Azure Logs Integration
Introduction
This document shows information related to Azure Active Directory Integration.
The Azure Logs integration retrieves different types of log data from Azure.
Assumptions
The procedures described in the Requirements section assume that a Log Collector has already been set up.
Requirements
Main Setup
- One or more event hubs to store in-flight logs exported by Azure services and make them available to the Log Collector. Example:

  ┌────────────────┐        ┌────────────┐
  │     adlogs     │        │    Log     │
  │ <<Event Hub>>  │─────▶  │ Collector  │
  └────────────────┘        └────────────┘

- One or more diagnostic settings to export logs from Azure services to Event Hubs. Example:

  ┌──────────────────┐      ┌──────────────┐      ┌─────────────────┐
  │Microsoft Entra ID│      │  Diagnostic  │      │   Event Hub     │
  │    <<source>>    │─────▶│   settings   │────▶ │ <<destination>> │
  └──────────────────┘      └──────────────┘      └─────────────────┘

- One Storage Account container to store information about the logs consumed by the Log Collector (the consumer group state: position or offset). Example:

  ┌────────────────┐                      ┌────────────┐
  │     adlogs     │        logs          │    Log     │
  │ <<Event Hub>>  │─────────────────────▶│ Collector  │
  └────────────────┘                      └────────────┘
                                                │
                      consumer group info       │
  ┌────────────────┐  (state, position, or      │
  │   azurelogs    │   offset)                  │
  │ <<container>>  │◀───────────────────────────┘
  └────────────────┘
Here are several requirements before using the integration, since the logs will be read from Azure Event Hubs:
- The logs have to be exported first to an event hub.
  • Create an event hub using the Azure portal.
  • More information can be found at: https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create
- To export activity logs to event hubs, users can follow the steps here:
  • Legacy collection methods
  • More information can be found at: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#legacy-collection-methods
- To export audit and sign-in logs to event hubs, users can follow the steps here:
  • Stream Azure Active Directory logs
  • More information can be found at: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub
Azure Active Directory Integration Procedures
Create a Resource Group
A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group:
- Sign in to the Azure portal.
- In the left navigation, select Resource groups, and then select Create a resource.
- For Subscription, select the name of the Azure subscription in which you want to create the resource group (for CyTech: Azure Active Directory).
- Type a unique name for the resource group. The system immediately checks whether the name is available in the currently selected Azure subscription.
- Select a region for the resource group.
- Select Review + Create.
- The deployment takes a few minutes to complete.
Create an Event Hubs Namespace
An Event Hubs namespace provides a unique scoping container in which you create one or more event hubs. To create a namespace in your resource group using the portal, do the following:
- In the Azure portal, select Create a resource at the top left of the screen.
- Select All services in the left menu, and select the star (*) next to Event Hubs in the Analytics category. Confirm that Event Hubs is added to FAVORITES in the left navigation menu.
- Select Event Hubs under FAVORITES in the left navigation menu, and select Create on the toolbar.
- On the Create namespace page, take the following steps:
  a. Select the subscription in which you want to create the namespace.
  b. Select the resource group you created in the previous step.
  c. Enter a name for the namespace. The system immediately checks whether the name is available.
  d. Select a location for the namespace.
  e. Choose Basic for the pricing tier. To learn about the differences between tiers, see the Quotas and limits, Event Hubs Premium, and Event Hubs Dedicated articles.
  f. Leave the throughput units (standard tier) or processing units (premium tier) settings as they are. To learn about throughput units or processing units, see Event Hubs scalability.
  g. Select Review + Create at the bottom of the page.
  h. On the Review + Create page, review the settings and select Create. Wait for the deployment to complete.
- On the Deployment page, select Go to resource to navigate to the page for your namespace.
Create an Event Hub
To create an event hub within the namespace, do the following:
- On the Overview page, select + Event hub on the command bar.
- Type a name for your event hub, then select Review + create. The partition count setting allows you to parallelize consumption across many consumers; for more information, see Partitions. The message retention setting specifies how long the Event Hubs service keeps data; for more information, see Event retention.
- On the Review + create page, select Create.
- You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of event hubs.
Create a Diagnostic Setting
Diagnostic settings export the logs from Azure services to a destination; to use the Azure Logs integration, that destination must be an event hub.
To create a diagnostic setting that exports logs:
- Locate the diagnostic settings for the service (for example, Microsoft Entra ID).
- Select Diagnostic settings in the Monitoring section of the service. Note that different services may place the diagnostic settings in different positions.
- Select Add diagnostic setting.
On the diagnostic setting page you have to select the source log categories you want to export and then select their destination.
Select log categories
Each Azure service exports a well-defined list of log categories. Check the individual integration documentation to learn which log categories are supported by the integration.
Select the destination
Select the subscription and the Event Hubs namespace you previously created, then select the event hub dedicated to this integration.
Example:
┌───────────────┐ ┌──────────────┐ ┌───────────────┐ ┌────────────┐
│ MS Entra ID │ │ Diagnostic │ │ adlogs │ │ Log │
│ <<service>> ├──▶│ Settings │──▶│ <<Event Hub>> │─────▶ │ Collector │
└───────────────┘ └──────────────┘ └───────────────┘ └────────────┘
Create a Storage Account
To create an Azure storage account with the Azure portal, follow these steps:
- From the left portal menu, select Storage accounts to display a list of your storage accounts. If the portal menu isn't visible, click the menu button to toggle it on.
- On the Storage accounts page, select Create.
- Basics: the following image shows a standard configuration of the basic properties for a new storage account.
- Advanced: the following image shows a standard configuration of the advanced properties for a new storage account.
- Networking: the following image shows a standard configuration of the networking properties for a new storage account.
- Data protection: the following image shows a standard configuration of the data protection properties for a new storage account.
- Encryption: the following image shows a standard configuration of the encryption properties for a new storage account.
- Review + Create tab: when you navigate to the Review + create tab, Azure runs validation on the storage account settings that you have chosen. If validation passes, you can proceed to create the storage account. If validation fails, the portal indicates which settings need to be modified. The following image shows the Review tab data prior to the creation of a new storage account.
Resources needed for the integration of Azure Active Directory:
- Azure Diagnostic Settings
  Create a diagnostic setting and select which logs Azure will send to the event hub.
  Navigate to Microsoft Entra ID > Monitoring > Diagnostic settings.
- Event Hub Credentials
  • Go to the Event Hub resource > Shared access policies.
  • Please provide CyTech with:
    a. The event hub name (not the namespace name)
    b. The connection string (primary key)
- Storage Account Credentials
  • Please provide CyTech with:
    a. The storage account name
    b. Key 1 (access key)
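As an added check (example code written for this document, not CyTech's collector code), the following Python validates an Event Hub connection string before it is handed over: it confirms the string parses, that its EntityPath names the event hub given in item (a) rather than only the namespace, and that it is not the namespace root policy, which carries Manage rights where the collector only needs Listen. The endpoint pattern assumes the public Azure cloud suffix; all values are constructed and the key is a placeholder.

```python
import re

# Constructed sample strings; SharedAccessKey is a placeholder, not a real secret.
HUB_SCOPED = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
              "SharedAccessKeyName=logcollector-listen;"
              "SharedAccessKey=PLACEHOLDER_KEY_VALUE;EntityPath=adlogs")
NAMESPACE_ROOT = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
                  "SharedAccessKeyName=RootManageSharedAccessKey;"
                  "SharedAccessKey=PLACEHOLDER_KEY_VALUE")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Values may themselves contain
    '=' (base64 keys end with padding), so split each item on the first '=' only."""
    parts = {}
    for item in filter(None, cs.split(";")):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    return parts


def check_event_hub_credentials(cs: str, expected_hub: str) -> list:
    """Return findings for the connection string handed to the collector.
    An empty list means it is usable as-is for the given event hub name."""
    findings = []
    p = parse_connection_string(cs)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in p:
            findings.append(f"missing {required}")
    endpoint = p.get("Endpoint", "")
    # Public-cloud namespace endpoint (assumption: sovereign clouds use other suffixes).
    if not re.fullmatch(r"sb://[A-Za-z0-9-]+\.servicebus\.windows\.net/?", endpoint):
        findings.append(f"unexpected Endpoint: {endpoint!r}")
    entity = p.get("EntityPath")
    if entity is None:
        findings.append("namespace-level string: it names no event hub, so the hub "
                        "name from item (a) must be supplied separately")
    elif entity != expected_hub:
        findings.append(f"EntityPath {entity!r} is not the expected hub {expected_hub!r}")
    if p.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        findings.append("SharedAccessKeyName is RootManageSharedAccessKey (Manage rights): "
                        "prefer a policy scoped to the hub with only the Listen claim")
    return findings
```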
Additional Information:
Azure Active Directory logs contain:
Sign-in logs - Information about sign-ins and how your users use your resources.
- Retrieves Azure Active Directory sign-in logs. The sign-ins report provides information about the usage of managed applications and user sign-in activities.
Identity Protection logs - Information about user risk status and the events that change it.
- Retrieves Azure AD Identity Protection logs. The Azure AD Identity Protection service analyzes events from AD users' behavior, detects risk situations, and can respond by reporting only or even blocking users at risk, according to policy configurations.
Provisioning logs - Information about user and group synchronization to and from external enterprise applications.
- Retrieves Azure Active Directory Provisioning logs. The Azure AD Provisioning service syncs AD users and groups to and from external enterprise applications. For example, you can configure the provisioning service to replicate all existing AD users and groups to an external Dropbox Business account, or vice versa.
  The Provisioning logs contain a lot of details about an inbound/outbound sync activity, such as:
  • User or group details.
  • Source and target systems (e.g., from Azure AD to Dropbox).
  • Provisioning status.
  • Provisioning steps (with details for each step).
Audit logs - Information about changes to your tenant, such as user and group management, or updates to your tenant's resources.
- Retrieves Azure Active Directory audit logs. The audit logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles and policies.
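To make the flow concrete, here is an added Python example (not part of this document or of the collector's own code) that handles the JSON envelope a diagnostic setting writes to the event hub, routes each record to one of the four log types above by its category, and keeps the per-partition checkpoint that the Main Setup section places in the storage account container. The sample event body and the in-memory checkpoint store are constructed stand-ins; the category names are the Entra ID diagnostic-setting categories.

```python
import json

# Constructed sample of one Event Hub event body as written by an Entra ID diagnostic
# setting: a JSON object with a "records" array. Values are made up; the shape is real.
SAMPLE_EVENT_BODY = json.dumps({"records": [
    {"time": "2024-01-01T10:00:00Z", "category": "SignInLogs", "resultType": "0",
     "properties": {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook"}},
    {"time": "2024-01-01T10:00:05Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Add member to group", "properties": {}},
    {"time": "2024-01-01T10:00:09Z", "category": "ProvisioningLogs", "resultType": "Success",
     "properties": {"sourceSystem": {"displayName": "Azure Active Directory"}}},
    {"category": "RiskyUsers", "properties": {}}, {"category": "SomeNewCategory", "properties": {}},
]})

# Diagnostic-setting categories mapped onto the four log types described above.
CATEGORY_TO_LOG_TYPE = {
    "SignInLogs": "signin", "AuditLogs": "audit", "ProvisioningLogs": "provisioning",
    "RiskyUsers": "identity_protection", "UserRiskEvents": "identity_protection",
}

def route_records(event_body: str) -> dict:
    """Bucket the records of one event body by log type; unknown categories are kept
    under "unknown" so a category newly enabled in the setting is noticed, not lost."""
    buckets = {t: [] for t in ("signin", "audit", "provisioning", "identity_protection", "unknown")}
    for rec in json.loads(event_body).get("records", []):
        buckets[CATEGORY_TO_LOG_TYPE.get(rec.get("category"), "unknown")].append(rec)
    return buckets

class CheckpointStore:
    """Stand-in for the 'azurelogs' container: last offset/sequence number per partition."""
    def __init__(self, consumer_group: str = "$Default"):
        self.consumer_group, self.state = consumer_group, {}
    def update(self, partition_id: str, offset: str, sequence_number: int) -> None:
        self.state[partition_id] = {"offset": offset, "sequenceNumber": sequence_number}
    def resume_from(self, partition_id: str):
        return self.state.get(partition_id)  # None means no checkpoint: read from the start

def process_events(events, store: CheckpointStore) -> dict:
    """Consume (partition_id, offset, sequence_number, body) tuples in order. Delivery is
    at-least-once, so anything at or before the checkpoint is skipped as a replay."""
    counts = {}
    for partition_id, offset, seq, body in events:
        checkpoint = store.resume_from(partition_id)
        if checkpoint and seq <= checkpoint["sequenceNumber"]:
            continue
        for log_type, recs in route_records(body).items():
            if recs:
                counts[log_type] = counts.get(log_type, 0) + len(recs)
        store.update(partition_id, offset, seq)  # checkpoint only after routing succeeded
    return counts
```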
If you need further assistance, kindly contact our support at info@cytechint.com for prompt assistance and guidance.