Azure Security Monitoring and Alerting of Security Events
Securing an Azure environment demands proactive measures as well as an effective system for monitoring and responding to security events in real time. Monitoring Azure resources lets you detect, analyse and act upon potential threats. This guide lays out the essential steps to configure a comprehensive security monitoring infrastructure within Azure, ensuring the seamless collection, analysis and management of critical security logs.
Prepare the Centralized Logging Infrastructure
The first step is the implementation of a centralized logging system. This can be Azure Sentinel, Azure Monitor or a third-party tool such as IBM QRadar or SolarWinds Security Event Manager.
The selected aggregation tool should have the features required to perform the security monitoring effectively.
Requirements for Centralized Security Log Management Tool
- Compatibility with Azure resources. Usually, integration with a third-party tool is configured through Azure Event Hubs, which stream the data to the external destination.
- Search and Query Capabilities. The tool must offer advanced search and query functionalities, enabling security analysts to perform detailed investigations, filter logs based on specific criteria, and identify security events effectively.
- Normalization and Correlation. When you deploy a log management tool, you expect it to collect data from a wide variety of sources: Microsoft Entra ID, VMs, storage accounts, databases, etc. Log normalization and correlation capabilities are crucial to make sense of data from different sources, aggregating and correlating logs to detect patterns or anomalies indicative of security threats.
- Alerting and Notifications. The tool must support customizable alerting and notification features, enabling security teams to set up alerts for specific events or thresholds and act upon security incidents promptly.
- Retention and Storage. The tool must support efficient log storage and retention policies, ensuring logs are retained for the required duration while managing storage costs. For example, Azure Monitor can keep log entries in the Log Analytics workspace for up to 12 years.
In addition to the listed features, other factors such as performance, scalability, reliability and price come into consideration. If you have a new (greenfield) infrastructure that is mostly located in Azure, the easiest solution is Azure Monitor. If you already have an infrastructure that you want to extend to the cloud, consider integrating the existing tool with the Azure resources.
What is next with Azure Security Monitoring and Alerting of Security Events?
Enable Logging for the Resources
After configuring the logging system, the next step is routing the platform logs. They record events related to the different Azure resources; more details are in Overview of Azure platform logs.
Resource logs provide information about operations within a resource. The content of the logs depends on the resource type. This type of log is very useful for security monitoring as it records access to the data. Resource logs aren’t collected by default; to collect them you need to route them to the log consolidation tool.
- To enable resource logging, navigate to the page of the resource in the Azure Admin Portal. Then, on the left side of the page, select Diagnostic Settings under the Monitoring section.
- In the window, press Add Diagnostic Setting.
- The Diagnostic Setting page opens. Specify the diagnostic setting name, the log categories and metrics to send, and the destinations. If you are using Azure Monitor, the destination should be the Log Analytics workspace, while an event hub is the most likely option for third-party tools. After that, press Save to submit.
Activity logs collect information about operations performed on a resource from the outside, for example changes made by an administrator. These logs are enabled by default; however, sending them to the target destination, such as a Log Analytics workspace, requires extra configuration.
- To send activity logs to the log management system, go to the Monitor page in the Azure Admin Portal. On the left side menu, select Activity Log, and then select Export Activity Log.
- Next, press the Add Diagnostic Setting button.
- A new page appears; use it to select the log types to send, specify the name of the diagnostic setting and choose the destination. Finally, press Save.
Microsoft Entra logs
Microsoft Entra logs include records related to the Azure identity provider: sign-in events, audit logs of access level changes, registration of applications, etc. The logs are enabled by default and available in the Microsoft Entra admin center; only routing the logs to the centralized logging system is required.
- To enable Microsoft Entra log forwarding, open the Microsoft Entra Admin Center, then go to Identity > Monitoring and health > Diagnostic settings.
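The same three routings described above (resource logs, the subscription activity log and Microsoft Entra logs) can be scripted, which is how you keep them consistent across many resources. The following is an added example written for this page with the Az PowerShell module; it is not code from the InfraSOS article. It assumes the Az.Monitor 4.x-or-later cmdlet syntax, a Key Vault as the sample resource, and placeholder subscription, resource group, vault and workspace names. The `/providers/microsoft.aadiam` path used for the Entra logs is the tenant-level pseudo-resource that the Azure CLI and REST API accept for Entra diagnostic settings; it is assumed here to work with the same cmdlet.

```powershell
# Added example (not from the original article): route resource logs, the
# subscription activity log and Microsoft Entra logs to one Log Analytics
# workspace with the Az PowerShell module (Az.Monitor 4.x or newer syntax).
# All subscription, resource group, vault and workspace names are placeholders.
Connect-AzAccount | Out-Null

$workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-security'

# 1. Resource logs: one diagnostic setting per resource. A Key Vault is the
#    sample resource; the 'allLogs' category group covers every log category
#    the resource type exposes, including data-plane access records.
$keyVaultId = (Get-AzKeyVault -VaultName 'kv-placeholder' -ResourceGroupName 'rg-app').ResourceId
$logs    = New-AzDiagnosticSettingLogSettingsObject -CategoryGroup 'allLogs' -Enabled $true
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Category 'AllMetrics' -Enabled $true
New-AzDiagnosticSetting -Name 'to-law-security' -ResourceId $keyVaultId `
    -WorkspaceId $workspaceId -Log $logs -Metric $metrics

# 2. Activity log: a subscription-level diagnostic setting. 'Administrative'
#    and 'Security' are the categories that matter most for security
#    monitoring; 'Policy' records Azure Policy compliance evaluations.
$activityCategories = 'Administrative', 'Security', 'Policy', 'Alert'
$activityLogs = $activityCategories | ForEach-Object {
    New-AzSubscriptionDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true
}
New-AzSubscriptionDiagnosticSetting -Name 'activity-to-law-security' `
    -WorkspaceId $workspaceId -Log $activityLogs

# 3. Microsoft Entra logs: the tenant-wide pseudo-resource '/providers/microsoft.aadiam'
#    is the path the CLI and REST API use for Entra diagnostic settings; it is
#    assumed here to be accepted by the cmdlet as well. Requires an Entra role
#    such as Security Administrator in addition to Azure rights on the workspace.
$entraCategories = 'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs', 'ServicePrincipalSignInLogs'
$entraLogs = $entraCategories | ForEach-Object {
    New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true
}
New-AzDiagnosticSetting -Name 'entra-to-law-security' -ResourceId '/providers/microsoft.aadiam' `
    -WorkspaceId $workspaceId -Log $entraLogs

# Verification: list what is now configured for the Key Vault.
Get-AzDiagnosticSetting -ResourceId $keyVaultId | Select-Object Name, WorkspaceId
```

A practical check after running this is to query the workspace a few minutes later for rows in the AzureDiagnostics (or resource-specific), AzureActivity and SigninLogs tables; a diagnostic setting that saves without errors but points at the wrong workspace is a common cause of silent gaps in monitoring.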
If virtual machines are used in your Azure infrastructure, make sure to configure logging at the operating system level. Azure Monitor supports logging on machines running both Windows and Linux operating systems.
- To configure operating system log collection, go to the Azure Monitor page in the Azure Admin Portal, then, on the navigation menu, select Data Collection Rules.
- Press Create.
- The Create Data Collection Rule wizard shows up. Specify the rule name, resource group, region and platform. Optionally, select a data collection endpoint if you want to collect some specific data, such as IIS logs (more details are found in Data collection endpoints in Azure Monitor). Press Next.
- On the next page select Add resources, and select the virtual machines you want to monitor. Press Next to continue the deployment. The Azure Monitor Agent is automatically installed on the selected virtual machines if they are running a supported version of Windows Server or Linux. If you want to monitor a VM that runs a client version of Windows, follow the instructions in Azure Monitor agent on Windows client devices.
- On the Collect and Deliver page, select Add data source. A new window with two tabs appears. On the first tab, called Data Source, select the logs that you want to collect. The available log types depend on the operating system and on the data collection endpoint selected earlier in the wizard. For security monitoring, select Windows Event Logs for Windows machines and Linux Syslog for Linux machines. You may need to specify additional information, such as the minimum log level.
- On the second tab, press Add Destination. Select Azure Monitor Logs as the destination type and select the required Log Analytics workspace in the Account or namespace drop-down, then press Add data source.
- Go to the Review + Create tab and press Create to complete the deployment.
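The wizard above produces a Data Collection Rule (DCR) resource, installs the Azure Monitor Agent extension and creates an association between the two. The following added example, written for this page and not taken from the InfraSOS article, does the same three steps in PowerShell. It talks to the Microsoft.Insights REST API through Invoke-AzRestMethod (api-version 2022-06-01) so that it does not depend on a particular Az.Monitor release; the subscription, resource group, VM and workspace names are placeholders, and the Windows agent is shown (Linux VMs use the AzureMonitorLinuxAgent extension instead).

```powershell
# Added example (not from the original article): create a Data Collection Rule
# that collects Windows Security events and Linux auth syslog into a Log
# Analytics workspace, install the Azure Monitor Agent on a VM and associate
# the rule with that VM. Subscription, resource group, VM and workspace
# names are placeholders.
$sub  = '00000000-0000-0000-0000-000000000000'
$rg   = 'rg-security'
$loc  = 'westeurope'
$workspaceId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/law-security"
$vmId = "/subscriptions/$sub/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-01"
$dcrName = 'dcr-security-events'

# XPath filters keep ingestion volume (and cost) down: only logon success and
# failure plus account/group changes from the Security log, and only the auth
# facilities from syslog. Everything lands in the Event and Syslog tables.
$dcr = @{
    location   = $loc
    properties = @{
        dataSources = @{
            windowsEventLogs = @(@{
                name         = 'winSecurity'
                streams      = @('Microsoft-Event')
                xPathQueries = @('Security!*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4732)]]')
            })
            syslog = @(@{
                name          = 'linuxAuth'
                streams       = @('Microsoft-Syslog')
                facilityNames = @('auth', 'authpriv')
                logLevels     = @('Notice', 'Warning', 'Error', 'Critical', 'Alert', 'Emergency')
            })
        }
        destinations = @{
            logAnalytics = @(@{ name = 'lawDest'; workspaceResourceId = $workspaceId })
        }
        dataFlows = @(@{
            streams      = @('Microsoft-Event', 'Microsoft-Syslog')
            destinations = @('lawDest')
        })
    }
}
$dcrPath = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Insights/dataCollectionRules/$dcrName"
$resp = Invoke-AzRestMethod -Method PUT -Path "${dcrPath}?api-version=2022-06-01" `
    -Payload ($dcr | ConvertTo-Json -Depth 10)
if ($resp.StatusCode -notin 200, 201) { throw "DCR creation failed: $($resp.Content)" }

# Install the Azure Monitor Agent extension (the portal wizard does this for
# you). Automatic upgrade keeps the agent patched without a redeploy.
Set-AzVMExtension -ResourceGroupName 'rg-app' -VMName 'vm-web-01' -Location $loc `
    -Name 'AzureMonitorWindowsAgent' -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType 'AzureMonitorWindowsAgent' -TypeHandlerVersion '1.0' `
    -EnableAutomaticUpgrade $true | Out-Null

# Associate the rule with the VM; the agent picks up the DCR and starts
# collecting the configured logs.
$assoc = @{ properties = @{ dataCollectionRuleId = $dcrPath } }
Invoke-AzRestMethod -Method PUT `
    -Path "$vmId/providers/Microsoft.Insights/dataCollectionRuleAssociations/${dcrName}-assoc?api-version=2022-06-01" `
    -Payload ($assoc | ConvertTo-Json -Depth 5) | Select-Object StatusCode
```

The XPath list is the knob to tune: collecting the whole Security log from every server is the most expensive option, while collecting too little leaves detections blind, so start from the event IDs your alert rules actually use and widen from there.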
The installed Azure Monitor Agent isn’t used only by Azure Monitor. It is also used by Microsoft Defender for Cloud (in particular by its Defender for Servers component), if it is deployed. Using Defender for Cloud is highly recommended from both a protection and a monitoring perspective, but it requires additional budget. More details on the pricing are here.
Set Up Alerts to Stay Informed
After you have configured log collection, the next step is to configure proper notifications to the responsible personnel. In Azure, alert rules are used for this purpose. An alert rule is a configuration entity that brings together the monitoring data from the resource, a condition and an action group.
Before creating the alert rule, let’s create an action group first.
- To create an action group, go to the Azure Monitor page in the Azure Admin Portal, then, on the navigation menu, select Alerts. Go to Create > Action Group.
- The Create action group wizard appears. On the first tab, specify the basic information: resource group name, region, group name (must be unique within the resource group) and display name (the name that is shown in the notification messages). Provide the necessary information and press Next.
- On the Notifications tab, specify the necessary notifications: via email (to a specific role or to a selected address), SMS, push notification or voice call. Then finalize the creation by clicking Review + Create, then Create.
During action group creation, you can optionally configure actions, not only notifications. Azure supports different types of actions: running an Azure Automation runbook, starting an Azure Function, sending a webhook, creating a ticket in an IT service management tool (such as ServiceNow), etc.
Creation of the Alert Rule
After the creation of the action group, create an alert rule.
- Back on the Alerts page, go to Create > Alert Rule.
- The Create an alert rule wizard appears. On the first page, press Select Scope and select the resources you are creating the alert for. Press Next.
- On the Condition tab, select the proper signal for the alert. It can be one of the pre-created signals, such as modification of privileged accounts, or a custom log query written in Kusto Query Language. After the selection, specify additional parameters of the condition, such as event level or event initiator. After configuring the condition, press Next.
- On the next page, press Select action group, select the necessary group from the drop-down list and press Next.
- On the Details tab, provide the necessary details, such as the resource group and rule name, then complete the configuration by navigating to Review + Create, then Create.
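The action group and alert rule procedures above map onto two Az PowerShell cmdlets, and a custom Kusto condition is where the security value lives. The following added example, written for this page rather than taken from the InfraSOS article, creates an action group that e-mails a SOC mailbox and a log search alert rule whose condition correlates Entra sign-in failures with Windows failed logons. It assumes the Az.Monitor 5.x cmdlet syntax, that Entra sign-in logs are in the SigninLogs table and Windows Security events in the Event table of the workspace, and placeholder names, IDs and addresses throughout.

```powershell
# Added example (not from the original article): create an action group that
# e-mails the SOC mailbox, then a log search alert rule whose condition is a
# custom Kusto query over Entra sign-in and Windows Security events.
# Az.Monitor 5.x cmdlet syntax is assumed; names, IDs and addresses are placeholders.
$rg  = 'rg-security'
$loc = 'westeurope'
$workspaceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/law-security"

# Action group: an e-mail receiver. Action groups are global resources.
$email = New-AzActionGroupEmailReceiverObject -Name 'soc-mailbox' -EmailAddress 'soc@example.com'
$ag = New-AzActionGroup -Name 'ag-soc' -ResourceGroupName $rg -Location 'Global' `
    -GroupShortName 'soc' -EmailReceiver $email

# Kusto condition: one account failing to sign in ten or more times in the
# evaluation window, counted across Entra (ResultType 50126 = invalid
# credentials) and Windows (EventID 4625 = failed logon). The Windows user
# name is extracted from the event's XML payload in the Event table.
$query = @'
let entra = SigninLogs
    | where ResultType == "50126"
    | project TimeGenerated, Account = tolower(UserPrincipalName), Source = "Entra";
let windows = Event
    | where EventLog == "Security" and EventID == 4625
    | extend User = extract(@'<Data Name="TargetUserName">([^<]+)</Data>', 1, EventData)
    | project TimeGenerated, Account = tolower(User), Source = Computer;
union entra, windows
| summarize Failures = count(), Sources = make_set(Source) by Account
| where Failures >= 10
'@

# Fire when the query returns at least one row (row count > 0).
$criterion = New-AzScheduledQueryRuleCriterionObject -Query $query `
    -TimeAggregation 'Count' -Operator 'GreaterThan' -Threshold 0 `
    -FailingPeriodNumberOfEvaluationPeriod 1 -FailingPeriodMinFailingPeriodsToAlert 1

New-AzScheduledQueryRule -Name 'alert-repeated-failed-logons' -ResourceGroupName $rg -Location $loc `
    -DisplayName 'Repeated failed logons for one account' `
    -Description 'Ten or more failed sign-ins for a single account within 15 minutes' `
    -Scope $workspaceId -Severity 2 `
    -WindowSize ([TimeSpan]::FromMinutes(15)) -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $criterion -ActionGroupResourceId $ag.Id
```

Because the rule evaluates every 5 minutes over a 15-minute window, a burst of failures is reported up to three times; raising the threshold or adding a suppression period is the usual way to balance noise against missed activity, and the query itself can be run in the Logs blade first to confirm it returns the accounts you expect before the rule is armed.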
Alerting in Microsoft Defender for Cloud
Additionally, if you have implemented Microsoft Defender for Cloud, you need to configure alerting there as well.
- To configure alerting for Microsoft Defender for Cloud, go to its page in the Azure Admin Portal and select Security Alerts on the left side menu. Select any alert from the list that appears.
- Press Take action.
- In the list of available actions, select Configure Settings under Configure email notification settings.
- On the Email notifications page that appears, specify the recipients and the notification type (based on the alert severity), then press Save.
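The Email notifications page described above writes a security contact resource for the subscription. The following added example, written for this page and not part of the InfraSOS article, sets the same recipients and severity threshold through the Microsoft.Security/securityContacts REST API (api-version 2020-01-01-preview) via Invoke-AzRestMethod, then reads the setting back to verify it. The subscription ID and e-mail addresses are placeholders.

```powershell
# Added example (not from the original article): configure Defender for Cloud
# e-mail notifications for a subscription through the securityContacts REST
# API, which is what the portal's Email notifications page writes.
# Subscription ID and addresses are placeholders.
$sub = '00000000-0000-0000-0000-000000000000'
$path = "/subscriptions/$sub/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview"

$contact = @{
    properties = @{
        # Semicolon-separated list of explicit recipients.
        emails              = 'soc@example.com;ciso@example.com'
        # Send alerts of Medium severity and above (values: Low, Medium, High).
        alertNotifications  = @{ state = 'On'; minimalSeverity = 'Medium' }
        # Also notify the holders of these subscription roles.
        notificationsByRole = @{ state = 'On'; roles = @('Owner', 'ServiceAdmin') }
    }
}

$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($contact | ConvertTo-Json -Depth 5)
if ($resp.StatusCode -notin 200, 201) { throw "Security contact update failed: $($resp.Content)" }

# Read the setting back and show the effective configuration.
(Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json |
    Select-Object -ExpandProperty properties
```

Running this once per subscription from a deployment pipeline avoids the common situation where Defender for Cloud is enabled but nobody receives its alerts because the contact was never set on a newly created subscription.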
That is a wrap! Thank you for reading Azure Security Monitoring and Alerting of Security Events. Let’s conclude.
Azure Security Monitoring and Alerting of Security Events Conclusion
The configuration of an efficient logging infrastructure and the implementation of effective alerting mechanisms, as outlined in this guide, form the cornerstone of a resilient security posture. By leveraging centralized log management tools, enabling comprehensive resource and activity logs, and configuring helpful alerting systems, a cyber security team can swiftly identify, respond to and mitigate potential security threats, ensuring a fortified defence of the critical infrastructure.