
Microsoft Azure


The JSA DSM for Microsoft Azure collects events from Azure Activity logs.

The following table describes the specifications for the Microsoft Azure DSM:

Table 1: Microsoft Azure DSM specifications

  Specification                  Value
  Manufacturer                   Microsoft
  DSM name                       Microsoft Azure
  RPM file name                  DSM-MicrosoftAzure-JSA_version-build_number.noarch.rpm
  Supported versions             N/A
  Protocol                       Syslog
  Event format                   LEEF
  Recorded event types           Authorization, Classic Compute, Classic Storage, Compute, Insights, KeyVault, SQL, Storage
  Automatically discovered?      Yes
  Includes identity?             No
  Includes custom properties?    No
  More information               Microsoft Azure website (https://azure.microsoft.com)

To integrate Azure Activity logs with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • DSMCommon RPM

    • Microsoft Azure DSM RPM

  2. Configure your Microsoft Azure Log Integration service to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Microsoft Azure log source on the JSA console. The following table describes the parameters that require specific values for Microsoft Azure event collection:

    Table 2: Microsoft Azure log source parameters

      Parameter                 Value
      Log Source type           Microsoft Azure
      Protocol Configuration    Syslog
      Log Source Identifier     The IP address or host name of the device that sends Microsoft Azure events to JSA.

The following table provides a sample syslog event message for the Microsoft Azure DSM:

Table 3: Microsoft Azure sample syslog message

  Event name:           Restarts virtual machines.
  Low level category:   Start Activity Attempted
  Sample log message:

    LEEF:1.0|Microsoft|Azure Resource Manager|1.0|MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss cat=Compute src=10.0.0.2 usrName=erica@example.com sev=4 resource=testvm resourceGroup=Test Resource Group description=Restart a Virtual Machine
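As an added example (not part of the JSA documentation), the following Python parser splits the Table 3 LEEF message into its header fields and key=value attributes and interprets devTime using the devTimeFormat the event carries. LEEF separates attributes with tabs by default; handling the space-separated rendering shown above is an assumption based on how the sample is printed here.

```python
import re
from datetime import datetime

# Sample Azure Activity log event rendered as LEEF, copied from Table 3.
# Attributes are space-separated here, as printed in the documentation.
SAMPLE = ("LEEF:1.0|Microsoft|Azure Resource Manager|1.0|"
          "MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|"
          "devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss "
          "cat=Compute src=10.0.0.2 usrName=erica@example.com sev=4 "
          "resource=testvm resourceGroup=Test Resource Group "
          "description=Restart a Virtual Machine")

# LEEF 1.0 header layout: LEEF:Version|Vendor|Product|Version|EventID|attributes
HEADER_FIELDS = ("vendor", "product", "product_version", "event_id")

# Java-style devTimeFormat tokens seen in the sample, mapped to strptime.
# Order matters: "MMM" must be replaced before "mm".
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("MMM", "%b"), ("dd", "%d"),
                     ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]


def java_format_to_strptime(fmt: str) -> str:
    for java, py in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java, py)
    return fmt


def parse_leef(line: str) -> dict:
    """Return header fields plus an 'attrs' dict for one LEEF 1.0 event."""
    head, _, body = line.partition("|")
    if head != "LEEF:1.0":
        raise ValueError("not a LEEF 1.0 event: %r" % head)
    parts = body.split("|", 4)
    if len(parts) != 5:
        raise ValueError("header must be Vendor|Product|Version|EventID|attributes")
    event = dict(zip(HEADER_FIELDS, parts[:4]))
    attrs_text = parts[4]
    if "\t" in attrs_text:
        # Standard LEEF: tab-delimited, so values may freely contain spaces.
        pairs = [p.split("=", 1) for p in attrs_text.split("\t") if "=" in p]
    else:
        # Space-delimited rendering: a value runs until the next "key=" token.
        pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", attrs_text)
    event["attrs"] = dict(pairs)
    return event


def event_time(event: dict) -> datetime:
    """Parse devTime with the devTimeFormat carried in the same event."""
    a = event["attrs"]
    return datetime.strptime(a["devTime"], java_format_to_strptime(a["devTimeFormat"]))
```

The event ID is the Azure resource provider operation name, so checking it against the expected provider (here MICROSOFT.CLASSICCOMPUTE) is a quick way to confirm the log source is mapping the right event category.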

Configuring Microsoft Azure to communicate with JSA

To collect events from Microsoft Azure, you must install the Microsoft Azure Log Integration service on a machine running a 64-bit Windows OS with .NET 4.5.1.

  1. If you have any previous versions of Microsoft Azure Log Integration service installed, you must uninstall the previous version. Uninstalling removes all registered sources. Complete the following steps to uninstall the Microsoft Azure Log Integration service.
    • Open a Windows command-line interface as an administrator, and then type the following commands in the order that they are listed.

      • cd C:\Program Files\Microsoft Azure Log Integration\

      • azlog removeazureid

    • From the Control Panel, click Add/Remove Programs > Microsoft Azure Log Integration > Uninstall.

  2. Obtain and install the Microsoft Azure Log Integration service (AzureLogIntegration.msi) from the Microsoft website (https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/).
  3. Open a Windows command-line interface as an administrator.
  4. To configure the Microsoft Azure Log Integration service, change to the installation directory by running the command cd C:\Program Files\Microsoft Azure Log Integration\, and then complete the following steps.
    1. Run the Azure PowerShell by typing the following command: azlog.exe powershell

    2. At the PowerShell prompt, type the following command: Add-AzLogEventDestination -Name <JSA_Console_name> -SyslogServer <IP_address> -SyslogFormat LEEF

      If the JSA syslog listener is not on the default port (514), specify the port with -SyslogPort. For example:

      Add-AzLogEventDestination -Name <JSA_Console_name> -SyslogServer <IP_address> -SyslogPort <port_number> -SyslogFormat LEEF

    3. Run the command: .\azlog.exe createazureid, and then type your Azure login credentials in the prompt.

    4. To assign reader access on the subscription, type the following command: .\azlog authorize <Subscription_ID>