Azure Sentinel: Collecting logs from Microsoft Services and Applications

%3CLINGO-SUB%20id%3D%22lingo-sub-792669%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%3A%20Collecting%20logs%20from%20Microsoft%20Services%20and%20Applications%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-792669%22%20slang%3D%22en-US%22%3E%3CDIV%3E%0A%3CP%3E%3CSPAN%3EAzure%20Sentinel%20supports%20collecting%20telemetry%20from%20a%20wide%20array%20of%20Microsoft%20sources.%20Some%20of%20them%20are%20listed%20in%20the%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-data-sources%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel's%20connector%20page%3C%2FA%3E%3CSPAN%3Eand%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-data-sources%23data-connection-methods%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%3CSPAN%3E.%20However%2C%20Sentinel%20can%20collect%20logs%20from%20most%20Azure%20services%2C%20even%20when%20not%20listed%20above.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ETo%20log%20a%20service%20to%20Sentinel%2C%20pick%20the%20service%20(1)%2C%20select%20%22Activity%20log%22%20from%20the%20menu%20(2)%2C%20and%20then%20click%20the%20%22Logs%22%20button%20(3).%20Note%20that%20in%20this%20screen%2C%20before%20pressing%20%22Logs%22%20you%20can%20review%20the%20information%20that%20will%20be%20sent%20to%20Sentinel.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F125969iADEB9E1E72AC8E6B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-08-07%2012_04_38-Clipboard.png%22%20title%3D%222019-08-07%2012_04_38-Clipboard.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CP%3E%3CSPAN%3EOn%20the%20next%20screen%2C%20click%20%22Add%22%2C%20then%20%22Select%20workspace%22%20and%20select%20the%20Sentinel%20workspace.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20some%20cases%2C%20the%20service%20provides%20diagnostic%20telemetry%20but%20not%20audit%20logs.%20The%20diagnostic%20telemetry%20is%20usually%20geared%20towards%20operations%20rather%20than%20security%20monitoring%20but%20in%20most%20cases%20will%20be%20useful%20also%20for%20security%20monitoring.%20In%20such%20cases%20use%20%22Diagnostic%20settings%22%20instead%20of%20%22Activity%20log%22%20and%20select%20%22Add%20diagnostic%20setting%22.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYou%20can%20find%20detailed%20further%20instructions%20for%20some%20services%20here.%20Note%20that%20some%20of%20them%20do%20not%20use%20the%20method%20outlined%20above%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fapp-service-web-app%2Fapp-monitoring%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EApp%20Services%20and%20Web%20Application%20monitoring%3C%2FA%3E%20-%20goes%20beyond%20how%20to%20connect%20instructions%20and%20provides%20a%20reference%20architecture%20that%20can%20be%20extended%20from%20operational%20to%20security%20monitoring%20using%20Sentinel.%3C%2FLI%3E%0A%3CLI%3EAzure%20Activity%20-%20you%20can%20collect%20Azure%20Activity%20using%20the%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoft.sharepoint.com%2F%3Ap%3A%2Fr%2Fteams%2FCXESecurityPartnerNDAchannel%2FShared%2520Documents%2FGeneral%2FEnablement%2FAzure%2520Arc%2FAzure%2520Arc%2520overview.pptx%3Fd%3Dw90de79a9c6964fc7a4b35a3f90f8e0bb%26amp%3Bcsf%3D1%26amp%3Be%3Dqt4Hdg%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ebuilt-in%20connector%3C%2FA%3E%2C%20however%20it%20is%20recommended%20to%20connect%20through%20the%20subscription%20diagnostic%20settings%20in%20a%20similar%20manner%20the%20one%20described%20above.%20This%20will%20ensure%20lower%20latency%20and%20broader%20collection.%3C%2FLI%3E%0A%3CLI%3EAzure%20B2C%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FAzure-Sentinel-Azure-B2C%2Fm-p%2F645077%23M311%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Eincluded%20as%20part%20of%20AAD%20events%3C%2FA%3E.%20Note%20that%20B2C%2C%20which%20is%20not%20part%20of%20a%20subscription%2C%20has%20to%20be%20linked%20to%20a%20subscription%20in%20the%20tenant%20in%20which%20Sentinel%20exists.%3C%2FLI%3E%0A%3CLI%3EAzure%20B2B%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fauditing-and-reporting%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eincluded%20as%20part%20of%20AAD%20events%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EApplication%20Insights%3A%20use%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fcross-workspace-query%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Equeries%20across%20workspaces%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-network%2Fmanage-ddos-protection%23configure-ddos-attack-mitigation-reports%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20DDOS%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fdatabricks-monitoring%2Fapplication-logs%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Databricks%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Ftutorial-diagnostics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Firewall%3C%2FA%3E%2C%20plus%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffirewall%2Flog-analytics-samples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esample%20queries%3C%2FA%3E%26nbsp%3Band%20a%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FDashboards%2FAzure_Firewall.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESentinel%20dashboard%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ffrontdoor%2Ffront-door-diagnostics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Front%20Door%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Finsights%2Fazure-key-vault%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Key%20Vault%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.serverlessnotes.com%2Fdocs%2Fazure-logic-apps-insights-using-log-analytics%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Logic%20Apps%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EAzure%20NSG%3A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fnetwork-watcher%2Ftraffic-analytics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EFlow%20logs%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-network%2Fvirtual-network-nsg-manage-log%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERule%20activation%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-auditing%23subheading-2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20SQL%20Audit%20log%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsite-recovery%2Fmonitor-log-analytics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Site%20Recovery%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fes-es%2Fblog%2Fquery-azure-storage-analytics-logs-in-azure-log-analytics%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Storage%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EDesktop%20Analytics%20-%20Just%20use%20your%20Sentinel%20workspace%20when%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsccm%2Fdesktop-analytics%2Ftutorial-windows10%23set-up-desktop-analytics%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Econfiguring%20Desktop%20Analytics%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Freview-logs-using-azure-monitor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EIntune%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EMicrosoft%20Cloud%20App%20Security%3CUL%3E%0A%3CLI%3EAlerts%20and%20discovery%20logs%20are%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-cloud-app-security%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Esupported%20out%20of%20the%20box%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EUse%20CEF%20for%20activity%20log%20as%20described%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FIngest-Box-com-activity-events-via-Microsoft-Cloud-App-Security%2Fba-p%2F1072849%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EOffice%20365%20DLP%20alerts%3A%20supported%20as%20part%20of%20the%20built-in%20Office%20365%20connect.%20See%20details%20here.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fcollect-sccm%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESCCM%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Frelational-databases%2Fsecurity%2Fauditing%2Fwrite-sql-server-audit-events-to-the-security-log%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESQL%20Server%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-792669%22%20slang%3D%22en-US%22%3E%3CP%3EEver%20wondered%20how%20to%20connect%20Azure%20Estate%2C%20Azure%20PaaS%20services%20or%20even%20Intune%20telemetry%20to%20Azure%20Sentinel%3F%20Learn%20how%20to%20do%20it%20here.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-792669%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConnectors%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

Azure Sentinel supports collecting telemetry from a wide array of Microsoft sources. Some of them are listed in the Sentinel's connector page and documentation. However, Sentinel can collect logs from most Azure services, even when not listed above.

To log a service to Sentinel, pick the service (1), select "Activity log" from the menu (2), and then click the "Logs" button (3). Note that in this screen, before pressing "Logs" you can review the information that will be sent to Sentinel.

2019-08-07 12_04_38-Clipboard.png

On the next screen, click "Add", then "Select workspace" and select the Sentinel workspace.

In some cases, the service provides diagnostic telemetry but not audit logs. The diagnostic telemetry is usually geared towards operations rather than security monitoring but in most cases will be useful also for security monitoring. In such cases use "Diagnostic settings" instead of "Activity log" and select "Add diagnostic setting".

You can find detailed further instructions for some services here. Note that some of them do not use the method outlined above:

App Services and Web Application monitoring - goes beyond how to connect instructions and provides a reference architecture that can be extended from operational to security monitoring using Sentinel.
Azure Activity - you can collect Azure Activity using the built-in connector, however it is recommended to connect through the subscription diagnostic settings in a similar manner the one described above. This will ensure lower latency and broader collection.
Azure B2C - included as part of AAD events. Note that B2C, which is not part of a subscription, has to be linked to a subscription in the tenant in which Sentinel exists.
Azure B2B - included as part of AAD events
Application Insights: use queries across workspaces
Azure DDOS
Azure Databricks
Azure Firewall, plus sample queries and a Sentinel dashboard
Azure Front Door
Azure Key Vault
Azure Logic Apps
Azure NSG:
- Flow logs
- Rule activation
Azure SQL Audit log
Azure Site Recovery
Azure Storage
Desktop Analytics - Just use your Sentinel workspace when configuring Desktop Analytics
Intune
Microsoft Cloud App Security
- Alerts and discovery logs are supported out of the box
- Use CEF for activity log as described here.
Office 365 DLP alerts: supported as part of the built-in Office 365 connect. See details here.
SCCM
SQL Server

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment