SOLVED

Azure Cloud integration with SIEM Tools

Copper Contributor

Hi Everyone, 

I am currently researching on SIEM tools that could be integrated with Azure cloud. Are there any SIEM tools that could be integrated with Azure cloud in providing monitoring solution? If yes could anyone elaborate on how it is done and what are all the costs to be considered when setting up the solution using the SIEM tool. (VMs, Configuration, Storage and data, Hosting, Installation, Maintenance and upgrades)

Thank you :)

10 Replies

Hello, @Akshaya_Kumar 

 

Is there any specific requirement to look for a SIEM tool that integrates with Azure cloud rather using the monitoring services provided by Azure? like Azure monitor and sentinel ?

Yes. I know Azure sentinel can provide such service. I wanna know if there is any way we can use ArcSight or Splunk for that and integrate with Azure Cloud to do so. Any other SIEM tool other than the above 2 would also help. Earlier Arcsight could be integrated with Azure using Skyformation but its support will end soon and I wanna know if there is any other way to do so.

@Akshaya_Kumar 

 

Hi, actually there are many tools that can integrates with Azure monitor, among arcsight, splunk, dynatrace.

 

check the information in the following article to get more details about each integration status.

https://azure.microsoft.com/en-us/blog/use-azure-monitor-to-integrate-with-siem-tools/

 

Regards,

Charbel Hanna

Thank you@Charbelhanna .

I have checked that blog already. 

When integrating Splunk or Any other tool what are all the costs we should consider other than Virtual Machines and Event Hub? 

 

Thank You

@Akshaya_Kumar 

 

These are main costs that you think of, including the required infrastructure components, like storage, bandwidth and so on.

 

hope this answers your question.

Charbel Hanna

best response confirmed by Akshaya_Kumar (Copper Contributor)
Solution

@Akshaya_Kumar In order for you to evaluate 3rd party SIEM tools (like Splunk etc) to ingest data from Azure, you need to think what all you will ingest. You can categorize data sources into 3 buckets:

1.) Azure platform data: logs from O365, AAD, Activity logs etc fall into this bucket

2.) Azure reource data: this is where you diagnostic data from VMs etc will come from

3.) Finally you need to think of guest OS data like security logs, syslog etc

 

All this data need to be quantified as Splunk or any tool for that matter will charge you on data ingested per day. This is needed for not only licensing for SIEM tools but for Azure Event Hub where the data will hit before getting forwarded to SIEM tool. If you want to use Splunk, there is a Azure monitor addon for Splunk that can gather data from Azure event hub. Check Azure price calculator for Event hub costing. If you are hosting SIEM on azure, there will be IaaS, disk cost etc. 

 

Hope this helps

Yeah. Thank you.

Hi @Akshaya_Kumar,

 

wanted to check if you still need any additional information in this respect, otherwise if you would mark a reply as an answer.

 

Thank you in advance,

Charbel Hanna

Thank you for your response. Could you help me in explaning the possible changes to be made by the organisation when they use SIEM tools like Arcsight or Splunk and Changes to be made when using Azure sentinel? What would be the Configuration time and installation time involved? with the
data being stored in Azure.

Thank you
Previously there was a connector called Skyformation which helped to integrate Arcsight with Azure and I heard the support would end soon. Is there any other way to integrate it now?
If yes what all should the organization consider interms of cost , risks , issues when using Azure Sentinel or any other SIEM tool.
1 best response

Accepted Solutions
best response confirmed by Akshaya_Kumar (Copper Contributor)
Solution

@Akshaya_Kumar In order for you to evaluate 3rd party SIEM tools (like Splunk etc) to ingest data from Azure, you need to think what all you will ingest. You can categorize data sources into 3 buckets:

1.) Azure platform data: logs from O365, AAD, Activity logs etc fall into this bucket

2.) Azure reource data: this is where you diagnostic data from VMs etc will come from

3.) Finally you need to think of guest OS data like security logs, syslog etc

 

All this data need to be quantified as Splunk or any tool for that matter will charge you on data ingested per day. This is needed for not only licensing for SIEM tools but for Azure Event Hub where the data will hit before getting forwarded to SIEM tool. If you want to use Splunk, there is a Azure monitor addon for Splunk that can gather data from Azure event hub. Check Azure price calculator for Event hub costing. If you are hosting SIEM on azure, there will be IaaS, disk cost etc. 

 

Hope this helps

View solution in original post