
- Azure Firewall:
- Azure Front Door
- Azure Key Vault (AKV)
- Azure Kubernetes Service (AKS):
- Blog post: Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel
- Documentation: Enable Azure Monitor for containers (AKS)
- Azure Logic Apps
- Azure Management groups activity logs:
- Azure NSG:
- Azure Security Center (ASC)
- Azure Sentinel has a built-in connector for getting ASC alerts. You may also want to review ASC alert list and alert schema.
- Use ASC's continous export feature to get ASC's recommendations to Sentinel.
- Azure SQL Audit log
- Azure Site Recovery
- Azure Storage
- Setting up diagnostics
- Custom collection using an Azure function and Hunting use cases (based on the custom collection)
- Azure WAF:
- Cosmos DB
- Log Analytics - collect query auditing and other metrics
Modern Workplace, servers and workstations
- Desktop Analytics - Just use your Sentinel workspace when configuring Desktop Analytics
- Intune
- SCCM
- Windows Virtual Desktop:
- Setup diagnostics using the portal and sampels queries
- Setup diagnostics using PowerShell and Sample queries
- Common error codes
- Blog post covering connecting and using: Monitoring Windows Virtual Desktop environments
For additional collection capabilities from servers and workstations, read about collecting using the Log Analytics agent.
Office and Power Apps
- Office 365 SharePoint, OneDrive and Exchange using the built in connector
- The connector collects data in the SharePoint and Exchange schemas (and related Common schema) of the Office Management Activity API
- Other Office 365 workloads including PowerBI, Tammer, Sway, Forms and others:
- Use Either a Logic App or an Azure function custom connector
- Microsoft Cloud App Security
- Alerts and discovery logs are supported out of the box
- Use CEF for activity log as described here.
- Office 365 DLP alerts:
- supported as part of the built-in Office 365 connect. See details here.
- Teams:
- Use the built in Office 365 connector, or use custom connectors for special use cases: Logic Apps or Azure Functions
- Collect Teams call logs using Logic Apps
- Hunting use cases
- Graph Visualization of External MS Teams Collaborations
- Understand the schema
-
Expanding Microsoft Teams Log Data in Azure Sentinel:
- Extracting Teams file sharing information
- Mapping Teams logs to Teams call records
- Merging Teams logs with sign in activity to detect anomalous actions
Devevelopment tools
- Azure DevOps (The telemtry is stored in AzureDevOpsAuditing)
- GitHub: Logic Apps based collector, detection and hunting queries
On-prem an IaaS using the Microsoft Log Analytics agent
For more information on using the agent and this sources, refer to Azure Sentinel Agent: Collecting from servers and workstations, on-prem and in the cloud.
- Active Directory (using Security Events below)
- IIS logs
- Microsoft DNS servers (built-in connector)
- Windows Firewall (built-in connector)
- Windows Security Events (built-in connector)
- Also read about Enriching Windows Security Events with Parameterized Function
- Other Windows Events, including Sysmon
- SQL Server (Using Windows Events above)
- VM Insights: network connections, open ports, processes, and general computer information (Schema, Sample queries)
- Wire Data: sFlow-like data collected by the agent (being replaced by VM Insights above)
The Windows firewall writes logs to files which are collected and sent by the agent when files are rotated. This leads to additional collections latency, which can be controlled by changing the log file size as described here.