Forum Discussion

Akshaya_Kumar's avatar
Akshaya_Kumar
Copper Contributor
May 11, 2020

Azure Cloud integration with SIEM Tools

Hi Everyone,  I am currently researching on SIEM tools that could be integrated with Azure cloud. Are there any SIEM tools that could be integrated with Azure cloud in providing monitoring solution?...
azure
  • Pranav Holavanahalli's avatar
    Pranav Holavanahalli
    May 13, 2020

    Akshaya_Kumar In order for you to evaluate 3rd party SIEM tools (like Splunk etc) to ingest data from Azure, you need to think what all you will ingest. You can categorize data sources into 3 buckets:

    1.) Azure platform data: logs from O365, AAD, Activity logs etc fall into this bucket

    2.) Azure reource data: this is where you diagnostic data from VMs etc will come from

    3.) Finally you need to think of guest OS data like security logs, syslog etc

     

    All this data need to be quantified as Splunk or any tool for that matter will charge you on data ingested per day. This is needed for not only licensing for SIEM tools but for Azure Event Hub where the data will hit before getting forwarded to SIEM tool. If you want to use Splunk, there is a Azure monitor addon for Splunk that can gather data from Azure event hub. Check Azure price calculator for Event hub costing. If you are hosting SIEM on azure, there will be IaaS, disk cost etc. 

     

    Hope this helps

Akshaya_Kumar's avatar
Akshaya_Kumar
Copper Contributor

Thank youCharbelhanna .

I have checked that blog already. 

When integrating Splunk or Any other tool what are all the costs we should consider other than Virtual Machines and Event Hub? 

 

Thank You

Pranav Holavanahalli's avatar
Pranav Holavanahalli
Icon for Microsoft rankMicrosoft
May 13, 2020

Akshaya_Kumar In order for you to evaluate 3rd party SIEM tools (like Splunk etc) to ingest data from Azure, you need to think what all you will ingest. You can categorize data sources into 3 buckets:

1.) Azure platform data: logs from O365, AAD, Activity logs etc fall into this bucket

2.) Azure reource data: this is where you diagnostic data from VMs etc will come from

3.) Finally you need to think of guest OS data like security logs, syslog etc

 

All this data need to be quantified as Splunk or any tool for that matter will charge you on data ingested per day. This is needed for not only licensing for SIEM tools but for Azure Event Hub where the data will hit before getting forwarded to SIEM tool. If you want to use Splunk, there is a Azure monitor addon for Splunk that can gather data from Azure event hub. Check Azure price calculator for Event hub costing. If you are hosting SIEM on azure, there will be IaaS, disk cost etc. 

 

Hope this helps

  • Akshaya_Kumar's avatar
    Akshaya_Kumar
    Copper Contributor
    May 13, 2020
    Yeah. Thank you.
    • Charbelhanna's avatar
      Charbelhanna
      Brass Contributor
      May 13, 2020

      Hi Akshaya_Kumar,

       

      wanted to check if you still need any additional information in this respect, otherwise if you would mark a reply as an answer.

       

      Thank you in advance,

      Charbel Hanna

  • Akshaya_Kumar's avatar
    Akshaya_Kumar
    Copper Contributor
    May 13, 2020
    Previously there was a connector called Skyformation which helped to integrate Arcsight with Azure and I heard the support would end soon. Is there any other way to integrate it now?
    If yes what all should the organization consider interms of cost , risks , issues when using Azure Sentinel or any other SIEM tool.

Resources