Azure Sentinel – How to Audit Management Groups

Published Jul 15 2021 12:00 AM 2,707 Views
Microsoft

 

Hi folks!!

Simone is back to you.

Most of you probably know that when you enable the Azure Activity connector in the Azure Sentinel Data connectors blade, almost every audit log generated by Azure resources is saved in the AzureActivity table.

Well, almost does not mean all :) The connector (and the portal) only lets us manage the subscription level, so audit events that are logged at the Tenant Root management group rather than inside a subscription are not collected by the Azure Sentinel collectors by default.

For example, operations of the Microsoft.Management resource provider that happen at root scope, such as the creation, move or deletion of subscriptions, never reach the table.

To bring these logs under control we configure a diagnostic setting on the management group itself through the Azure Monitor REST API, following the steps below:

  1. Under Management groups, take the Tenant Root Group ID (ManagementGroupID) and its name. The root group ID is the same value as your tenant ID.

  2. Open the link Management Group Diagnostic Settings - Get - REST API (Azure Monitor) | Microsoft Docs and use Try it to read the current setting of the tenant root group.

  3. Sign in, fill in the fields with the ManagementGroupID and the setting name, and click RUN at the bottom of the page. A 404 response only means that no setting exists yet.

  4. Now we create or update the diagnostic setting from Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Docs: click Try it.

  5. Fill in the fields with the ManagementGroupID and the name, as already done in step 3.

  6. Copy the JSON template from this link: Resource Manager template samples for diagnostic settings - Azure Monitor | Microsoft Docs.

  7. Modify the destination (Log Analytics workspace, Event Hub or Storage Account) and define the categories you wish to collect. At management group scope the only categories are Administrative and Policy, and we want both.

  8. If you do not need a destination or category, delete its lines rather than leaving placeholders behind.

  9. Paste the JSON into the "body" box and click RUN. Note that the template sample uses [parameters(...)] placeholders: for the REST call replace them with real values (the workspace is referenced by its full resource ID). The setting name already travels in the URL, so only the properties object is needed in the body:

        {
            "properties": {
                "workspaceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>",
                "logs": [
                    {
                        "category": "Administrative",
                        "enabled": true
                    },
                    {
                        "category": "Policy",
                        "enabled": true
                    }
                ]
            }
        }

A 200 response with the setting echoed back confirms it is in place; from then on the management-group operations show up in the AzureActivity table of the workspace.
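The same procedure scripted with the Az PowerShell module, as an added example that is not code from the original post nor from the script linked below. It reads the current setting (steps 2-3), creates or updates it with the Administrative and Policy categories going to a workspace (steps 4-9), then reads it back and fails if either category is off or the destination is wrong. It assumes you have run Connect-AzAccount with an identity allowed to write diagnostic settings on the root management group, that $WorkspaceId is the full resource ID of your Sentinel workspace, and the setting name SentinelMGAudit is an arbitrary label chosen here.

```powershell
<#
Added example (not from the original post or the linked script).
Enables and verifies the diagnostic setting on the Tenant Root Group using
Invoke-AzRestMethod from Az.Accounts. Assumptions: Connect-AzAccount already
done with rights on the root management group; $WorkspaceId is the full
workspace resource ID; 'SentinelMGAudit' is an arbitrary setting name.
Usage:  .\Enable-RootMgAudit.ps1 -WorkspaceId '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>'
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $WorkspaceId,
    [string] $SettingName = 'SentinelMGAudit',
    # The Tenant Root Group ID is the tenant ID of the signed-in context.
    [string] $ManagementGroupId = (Get-AzContext).Tenant.Id
)

$ErrorActionPreference = 'Stop'
# API version of the management-group diagnostic settings operations.
$apiVersion = '2020-01-01-preview'
$path = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId" +
        "/providers/microsoft.insights/diagnosticSettings/$SettingName" +
        "?api-version=$apiVersion"

# Steps 2-3 of the post: read what is there. Invoke-AzRestMethod does not throw
# on non-2xx codes, so a 404 (nothing configured yet) is handled explicitly.
$current = Invoke-AzRestMethod -Method GET -Path $path
if ($current.StatusCode -eq 200) {
    $cats = ($current.Content | ConvertFrom-Json).properties.logs |
            Where-Object { $_.enabled } | ForEach-Object { $_.category }
    Write-Host "Existing setting '$SettingName' enables: $($cats -join ', ')"
} elseif ($current.StatusCode -ne 404) {
    throw "GET $path returned $($current.StatusCode): $($current.Content)"
}

# Steps 4-9: create or update. Only Administrative and Policy exist at this scope;
# the REST body carries just the properties object, the name is in the URL.
$body = @{
    properties = @{
        workspaceId = $WorkspaceId
        logs = @(
            @{ category = 'Administrative'; enabled = $true },
            @{ category = 'Policy';         enabled = $true }
        )
    }
} | ConvertTo-Json -Depth 5

$put = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($put.StatusCode -notin 200, 201) {
    throw "PUT $path returned $($put.StatusCode): $($put.Content)"
}

# Verification: read the setting back and fail loudly on any gap, so a run that
# silently left a category disabled cannot pass as success.
$setting = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
$enabled = @($setting.properties.logs | Where-Object { $_.enabled } | ForEach-Object { $_.category })
foreach ($required in 'Administrative', 'Policy') {
    if ($required -notin $enabled) {
        throw "Category '$required' is not enabled on management group $ManagementGroupId"
    }
}
if ($setting.properties.workspaceId -ne $WorkspaceId) {
    throw "Setting points at '$($setting.properties.workspaceId)', expected '$WorkspaceId'"
}
Write-Host "OK: '$SettingName' on management group $ManagementGroupId sends $($enabled -join ', ') to $WorkspaceId"
```

The GET-after-PUT check is the part worth keeping in any automation: a diagnostic setting that someone later edits to drop the Policy category, or repoints at a different workspace, is exactly the kind of silent gap this post is about, and running the script on a schedule turns it into a drift check for the root management group.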
 

Do you like automation and PowerShell?

No problem!! My colleague @Martin Schvartzman wrote and shared a cool PowerShell script that does the same job.

Let's check it:

https://github.com/martin77s/Azure/blob/master/PS/Enable-DiagnosticSettingsMG.ps1

 

I hope it will help you, save some time as well as some headaches! 

 

See you next time! 

Simone 

 

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

Last update: Jul 18 2021 12:57 AM