
Azure

Overview

Why is it important for Threat Hunting?

Azure logs provide unique and crucial visibility into the activities and resources in an organization's Azure environment.

Because cloud environments differ substantially from on-premises ones, many classic security products and auditing and logging mechanisms do not exist in the cloud in the form they used to. This makes Azure's own logging mechanisms all the more important for defending an organization's Azure environment.

Supported APIs and data types

  • Azure Activity Log: records the control-plane (management) operations in your subscriptions, i.e. WRITE API calls such as creating, updating and deleting resources. Passive READ operations (such as listing users or VMs) are currently not logged in the Azure Activity Log, whether initiated by a user or by the system. This data type is required for all detections in the Azure control plane.
  • Azure Sign-in Log: provides information about the usage of managed applications and user sign-in activities.
  • Azure Audit Log: provides system activity information about user and group management, managed applications, and directory activities.
  • Azure NSG Flow Log: records the IP flows that network security group rules allowed or denied, the closest cloud equivalent of firewall logs, and enables detections at the network level in your Azure environment.

Sending data to Hunters

Prerequisites

To ingest your Azure data into the Hunters platform, first follow the Azure account setup guide to configure your Azure account properly.

Creating a Dataflow

Refer to Microsoft's documentation for the record schema of each log type. The table below lists the file format in which Hunters ingests each data type (NDJSON: newline-delimited JSON, one record per line):

Data Type              File Format
Azure Activity Log     NDJSON
Azure Sign-in Log      NDJSON
Azure Audit Log        NDJSON
Azure NSG Flow Log     NDJSON
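The NDJSON files behind the data types listed above are plain text, one JSON object per line, so it is worth knowing what a record looks like before the data is ingested. The following is an added example, not part of the Hunters documentation: it parses constructed Activity Log and NSG flow log records that follow Microsoft's documented schemas (only the fields used here are included, and subscription ids, addresses and MACs are placeholders), verifies that the Activity Log export contains only write-type operations as the description above says it should, and decodes the NSG flow tuples (version 1 and version 2 layouts) to pull out denied inbound flows.

```python
"""Parse Azure Activity Log and NSG flow log records in the NDJSON form that
diagnostic settings write to a storage account, and run two checks over them.

Added example, not part of the Hunters documentation. The sample records are
constructed for this example; they follow the documented schemas but carry only
the fields used here, with placeholder identifiers."""
import json
from typing import Dict, List

# Constructed sample: three Activity Log records. The blank line is deliberate
# and shows that empty lines are skipped.
ACTIVITY_LOG_NDJSON = """\
{"time":"2023-05-01T10:00:00.000Z","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/1111","operationName":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","category":"Administrative","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claims":{"name":"alice@example.com"}}}
{"time":"2023-05-01T10:05:00.000Z","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE","category":"Administrative","resultType":"Start","callerIpAddress":"198.51.100.7","identity":{"claims":{"name":"bob@example.com"}}}

{"time":"2023-05-01T10:06:00.000Z","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.SECURITY/LOCATIONS/CENTRALUS/ALERTS/2222","operationName":"MICROSOFT.SECURITY/LOCATIONS/ALERTS/ACTIVATE/ACTION","category":"Security","resultType":"Succeeded","callerIpAddress":"","identity":{}}
"""
# Constructed sample: one NSG flow log record (version 2 tuples) with a denied
# inbound SSH attempt and an allowed outbound HTTPS flow.
NSG_FLOW_LOG_NDJSON = """\
{"time":"2023-05-01T10:00:00.000Z","systemId":"3333","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":2,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF87856","flowTuples":["1682935200,192.0.2.55,10.0.0.4,51234,22,T,I,D,B,,,,"]}]},{"rule":"DefaultRule_AllowInternetOutBound","flows":[{"mac":"000D3AF87856","flowTuples":["1682935205,10.0.0.4,93.184.216.34,44931,443,T,O,A,B,10,1200,8,6000"]}]}]}}
"""


def parse_ndjson(text: str) -> List[Dict]:
    """One JSON object per non-empty line; a bad line fails with its line number."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not a JSON object ({exc})") from exc
    return records


# Control-plane operation names end in one of these; reads ("/READ") are not logged.
WRITE_SUFFIXES = ("/WRITE", "/DELETE", "/ACTION")


def non_write_operations(records: List[Dict]) -> List[str]:
    """Operations that do not look like writes. Expected empty for an Activity
    Log export; anything listed here deserves a look at the export source."""
    return [r["operationName"] for r in records
            if not r["operationName"].upper().endswith(WRITE_SUFFIXES)]


def summarize_activity(records: List[Dict]) -> List[Dict]:
    """Flatten each record to the fields a hunter pivots on. The caller comes from
    identity.claims; system-initiated events carry no claims and no caller IP."""
    rows = []
    for r in records:
        op = r["operationName"].upper()
        kind = next((s.strip("/").lower() for s in WRITE_SUFFIXES if op.endswith(s)), "other")
        claims = r.get("identity", {}).get("claims", {})
        rows.append({"time": r["time"], "operation": op, "kind": kind,
                     "result": r.get("resultType", ""),
                     "caller": claims.get("name", "<system>"),
                     "callerIp": r.get("callerIpAddress") or None,
                     "resource": r["resourceId"]})
    return rows


# Flow tuple layout: version 1 has the first eight fields; version 2 adds the
# flow state (B=begin, C=continuing, E=end) and packet/byte counters per direction.
V1_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision")
V2_EXTRA = ("state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")


def parse_flow_tuple(tuple_str: str, version: int) -> Dict:
    names = V1_FIELDS + (V2_EXTRA if version >= 2 else ())
    parts = tuple_str.split(",")
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} fields for version {version}, "
                         f"got {len(parts)}: {tuple_str}")
    flow = dict(zip(names, parts))
    flow["ts"] = int(flow["ts"])
    for k in ("src_port", "dst_port"):
        flow[k] = int(flow[k])
    for k in V2_EXTRA[1:]:          # counters are empty on a 'B' (begin) tuple
        if k in flow:
            flow[k] = int(flow[k]) if flow[k] else 0
    return flow


def flatten_flows(records: List[Dict]) -> List[Dict]:
    """Expand record -> rule -> NIC -> tuple into one row per flow."""
    rows = []
    for rec in records:
        props = rec["properties"]
        version = int(props.get("Version", 1))
        for rule in props["flows"]:
            for nic in rule["flows"]:
                for t in nic["flowTuples"]:
                    flow = parse_flow_tuple(t, version)
                    flow.update(nsg=rec["resourceId"], rule=rule["rule"], mac=nic["mac"])
                    rows.append(flow)
    return rows


def denied_inbound(flows: List[Dict]) -> List[Dict]:
    """Inbound flows an NSG rule denied: the cheapest signal of scanning against a NIC."""
    return [f for f in flows if f["direction"] == "I" and f["decision"] == "D"]


if __name__ == "__main__":
    activity = parse_ndjson(ACTIVITY_LOG_NDJSON)
    print("non-write operations:", non_write_operations(activity))
    for row in summarize_activity(activity):
        print(row["time"], row["kind"], row["caller"], row["callerIp"], row["operation"])
    for f in denied_inbound(flatten_flows(parse_ndjson(NSG_FLOW_LOG_NDJSON))):
        print("denied inbound", f["src_ip"], "->", f["dst_ip"], f["dst_port"], "rule", f["rule"])
```

Two points the code makes explicit: the caller identity of an Activity Log record lives under identity.claims and is absent for system-initiated events, so a detection keyed on "caller" needs a fallback; and a version 2 NSG flow tuple's counters are empty on the begin ('B') record and only populated on later records for the same flow, so byte-volume logic must tolerate empty fields rather than fail on them.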

FAQ

How do I configure Azure's Activity logs?

  1. In the Azure portal home screen, enter Activity Log and choose Diagnostic Settings.
  2. Click Add Diagnostic Settings.
  3. Check all log category boxes and choose Archive to a storage account.
  4. Select the Storage Account that will be shared with Hunters.ai and click Save.

    Azure Activity Logs

How do I configure Azure AD's logs?

  1. In the Azure portal home screen, enter Azure Active Directory and choose Diagnostic Settings.
  2. Click Add Diagnostic Settings.
  3. Check AuditLogs and SigninLogs and choose Archive to a storage account.
  4. Select the Storage Account that will be shared with Hunters.ai and click Save.
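Both FAQ procedures above (Activity Log diagnostic settings, and Azure AD AuditLogs and SignInLogs) are portal click-throughs; in a tenant with more than a handful of subscriptions they are usually scripted and then verified. The following is an added example, not Hunters' or Microsoft's code. It does not call Azure itself: it builds the ARM URL and request body that the portal steps send, wraps them in an `az rest` command line so the call runs under the operator's own `az login`, and checks a setting document (as returned by a GET on the same URL) for the conditions the FAQ requires: archived to the expected storage account, with every required category enabled. The subscription id, storage account id and setting names are placeholders, and the api-version values are the ones documented when this example was written; confirm them against Microsoft's REST reference before use.

```python
"""Build the two diagnostic settings the FAQ configures by hand and check an
existing setting against those requirements.

Added example, not Hunters' or Microsoft's code. Nothing here calls Azure. The
subscription id, storage account id and setting names are placeholders; the
api-version values are the ones documented when this was written and should be
checked against Microsoft's REST reference."""
import json
import shlex
from typing import Dict, List, Sequence

ARM = "https://management.azure.com"
# Placeholder resource id of the storage account shared with Hunters.ai.
EXAMPLE_STORAGE_ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                              "logs-rg/providers/Microsoft.Storage/storageAccounts/hunterslogs")
# Activity Log categories shown in the portal; "check all log type boxes" means all of these.
ACTIVITY_LOG_CATEGORIES = ("Administrative", "Security", "ServiceHealth", "Alert",
                           "Recommendation", "Policy", "Autoscale", "ResourceHealth")
# Azure AD categories the FAQ asks for, spelled as the API names them.
AAD_CATEGORIES = ("AuditLogs", "SignInLogs")


def activity_log_url(subscription_id: str, name: str) -> str:
    """Subscription-level diagnostic setting, which is where the Activity Log lives."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Insights/"
            f"diagnosticSettings/{name}?api-version=2021-05-01-preview")


def aad_url(name: str) -> str:
    """Azure AD diagnostic settings are tenant-level: they sit under the
    microsoft.aadiam provider, not under any subscription."""
    return f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview"


def build_setting(storage_account_id: str, categories: Sequence[str]) -> Dict:
    """Request body that archives every listed category to the storage account."""
    return {"properties": {
        "storageAccountId": storage_account_id,
        "logs": [{"category": c, "enabled": True,
                  "retentionPolicy": {"enabled": False, "days": 0}} for c in categories],
    }}


def az_rest_put(url: str, body: Dict) -> List[str]:
    """argv for `az rest`, so the PUT runs under the operator's own az login."""
    return ["az", "rest", "--method", "put", "--url", url, "--body", json.dumps(body)]


def missing_categories(setting: Dict, required: Sequence[str]) -> List[str]:
    """Required categories that are absent or disabled in a setting document."""
    enabled = {log["category"] for log in setting.get("properties", {}).get("logs", [])
               if log.get("enabled")}
    return [c for c in required if c not in enabled]


def check_setting(setting: Dict, required: Sequence[str], storage_account_id: str) -> List[str]:
    """Problems with an existing setting; empty when it matches the FAQ. ARM
    resource ids are compared case-insensitively because Azure returns them with
    varying case."""
    problems = []
    target = setting.get("properties", {}).get("storageAccountId")
    if not target:
        problems.append("destination is not a storage account")
    elif target.lower() != storage_account_id.lower():
        problems.append(f"archives to a different storage account: {target}")
    problems.extend(f"category not enabled: {c}" for c in missing_categories(setting, required))
    return problems


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"
    for url, cats in ((activity_log_url(sub, "hunters-activity"), ACTIVITY_LOG_CATEGORIES),
                      (aad_url("hunters-aad"), AAD_CATEGORIES)):
        print(shlex.join(az_rest_put(url, build_setting(EXAMPLE_STORAGE_ACCOUNT_ID, cats))))
```

The check is the part worth keeping around: run a GET on the same URL after the portal or scripted change and feed the JSON to check_setting(). A setting that was pointed at a Log Analytics workspace instead of a storage account, or that was saved with only Administrative ticked, fails the check rather than silently leaving Hunters with a partial feed.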

    Azure Active Directory Logs