integrate microsoft azure - eventtracker€¦ · if azure intune has been selected, it will pop up...

Integrate Microsoft Azure EventTracker v.9x and above

Publication Date: November 22, 2019

1

Integrate Microsoft Azure

Abstract

This guide provides instructions to configure Azure to generate logs for critical events. Once EventTracker is

configured to collect and parse these logs, dashboard and reports can be configured to monitor Azure

Activity, Azure Intune, Key vaults and Azure WAF.

Scope

The configurations detailed in this guide are consistent with EventTracker version 9.x and later, and Microsoft

Azure services.

Audience

IT Admins, Azure administrators and EventTracker users who wish to forward logs to EventTracker Manager

and monitor events using EventTracker.

The information contained in this document represents the current view of Netsurion. on the

issues discussed as of the date of publication. Because Netsurion must respond to changing

market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and

Netsurion cannot guarantee the accuracy of any information presented after the date of

publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS

OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

rights under copyright, this paper may be freely distributed without permission from Netsurion, if

its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Netsurion, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious.

No association with any real company, organization, product, person or event is intended or

should be inferred.

© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned

herein may be the trademarks of their respective owners.

2


Table of Contents 1. Overview ........................................................................................................................................................ 4

2. Prerequisites .................................................................................................................................................. 4

3. Configuring Azure to forward logs to EventTracker ...................................................................................... 4

3.1 Method 1: Integrating through EventTracker application ..................................................................... 4

3.1.1 EventTracker Integrator for Azure .................................................................................................. 5

3.1.2 Registering application with your Azure Active Directory Tenant .................................................. 9

3.1.3 Granting the Azure AD Application Reader Access to the Subscription ....................................... 14

3.1.4 Finding your Azure tenant ID in the Azure AD portal.................................................................... 14

3.1.5 Verifying Azure Integration ........................................................................................................... 15

3.2 Method 2: Integrating through Azure Function App ............................................................................ 15

3.2.1 Creating an Event Hub Namespace and Event Hub ...................................................................... 15

3.2.2 Creating Azure Function App......................................................................................................... 18

3.2.3 Azure Application Gateway Configuration to EventHub ............................................................... 26

3.2.4 Azure Web Application Firewall on Azure Front Door Configuration to EventHub ...................... 29

3.2.5 Azure Key vault Configuration to EventHub .................................................................................. 31

4. EventTracker Knowledge Pack (KP) ............................................................................................................. 34

4.1 Reports .................................................................................................................................................. 34

4.1.1 Azure Intune .................................................................................................................................. 34

4.1.2 Azure Key Vault ............................................................................................................................. 36

4.1.3 Azure WAF ..................................................................................................................................... 38

4.2 Alerts ..................................................................................................................................................... 41

4.2.1 Azure Key Vault ............................................................................................................................. 41

4.2.2 Azure WAF ..................................................................................................................................... 41

5. Saved Searches ............................................................................................................................................ 42

6. Sample Dashboards ..................................................................................................................................... 42

6.1 Azure Intune ......................................................................................................................................... 42

6.2 Azure Key Vault ..................................................................................................................................... 44

6.2.1 Azure WAF ..................................................................................................................................... 47

7. Importing Knowledge Pack into EventTracker ............................................................................................ 53

3


7.1 Alerts ..................................................................................................................................................... 53

7.2 Knowledge Objects ............................................................................................................................... 54

7.3 Flex Reports .......................................................................................................................................... 55

7.4 Category ................................................................................................................................................ 57

7.5 Dashlets ................................................................................................................................................ 58

8. Verifying Knowledge Pack in EventTracker ................................................................................................. 61

8.1 Alerts ..................................................................................................................................................... 61

8.2 Knowledge Object ................................................................................................................................. 62

8.3 Flex Reports .......................................................................................................................................... 62

8.4 Category ................................................................................................................................................ 63

8.5 Dashlets ................................................................................................................................................ 64

4


1. Overview EventTracker Knowledge pack for Microsoft Azure captures important and critical activities in Azure. Monitoring these activities is critical from a security aspect and is required for compliance and operational reasons. The dashboards, reports will help you in getting deeper insights to analyze various security use cases like azure resource and service activities and changes. EventTracker helps you to monitor day to day activities of Azure resource activities, Intune, Key vault audit

activities and Azure WAF.

2. Prerequisites • EventTracker v9.x or above should be installed.

• PowerShell 5.0 should be installed on the EventTracker Manager.

3. Configuring Azure to forward logs to EventTracker To Integrating Azure services to EventTracker following methods need to be configured:

Integration methods will differ based on the service you wanted to monitor.

Method 1: Integrating through EventTracker application – This integration method we will use custom

application from EventTracker to get the event details from Azure management or graph api.

Below services can be monitored using the method1:

• Azure Monitor

• Azure Intune

Method 2: Integrating through Azure Function App – This integration method we are using Azure Function

app service to create a trigger on EventHub and send it to EventTracker Manager.

Below services can be monitored using Method 2:

• Azure Key vault

• Azure Front door WAF

• Azure Application gateway firewall

3.1 Method 1: Integrating through EventTracker application This method uses the Azure API to fetch events and send them to EventTracker.

5


Use this method to monitor the below services only:

• Azure Monitor

• Azure Intune

Pre-request:

• To create a “Microsoft graph and Azure Management API” enabled the app in Azure AD, please

follow the steps mentioned here.

• After the successful creation of the user and application, run the Azure Integrator.

• Please enable the following URL, if there is any web filter or firewall in between:

o https://graph.microsoft.com

o https://login.windows.net

o https://manage.office.com

3.1.1 EventTracker Integrator for Azure

You need to follow these steps if you want to create an application.

1. Please contact EventTracker Support for the Azure Integration package.

2. Run executable file “Azure Integrator.exe”.

Figure 1

https://graph.microsoft.com/

https://login.windows.net/

mailto:[email protected]?subject=Office%20365%20Integration%20Package

6


After launching the integrator, it will check for PowerShell compatibility. If it is found compatible, the

integrator will allow you to configure Azure. Otherwise, update PowerShell on the EventTracker

Manager machine.

3. Please follow the Register Application section and permission sections for application creation

respectively. Fill the details in the Application.

Figure 2

4. Fill the details of the app registered in Azure AD with Microsoft Graph and Azure Management

API permission. If the user doesn’t have an app registered in Azure AD, please follow the

instructions mentioned here.

7


5. Provide the tenant ID for the enterprise. Please follow the instruction mentioned here, if tenant

ID is not known.

6. Once you have filled the appropriate fields in the forms, it will enable the Select Azure Product

checkboxes.

7. Select the Check box which is required to monitor.

8. If Azure Intune has been selected, it will pop up the browser window to authorize the client.

Login with Azure administrator account to authorize the application.

Figure 3

9. If the browser window is not popped-up, it will pop up a form with a URL. Click the “Copy URL

to Clipboard” button.

8


Figure 4

10. Once the link is copied, paste it in your web browser and login with azure administrator

credentials.

11. Make sure “Consent on behalf of your organization” is checked and click accept.

Figure 5

9


12. If the application is authorized, the page will redirect to your localhost or redirect to the URL,

which you are given.

13. Copy the redirected URL from the browser and paste it in Redirected Auth URL text box and

click OK to proceed further.

14. Once you provide all the details in the Integrator “OK” button will be enabled.

15. Click on the OK button to complete the Integration.

3.1.2 Registering application with your Azure Active Directory Tenant

If the application has not been registered in Azure AD, please follow the below procedure. This

procedure should be carried out by a user having Global Administrator rights in Azure.

1. Sign in to the Azure portal.

2. If your account gives you access to more than one, click your account in the top right corner,

and set your portal session to the desired Azure AD tenant.

3. In the left-hand navigation pane, click the Azure Active Directory service, click App

registrations, and click New application registration.

Figure 6

4. When the Create page appears, enter your application's registration information:

a. Name: Enter an appropriate application name

b. Application type: Select Web app / API

c. Sign-On URL: Enter http://localhost

https://portal.azure.com/

10


Figure 7

5. When finished, click Create. Azure AD assigns a unique Application ID to your application, and

you are taken to your application's main registration page. Please note down the Application

ID.

6. To add permission(s) to access resource APIs from your client,

a. Click the Required Permissions section on the Settings page.

b. Click the Add button.

c. Click Select an API to select the type of resources you want to pick from and then select

the Microsoft Graph.

11


Figure 8

7. After selecting the Microsoft Graph, add following application permissions:

a. Read all identity risky user information

b. Read all usage reports.

c. Read your organization’s security events.

12


Figure 9

8. Click Grant permissions after selecting Required permissions. For granting permissions,

user(s) with “Global Administrator” privileges are required.

13


Figure 10

9. You are taken to the application's main registration page, which opens the Settings page for

the application. To add a secret key for your web application's credentials:

a. Click the Keys section on the Settings page.

b. Add a description for your key.

c. Select Never from expires drop-down.

d. Click Save. The right-most column will contain the key value after you save the

configuration. Make note of value generated. This will be used in the integrator as a

client secret.

Figure 11

10. Please note down the Application ID after completing the app configuration.

14


3.1.3 Granting the Azure AD Application Reader Access to the Subscription

1. After creating the Azure application (which is similar to a service account), the application

needs to be granted Security reader access to the subscription(s) via a service principal object.

2. Select Subscriptions -> Your subscription -> Access control (IAM) -> Add -> select the

Security Reader role -> type the name of your application registration from the previous step

-> select the application when it appears in the results -> click the Save button.

Figure 12

3.1.4 Finding your Azure tenant ID in the Azure AD portal

• Sign in to the Azure portal.

• In the Microsoft Azure portal, click Azure Active Directory.

• Under Manage, click Properties. Make note of the value in the Directory ID box. This will be

used as a Tenant ID in the integrator.

Figure 13

https://portal.azure.com/

15


3.1.5 Verifying Azure Integration

After providing details to Azure Integrator, please follow the steps to verify the Azure integration.

• Check if the following task is created in Task Scheduler.

Figure 14

3.2 Method 2: Integrating through Azure Function App Use this method to monitor the below services only:

• Azure Application Gateway

• Azure Front Door

• Azure Key vault

This Method uses Azure EventHub and Azure Function app services from azure. Use the below steps to

configure the same.

Note: Select the service, plan, resource group and region according to your environment.

Pre-request:

• EventHub to be created and all service monitoring EventHub should configure the log point to that

EventHub.

• Function with EventHub trigger need to be created.

• Make sure IP and port between Function app and EventTracker Manager are open and reachable.

3.2.1 Creating an Event Hub Namespace and Event Hub

The Event Hub Namespace will contain one or more Event Hubs. The configured Azure services will

create Event Hubs in this namespace to store activity logs and diagnostics logs.

1. Navigate to All services > Event Hubs > Add -> supply a Name, Resource group, and any

other settings -> Create

16


Figure 15

Figure 16

17


2. Select the EventHubs under the EventHub namespace which we created.

3. Click on “+Event Hub” and supply EventHub name, partition count based on your

environment.

Figure 17

4. Click Create.

18


Figure 18

3.2.2 Creating Azure Function App

Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud. For

more details on function app overview and cost refer to the link.

To Create Function APP in Azure Portal

1. Use the link to create Azure Function APP

2. Select the following options as mentioned below

• “Publish” as “Code”

• “Runtime stack” as “.NET Core”

• “Region” appropriate to your service region

https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview

https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal

19


Figure 19

3. Select the Hosting tab and create a new storage account or use an existing one.

4. Select the Operating System as Windows

5. Select Plan and plan type according to your environment refer above link for plan and cost

details.

20


Figure 20

6. Select the “Review+create” tab to create a function app.

7. Once Function app created. Navigate to All services > Function App > <Function APP Name>

to do further configuration.

8. Click to create a new function under the function app.

21


Figure 21

9. Choose an AZURE Event HUB trigger template

Figure 22

10. Fill the Name, connection consumer group, and EventHub name and click create.

11. Event Hub Connection settings.

22


Figure 23

Figure 24

12. Open the function we created.

Figure 25

23


13. Click Upload and browse and select the run.csx file which we have given in the integration

pack.

Figure 26

14. Once file uploaded, Add EventTracker Server IP Address and EventTracker Manager Name as

mentioned below

Note: EventTracker Server IP Address should be a pubic IP address, or it should configure to reachable

from outside network.

Figure 27

15. Click Save.

24


Figure 28

16. Navigate to All service > function App > <Function app name> > Platform features tab in home

page.

17. Select Advanced tools(kudu)

Figure 29

18. On popped up KUDU console. Open Debug console select PowerShell.

25


Figure 30

19. Drag and drop the support folder from the integration pack to D:\home\site\wwwroot\bin\

as in the image below.

Figure 31

26


3.2.3 Azure Application Gateway Configuration to EventHub

1. Navigate to your Azure Application gateway.

2. Click on the Diagnostic settings.

Figure 32

3. Click on Add diagnostic setting.

27


Figure 33

4. Give setting a name.

5. Select “Stream to an event hub”.

Figure 34

6. Select the EventHub which we configured earlier.

28


Figure 35

7. Select the below check box under the log section and click Save.

• ApplicationGatewayAccessLog

• ApplicationGatewayFirewallLog

Figure 36

29


3.2.4 Azure Web Application Firewall on Azure Front Door Configuration to

EventHub

To configure Front Doors WAF to EventHub,

1. Navigate to All services > >Front Doors > ><Your Front Door>

2. Click on the Diagnostic settings.

Figure 37

30



Figure 38



Figure 39


Figure 40

31


7. Select below check box under the Log section and click save.

• FrontdoorAccessLog

• FrontdoorWebApplicationFirewallLog

Figure 41

3.2.5 Azure Key vault Configuration to EventHub

1. Navigate to the Key vault you wanted to monitor

All Services > Key vault > <Your Key vault Name>

32


Figure 42


33


Figure 43



Figure 44


Figure 45

34


6. Select below check box under the Log section and click save.

• Audit

Figure 46

4. EventTracker Knowledge Pack (KP) Once logs are received in EventTracker; Reports, Knowledge Objects, and Dashboards can be configured in

EventTracker.

The following Knowledge Packs are available in EventTracker v9.x and later to support Azure monitoring:

4.1 Reports

4.1.1 Azure Intune

• Azure Intune - Audit Events: This report will provide you with information related to Azure

Intune Audit Events.

35


Sample Report:

Figure 47

Sample Log

Figure 48

36


4.1.2 Azure Key Vault

• Azure Key vault - Audit activity details: This report will provide you with information related to

Azure Key vault audit events.

Sample Log:

Figure 49

37


Figure 50

• Azure Key vault - Unauthorized access details – This report will provide detailed information on

unauthorized access on key vaults.

Figure 51

38


Sample Log:

Figure 52

4.1.3 Azure WAF

• Azure WAF - Application gateway firewall activity – This report will provide detailed information

on azure application gateway firewall traffic and detection of OWASP rules and other rules

matched or detected based on the configuration.

Figure 53

39


Sample Log:

Figure 54

• Azure WAF - Application gateway access traffic details – This report will provide detailed

information on azure application gateway access traffic. It will help you to identify and analyze

the user (IP address) and status of the traffic and protocol method which they are accessing.

Figure 54

40


Sample Log:

Figure 55

Figure 56

41


• Azure WAF - Application gateway access failed details – This report will provide detailed

information on azure application gateway failed access traffic. It can be used for identifying or

analysis server operation related issues or malicious activities.

Sample Log:

Figure 57

4.2 Alerts

4.2.1 Azure Key Vault

• Azure Key Vault: Unauthorized access detected - This alert is generated when unauthorized access on key vault event occurs.

• Azure Key Vault: Key Vault deleted – This alert is generated when keys in key vault deleted.

4.2.2 Azure WAF

• Azure WAF: OWASP ruleset scanner detected - - This alert is generated when the WAF OWASP rule matched or detected for scanner detection.

• Azure WAF: OWASP ruleset InvalidHTTPRequest detected- This alert is generated when the WAF OWASP rule matched or detected for invalid protocol requests on site.

• Azure WAF: OWASP ruleset path traversal attempted - This alert is generated when the WAF OWASP rule matched or detected for path traversal attempt on site.

• Azure WAF: OWASP ruleset PHP injection attack detected - This alert is generated when the WAF OWASP rule matched or detected for path traversal attempt on site.

42


• Azure WAF: OWASP ruleset possible remote file inclusion (RFI) Attack detected - This alert is generated when the WAF OWASP rule matched or detected for remote file inclusion attempt on site.

• Azure WAF: OWASP ruleset possible session fixation attack detected- This alert is generated when the WAF OWASP rule matched or detected for session fixation attack detected on site.

• Azure WAF: OWASP ruleset PROTOCOL-ATTACK detected- This alert is generated when the WAF OWASP rule matched or detected for protocol attack detected on site.

• Azure WAF: OWASP ruleset remote command execution detected- This alert is generated when the WAF OWASP rule matched or detected for command execution on site.

• Azure WAF: OWASP ruleset SQL Injection Attack detected- This alert is generated when the WAF OWASP rule matched or detected for SQL injection attack on site.

• Azure WAF: OWASP ruleset XSS attack detected- This alert is generated when the WAF OWASP rule matched or detected for XSS attack on site.

5. Saved Searches

• Azure Key vault - Unauthorized access details – This saved search helps you to search and drill down analysis on unauthorized access on key vault events.

• Azure Key vault - Audit activity details - This saved search helps you to search and drill down analysis on audit activities on key vault events.

• Azure WAF - Application gateway firewall activity -This saved search helps you to search and drill down analysis on application gateway firewall activities and type of attack detected on traffic or site.

• Azure WAF - Application gateway traffic details -This saved search helps you to search and drill down analysis on application gateway traffic and its status.

6. Sample Dashboards

6.1 Azure Intune • Azure Intune Audit Activities by Category

43


Figure 58

• Azure Intune Audit Activities by Type

Figure 59

• Azure Intune Audit Activities by User

Figure 60

44


• Azure Intune Audit Activities by Status

Figure 61

• Azure Intune Audit Activities by Component

Figure 62

6.2 Azure Key Vault

45


• Azure Key vault Audit Activities by Geo Location

Figure 63

• Azure Key vault Audit Activities

Figure 64

46


• Azure Key vault Audit activity table

Figure 65

• Azure Key vault Audit Activities by name

Figure 66

47


• Azure Key vault Audit Activities by geo location

Figure 67

6.2.1 Azure WAF

• Azure WAF Traffic details by http method

Figure 68

48


• Azure WAF traffic by URI

Figure 69

• Azure WAF traffic by status

Figure 70

49


• Azure WAF traffic details by IP

Figure 71

• Azure WAF Firewall activity details

Figure 72

50


• Azure WAF Firewall activities by URI

Figure 73

• Azure WAF Firewall activities by rule group

Figure 74

51


• Azure WAF Firewall activities by source geo location

Figure 75

• Azure WAF Firewall activities by host

Figure 76

52


• Azure WAF Firewall activities by rule

Figure 77

• Azure WAF web traffic failed by hostname

Figure 78

53


7. Importing Knowledge Pack into EventTracker NOTE: Import knowledge pack items in the following sequence:

• Alerts.

• Knowledge Object.

• Token templates.

• Flex Reports.

• Categories.

• Dashboard.

1. Launch the EventTracker Control Panel.

2. Double click Export/Import Utility, and then click the Import tab.

Figure 79

3. Import Tokens/Flex Reports as given below.

7.1 Alerts

1. Click Alert option, and then click the browse button

2. Navigate to the location having a file with the extension “.isalt” and then click on the “Import”

button:

54


Figure 80

EventTracker displays a success message:

Figure 81

7.2 Knowledge Objects 1. Click Knowledge objects under the Admin option in the EventTracker manager page.

2. Locate the file named *.etko.

55


Figure 82

3. Now select all the check box and then click on the ‘Import’ option.

4. Knowledge objects are now imported successfully.

Figure 83

7.3 Flex Reports 1. Click Reports option and select new (.etcrx) from the option.

56


Figure 84

2. Locate the file named *. etcrx and select all the check box.

Figure 85

57


3. Click the Import button to import the reports. EventTracker displays a success message.

Figure 86

7.4 Category 1. Click the category option, and then click the browse button.

Figure 87

2. Locate the. iscat file, and then click the open button.

3. To import category, click the Import button.

58


EventTracker displays a success message.

Figure 88

4. Click the OK button, and then click the Close button.

7.5 Dashlets In EventTracker 9.0, we have added a new feature which will help to import/export the dashlet. Following is

the procedure to do that:

1. Login into EventTracker Web console.

Figure 89

2. Go to My Dashboard option.

59


Figure 90

3. Click on the import button and select .etwd File.

Figure 91

4. Browse to the file path.

60


Figure 92

5. Click Upload and select the Dashboards which you want to import.

61


Figure 93

6. Click on the Import button. It will upload all the selected dashboards.

7. Repeat the same procedure to import all other .etwd for different azure service Dashboards.

8. Verifying Knowledge Pack in EventTracker

8.1 Alerts 1. In the EventTracker web interface, click the Admin dropdown, and then click Alerts.

2. In search box enter “Azure” and then click the Search button.

EventTracker displays an alert related to “Azure”:

62


Figure 94

8.2 Knowledge Object 1. Logon to EventTracker.

2. Click the Admin menu, and then click the Knowledge Object.

3. In Knowledge Object Group Tree to view imported knowledge object, scroll down and click the Azure

group folder.

Knowledge Object is displayed in the pane.

Figure 95

8.3 Flex Reports 1. Logon to EventTracker.

63


2. Click the Reports menu, and then Configuration.

3. Select Defined in report type.

4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click the Azure group

folder.

Reports are displayed in the Reports configuration pane.

Figure 96

8.4 Category 1. Login to EventTracker.

2. Click the Admin menu, and then click Category.

Figure 97

64


3. Click the search, and then search with Azure.

Figure 98

8.5 Dashlets 1. Logon to EventTracker.

2. Click the Dashboard menu, and then My Dashboard.

Figure 99

3. Then click on Customize Dashlet button and search for “Azure”.

4. Click on Add, for adding the dashlets to the My Dashboard.

integrate microsoft azure - eventtracker€¦ · if azure intune has been selected, it will pop up...

Documents