fbpx

Azure Security Monitoring and Alerting of Security Events

Active Directory & Office 365 Reporting Tool

Azure Security Monitoring and Alerting of Security Events. Securing the Azure environment demands proactive measures and also an effective system for monitoring and responding to security events in real-time. Monitoring of Azure resources detects, analyses, and acts upon potential threats. This guide lays out the essential steps to configure a comprehensive security monitoring infrastructure within Azure, ensuring the seamless collection, analysis, and management of critical security logs.

Also ReadĀ Analyze Azure AD Security Logs: Audit & Monitor Azure AD Activity

Prepare the Centralized Logging Infrastructure

The first step is the implementation of the centralized logging system. Either Azure Sentinel or Azure Monitor, or some third-party tool, such as IBM QRadar, SolarWinds Security Event Manager, etc.

The selected aggregation tool should have the features required to perform the security monitoring effectively.

Requirements for Centralized Security Log Management Tool

  • Compatibility with the Azure resources. Usually, the integration is configured through the Azure Event Hub which streamlines the data to the third-party destinations.
  • Search and Query Capabilities. The tool must offer advanced search and query functionalities, enabling security analysts to perform detailed investigations, filter logs based on specific criteria, and identify security events effectively.
  • Normalization and Correlation. Usually, when you deploy a log management tool, you expect it to collect data from the vast variety of different sources ā€“ Microsoft Entra ID, VMs, storage accounts, databases, etc. Capabilities for log normalization and correlation are crucial to make sense of data from different sources, aggregating and correlating logs to detect patterns or anomalies indicative of security threats.
  • Alerting and Notifications. Must support customizable alerting and notification features, enabling security teams to set up alerts for specific events or thresholds to act upon security incidents promptly.
  • Retention and Storage. Must support efficient log storage and retention policies, ensuring logs are retained for the required duration while managing storage costs effectively. For example, Azure Monitor stores the log entries in the Log Analytics workspace for up to 12 years.

In addition to the listed features, other factors, such as performance, scalability, reliability take price into configuration. In case you have a new infrastructure (greenfield), which is mostly located in Azure, the easiest solution would be the usage of the Azure Monitor. In case you already infrastructure which you want to expand to the cloud, consider the integration of the existing tool with Azure resources.

What is next with Azure Security Monitoring and Alerting of Security Events?

Also ReadĀ Azure AD Auditing: Enabling and Configuring Audit Logs

Enable Logging for the Resources

After the configuring of the logging system, the next step is the routing of the platform logs. They register events related for different Azure resources, more details is here Overview of Azure platform logs

Resource Logs

Resource logs provide information related to operations within the resource. The content of the logs depends on the resource type. This type of logs is very useful for the security monitoring as it registers access to the data. Resource logs arenā€™t collected by default and to collect them you need to route them to the log consolidation tool.

  1. To enable resource logging, navigate to the page of the resource in the Admin Portal. Then, on the left side of the page, select Diagnostic Settings, under the Monitoring section.
Azure Security Monitoring and Alerting of Security Events
  1. In the window, press the Add Diagnostic Setting
Add Diagnostic Setting ResourceLogs02
  1. Diagnostic Setting page opens. Specify diagnostic setting name, metrics to send and the destinations. If you are using Azure Monitor, the destination should be the Log Analytics workspace, while an event hub is the most probable option for the third-party tools. After that, press Save to submit.
Azure Security Monitoring and Alerting of Security Events ResourceLogs03

Also ReadĀ Take advantage of our Office 365 Reporting Tool

Activity Logs

Activity logs collect the information about the operations performed on the resource from the outside, for example, the changes made by the admin. These logs are enabled by default, however, sending them to the target destination, such as Log Analytics Workspace, requires extra configuration.

  1. To send activity logs to the log management system, go to the Monitor page in the Azure Admin Portal. On the left side menu, select Activity Log, and then select Export Activity Log.
Export Activity Logs Step
  1. Next, press the Add Diagnostic Setting button.
Azure Security Monitoring and Alerting of Security Events ActivityLog02
  1. A new page appears, use it to select the log types to send, specify the name of the diagnostic settings and choose the destination. And finally, press Save.
Azure Security Monitoring and Alerting of Security Events

Also ReadĀ How to Monitor Office 365 Activity Logs for Improved Security

Microsoft Entra logs

Microsoft Entra logs include records related to the Azure identity provider. Find the list of the sign-in events, audit logs of the access level changes, registration of applications, etc. The logs are enabled by default and available in the Microsoft Entra admin center, only the routing the logs to the centralized logging system is required.

  1. To enable the Microsoft Entra logs forwarding, open the Microsoft Entra Admin Center. Then Identity > Monitoring and health > Diagnostic settings.
Entra Admin Centre Diagnostic settings EntraLogs01
  1. Repeat the steps 2 and 3 from the activity logs forwarding configuration.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.Ā  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Operating System logs

In case virtual machines are used in your Azure infrastructure, ensure to configure the logging on the operating system level. Azure Monitor supports logging on machines running both Windows and Linux operating systems.

  1. To configure the operating system logs collection, go to Azure Monitor page in the Azure Admin Portal, then, on the navigation menu, select Data Collection Rules.
Azure Security Monitoring and Alerting of Security Events Data Collection Rules OSLogs01
  1. Press Create
  2. Create Data Collection Rule wizard shows up. Specify the rule name, resource group, region and platform. Optionally, select a data collection endpoint, if you want to collect some specific data, such as IIS logs (more details are found in Data collection endpoints in Azure Monitor). Press Next.
OSLogs02
  1. On the next page select Add resources, and select virtual machines you want to monitor. Press Next to continue the deployment. The Azure Monitor Agent is automatically installed on the selected virtual machines if they are running supported version of Windows Server or Linux. In case you want to monitor VM that runs the client version of Windows , follow the instructions in Azure Monitor agent on Windows client devices.
Create data collection rule add resources
  1. On the Collect and Deliver page, select Add data source. A new window with two tabs appears. On the first tab, called Data Source, select the logs that you want to collect. The available log types depend on the operating system and on the data connection endpoint selected in step 2. For the security monitoring, select Windows Event Logs for Windows machines, and Linux Syslog for Linux machines. You may need to specify the additional information, such as minimum log level.
Azure Security Monitoring and Alerting of Security Events choose data source type
  1. On the second tab, press Add Destination. Select Azure Monitor Logs as the destination type, and select the required Log Analytics workspace in the Account or namespace Press Add data source.
OSLogs05
  1. Go to the Review + Create tab and press Create to complete the deployment.

The installed Azure Monitor Agent isnā€™t only used by Azure Monitor. It also used by Microsoft Defender for Cloud (by its component Defender for Servers in particular), if it is deployed. The usage of Defender for Cloud is highly recommended from both protecting and monitoring perspective, but requires additional budgeting. More details on the pricing are here.

Also ReadĀ Check Azure AD Audit Logs for User Sign-Ins (Success Failures)

Set Up Alerts to Stay Informed

After you configured the log collection, the next step is to configure the proper notifications to the responsible personnel. In Azure, alert rules are used for this purpose. Alert rules are the configuration entities that bring together the monitoring data from the resource, condition and the action group.

Alert Rule

Creation of the Action Group

Before creating the alert rule, letā€™s pre-create an action group.

  1. To create an action group, go to Azure Monitor page in the Azure Admin Portal, then, on the navigation menu, select Alerts.Go to Create > Action Group.
Azure Security Monitoring and Alerting of Security Events Monitor Alerts
  1. Create action group wizard appears. On the first tab, specify the basic information ā€“ resource group name, region, group name (must be unique within the resource group) and display name (the name that is shown in the notification messages). Provide the necessary information and press Next.
Create action group Azure Security Monitoring and Alerting of Security Events
  1. On the Notifications tab, specify the necessary notifications ā€“ via email (to a specific role or to the selected address), SMS, push alert or voice call. Then finalize the creation by clicking on Review + Create, then Create.
ActionGroup03

During the action group creation, optionally configure some actions, not only notifications. Azure supports different types of actions ā€“ execution of Azure Automation runbook, start of the Azure Function, sending a webhook, creation of a ticket in the IT service management tool (such as ServiceNow), etc.

Creation of the Alert Rule

After the creation of the action group, create an alert rule.

  1. Back on the Alerts page, go to Create > Alert Rule.
Create Alert Rule
  1. Create an alert rule wizard appears. On the first page, press Select Scope and select the resources you are creating alert for. Press Next.
Azure Security Monitoring and Alerting of Security Events Select Scope
  1. On the Condition tab, select the proper signal for the alert. It can be some of the pre-created signals, such us modification of privileged accounts, or a custom log query using Kusto Query Language. After the selection, specify additional parameters of the condition, such as event level or event initiator. After the configuration of the condition press Next.
Azure Security Monitoring and Alerting of Security Events AlertRule03
  1. On the next page, select Select Action Group Select the necessary group from the drop-down list and press Next.
  2. On the Details tab, provide the necessary details, such as resource group and rule name, then complete the configuration by navigating to Review + Create, then Create.
AlertRule04

Also ReadĀ Real-time Monitoring with Azure AD Auditing: SIEM/ Analytics Tools

Alerting in Microsoft Defender for Cloud

Additionally, if you implemented Microsoft Defender for Cloud, you need to configure alerting there as well.

  1. To configure alerting for Microsoft Defender for Cloud, go to its page in Azure Admin Portal and select Security Alerts on the left side menu. Select any Alert from the appeared list.
MDCAlerting01
  1. Press Take action.
MDCAlerting02
  1. In the list of the available actions, select Configure Settings, under the Configured email notification settings
MDCAlerting03
  1. In the appeared Email Notifications page, specify the recipients and the notification type (based on the alert criticality of the alert), then press Save.
MDCAlerting04

That is a wrap! Thank you for reading Azure Security Monitoring and Alerting of Security Events. Let’s conclude.

Also ReadĀ Azure Security Center Best Practices: How to Secure Azure

Azure Security Monitoring and Alerting of Security Events Conclusion

The configuration of an efficient logging infrastructure and the implementation of effective alerting mechanisms, as outlined in this guide, form the cornerstone of a resilient security posture. By leveraging centralized log management tools, enabling comprehensive resource and activity logs, and configuring helpful alerting systems, a cyber security team swiftly identifies, responds to, and mitigates potential security threats, ensuring a fortified defence of the critical infrastructure.

InfraSOS-AD-Tools

Try InfraSOS for FREE

Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool

  • Free 15-Days Trial
  • SaaS AD Reporting & Auditing Solution

Related posts:

  1. How to Configure Azure AD Activity Logs for Effective Monitoring
  2. Secure Azure Network with Azure Firewall & Security Groups
  3. Automate Security Tasks and Workflows in Your Azure Environment
  4. Analyze Azure AD Security Logs: Audit & Monitor Azure AD Activity
  5. Check Azure AD Audit Logs for User Sign-Ins (Success Failures)
Marat M

Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.
Active Directory Reporting

Leave a comment

Your email address will not be published. Required fields are marked *