Microsoft Azure

 

The JSA DSM for Microsoft Azure collects events from a Microsoft Azure Log Integration service or Microsoft Azure Event Hubs.

To integrate Microsoft Azure with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console

    • DSMCommon RPM

    • Microsoft Azure DSM RPM

  2. Optional: Configure your Microsoft Azure Log Integration service to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Microsoft Azure log source on the JSA console. The following table describes the parameters that require specific values for Microsoft Azure event collection:

    Table 1: Microsoft Azure log source parameters

    Parameter               Value
    Log Source type         Microsoft Azure
    Protocol Configuration  Syslog
    Log Source Identifier   The IP address or host name of the device that sends Microsoft Azure events to JSA.

  4. Optional: Configure the Microsoft Azure Event Hubs Protocol.

    1. Download and install the most recent version of the following RPMs on your JSA Console.

      • DSMCommon RPM

      • Microsoft Azure Event Hubs Protocol RPM

      Note

      JSA 2014.8 Patch 7 and later is required for Microsoft Azure Event Hubs Protocol RPM.

    2. JSA does not automatically detect the Microsoft Azure Event Hubs Protocol. For more information about configuring the protocol, go to Configuring JSA to collect events from Microsoft Azure Event Hubs by using the Microsoft Azure Event Hubs protocol.

Configuring Microsoft Azure Log Integration service to communicate with JSA

To collect events from Microsoft Azure, you must install Microsoft Azure Log Integration service on a machine, either on-premises or in the Cloud, running 64-bit Windows OS with .Net 4.5.1.

  1. If you have any previous versions of Microsoft Azure Log Integration service installed, you must uninstall the previous version. Uninstalling removes all registered sources. Complete the following steps to uninstall the Microsoft Azure Log Integration service.
    • Open a Windows command-line interface as an administrator, and then type the following commands in the order that they are listed.

      • cd C:\Program Files\Microsoft Azure Log Integration\

      • azlog removeazureid

    • From the Control Panel, click Add/Remove Program > Microsoft Azure Log Integration > Uninstall.

  2. Obtain and install the Microsoft Azure Log Integration service (AzureLogIntegration.msi) from the Microsoft website (https://azure.microsoft.com/en-us/documentation/articles/security-azure-log-integration-get-started/).
  3. Open a Windows command-line interface as an administrator.
  4. To configure the Microsoft Azure Log Integration service, go to the following directory by running the following command: cd C:\Program Files\Microsoft Azure Log Integration\, and then complete the following steps.
    1. Run the Azure PowerShell by typing the following command: azlog.exe powershell

    2. From the PowerShell, type the following command: Add-AzLogEventDestination -Name <JSA_Console_name> -SyslogServer <IP_address> -SyslogFormat LEEF

      If JSA’s syslog listener is not on the default port, you can specify the SyslogPort. The default is 514. For example,

      Add-AzLogEventDestination -Name <JSA_Console_name> -SyslogServer <IP_address> -SyslogPort <port_number> -SyslogFormat LEEF

    3. Run the command: .\azlog.exe createazureid, and then type your Azure login credentials in the prompt.

    4. To assign reader access on the subscription, type the following command: .\azlog authorize <Subscription_ID>

Configuring Microsoft Azure Event Hubs to Communicate with JSA

The Microsoft Azure Event Hubs protocol collects Azure Activity logs, Diagnostic logs, and Syslog events from the Microsoft Azure Event Hubs cloud storage.

To collect events from Microsoft Azure Event Hubs, you need to create a Microsoft Azure Storage Account and an Event Hub entity under the Azure Event Hub Namespace. For every Namespace, port 5671 and port 5672 must be open. For every Storage Account, port 443 must be open. The Namespace host name is usually [Namespace Name].windows.net and the Storage Account host name is usually [Storage_Account_Name].blob.core.windows.net. The Event Hub must have at least one Shared Access Signature that is created with Listen Policy and at least one Consumer Group.

Note

The Microsoft Azure Event Hubs protocol can't connect by using a proxy server.

  1. Obtain a Microsoft Azure Storage Account Connection String.

    The Storage Account Connection String contains authentication for the Storage Account Name and the Storage Account Key that is used to access the data in the Azure Storage account.

    1. Log in to the Azure portal (https://portal.azure.com).

    2. From the dashboard, in the All resources section, select a Storage account.

    3. From the Storage account menu, select Access keys.

    4. Record the value for the Storage account name. Use this value for the Storage Account Name parameter value when you configure a log source in JSA.

    5. From the Default keys section, record the following values.

      1. KEY - Use this value for the Storage Account Key parameter value when you configure a log source in JSA.

      2. CONNECTION STRING - Use this value for the Storage Account Connection String parameter value when you configure a log source in JSA.

        Note

        You can use the Storage Account Name and Storage Account Key values or you can use the Storage Account Connection String value to connect to the Storage Account.

  2. Obtain a Microsoft Azure Event Hub Connection String.

    The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace and the Shared Access Signature (SAS) authentication information.

    1. Log in to the Azure portal (https://portal.azure.com).

    2. From the dashboard, in the All resources section, select an Event Hub. Record this value to use as the Namespace Name parameter value when you configure a log source in JSA.

    3. In the Entities section, select Event Hubs. Record this value to use for the Event Hub Name parameter value when you configure a log source in JSA.

    4. In the Event Hub section, select an Event Hub from the list.

    5. In the Settings section, select Shared access policies.

      1. Select a POLICY whose CLAIMS include Listen. Record this value to use for the SAS Key Name parameter value when you configure a log source in JSA.

      2. Record the values for the following parameters:

        • Primary key or Secondary key - Use the value for the SAS Key parameter value when you configure a log source in JSA.

        • Connection string-primary key or Connection string-secondary key - Use this value for the Event Hub Connection String parameter value when you configure a log source in JSA.

        Note

        You can use the Namespace Name, Event Hub Name, SAS Key Name and SAS Key values, or you can use the Event Hub Connection String value to connect to the Event Hub.

  3. In the Entities section, select Consumer groups. Record the value to use for the Consumer Group parameter value when you configure a log source in JSA.
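The notes above say a log source can be configured either from the individual values (Namespace Name, Event Hub Name, SAS Key Name, SAS Key; Storage Account Name, Storage Account Key) or from the corresponding connection string. The following added example, which is not JSA or Microsoft code, shows how the individual values are recovered from the two connection strings, so that a ticket or a config review can check one against the other. It assumes the Event Hub connection string has the Endpoint=sb://...;SharedAccessKeyName=...;SharedAccessKey=...;EntityPath=... layout and the storage connection string the DefaultEndpointsProtocol=...;AccountName=...;AccountKey=... layout; every sample value in it is constructed.

```python
"""Recover the individual JSA log source parameters from the two Azure
connection strings the log source accepts.

Added example, not JSA or Microsoft code. Assumes the Endpoint/
SharedAccessKeyName/SharedAccessKey/EntityPath layout for the Event Hub
string and the AccountName/AccountKey layout for the storage string.
All sample values are constructed.
"""
from urllib.parse import urlparse


def _kv_pairs(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Each pair is split on the
    first '=' only, because base64 keys end in '=' padding."""
    pairs = {}
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        key, value = segment.split("=", 1)
        pairs[key.strip()] = value.strip()
    return pairs


def check_event_hub_connection_string(conn: str) -> list:
    """Return a list of problems; empty when the string carries everything
    a JSA Event Hub log source needs."""
    problems = []
    kv = _kv_pairs(conn)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not kv.get(required):
            problems.append(f"missing {required}")
    if not kv.get("EntityPath"):
        # A namespace-level string has no EntityPath; JSA also needs the Event Hub name.
        problems.append("missing EntityPath (namespace-level string, not an Event Hub string)")
    if kv.get("Endpoint") and not urlparse(kv["Endpoint"]).hostname:
        problems.append("Endpoint has no host name")
    return problems


def parse_event_hub_connection_string(conn: str) -> dict:
    """Map the connection string onto the Namespace Name, Event Hub Name,
    SAS Key Name and SAS Key fields of the JSA log source."""
    problems = check_event_hub_connection_string(conn)
    if problems:
        raise ValueError("; ".join(problems))
    kv = _kv_pairs(conn)
    host = urlparse(kv["Endpoint"]).hostname
    return {
        "Namespace Name": host.split(".")[0],  # first DNS label of the namespace host
        "Namespace host name": host,           # must be reachable on ports 5671 and 5672
        "Event Hub Name": kv["EntityPath"],
        "SAS Key Name": kv["SharedAccessKeyName"],
        "SAS Key": kv["SharedAccessKey"],
    }


def parse_storage_connection_string(conn: str) -> dict:
    """Map the storage connection string onto the Storage Account Name and
    Storage Account Key fields and derive the blob host name (port 443)."""
    kv = _kv_pairs(conn)
    for required in ("AccountName", "AccountKey"):
        if not kv.get(required):
            raise ValueError(f"missing {required}")
    suffix = kv.get("EndpointSuffix", "core.windows.net")
    return {
        "Storage Account Name": kv["AccountName"],
        "Storage Account Key": kv["AccountKey"],
        "Storage Account host name": f"{kv['AccountName']}.blob.{suffix}",
    }


def redacted(params: dict) -> dict:
    """Copy of params with the secret fields masked, for tickets or log output."""
    secret = ("SAS Key", "Storage Account Key")
    return {k: ("****" if k in secret else v) for k, v in params.items()}


if __name__ == "__main__":
    # Constructed sample strings; the key material is not real.
    eh = ("Endpoint=sb://contoso-logs.servicebus.windows.net/;"
          "SharedAccessKeyName=jsa-listen;SharedAccessKey=c2FtcGxlLWtleQ==;"
          "EntityPath=insights-activity-logs")
    st = ("DefaultEndpointsProtocol=https;AccountName=contosochk;"
          "AccountKey=c2FtcGxlLXN0b3JhZ2U=;EndpointSuffix=core.windows.net")
    print(redacted(parse_event_hub_connection_string(eh)))
    print(redacted(parse_storage_connection_string(st)))
```

The check function rejects a namespace-level connection string (one without EntityPath), which the portal also offers and which looks identical apart from that one segment; a log source built from it would have no Event Hub to read. Print only the redacted form when recording the values anywhere, since the SAS key and the storage key are the credentials themselves.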

Configuring JSA to Collect Events from Microsoft Azure Event Hubs by using the Microsoft Azure Event Hubs Protocol

To collect events from Microsoft Azure Event Hubs by using the Microsoft Azure Event Hubs protocol, you must manually configure a log source because JSA does not automatically detect these log sources.

Download and install the most recent version of the following RPMs on your JSA Console.

  • Protocol Common RPM

  • Microsoft Azure Event Hubs Protocol RPM

Note

JSA 2014.8 Patch 7 and later is required for Microsoft Azure Event Hubs Protocol RPM.

  1. On the Admin tab, click Data Sources > Log Sources and then click Add.
  2. From the Log Source Type list, select Microsoft Azure.
  3. From the Protocol Configuration list, select Microsoft Azure Event Hubs.
  4. Use the following table to help you configure these parameters:

    Table 2: Microsoft Azure Event Hubs protocol log source parameters

    Parameter                                    Description
    Log Source Identifier                        An identifiable name or IP address for the log source. When the Use as Gateway Log Source field is selected, the Log Source Identifier value is not used.
    Use as Gateway Log Source                    The collected events go through the Traffic Analysis component, which automatically detects the appropriate log source or log sources.
    Use Event Hub Connection String              Clear this check box to manually enter the Event Hub Connection String, Namespace Name, Event Hub Name, SAS Key Name, and SAS Key.
    Event Hub Connection String                  This option is only available if Use Event Hub Connection String is enabled. Enter the Connection string-primary key.
    Namespace Name                               Available if the Use Event Hub Connection String check box is cleared.
    Event Hub Name                               Available if the Use Event Hub Connection String check box is cleared.
    SAS Key Name                                 Available if the Use Event Hub Connection String check box is cleared.
    SAS Key                                      Available if the Use Event Hub Connection String check box is cleared. Enter the Primary key.
    Consumer Group                               The view that is used during the connection.
    Use Storage Account Connection String        Clear this check box to manually enter the Storage Account Name and Storage Account Key.
    Storage Account Connection String            Available if the Use Storage Account Connection String check box is enabled. Enter the CONNECTION STRING.
    Storage Account Name                         Available if the Use Storage Account Connection String check box is cleared.
    Storage Account Key                          Available if the Use Storage Account Connection String check box is cleared.
    Automatically Acquire Server Certificate(s)  If you select Yes from the list, JSA automatically downloads the certificate and begins trusting the target server.
    EPS Throttle                                 The maximum number of events that the Microsoft Azure Event Hubs Protocol forwards per second. 100 EPS is the minimum value. 10,000 EPS is the maximum value.

  5. Click Save.
  6. On the Admin tab, click Deploy Changes.

Microsoft Azure DSM Specifications

The following table describes the specifications for the Microsoft Azure DSM:

Table 3: Microsoft Azure DSM Specifications

Specification                Value
Manufacturer                 Microsoft
DSM name                     Microsoft Azure
RPM file name                DSM-MicrosoftAzure-JSA_version-build_number.noarch.rpm
Supported versions           N/A
Protocol                     Syslog, Microsoft Azure Event Hubs
Event format                 LEEF, JSON
Recorded event types         Network Security Group (NSG) Flow logs, Network Security Group (NSG) Logs, Authorization, Classic Compute, Classic Storage, Compute, Insights, KeyVault, SQL, Storage, Automation, Cache, CDN, Devices, Event Hub, HDInsight, Recovery Services, AppService, Batch, Bing Maps, Certificate Registration, Cognitive Services, Container Service, Content Moderator, Data Catalog, Data Factory, Data Lake Analytics, Data Lake Store, Domain Registration, Dynamics LCS, Features, Logic, Media, Notification Hubs, Search, Servicebus, Support, Web, Scheduler, Resources, Resource Health, Operation Insights, Market Place Ordering, API Management, AD Hybrid Health Service, Server Management
Automatically discovered?    Yes
Includes identity?           No
Includes custom properties?  No
More information             Microsoft Azure website (https://azure.microsoft.com)

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following tables provide sample event messages for the Microsoft Azure DSM:

Table 4: Microsoft Azure Sample Syslog Message

Event name: Restarts virtual machines.
Low level category: Start Activity Attempted
Sample log message:

    LEEF:1.0|Microsoft|Azure Resource Manager|1.0|MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss cat=Compute src=10.0.0.2 usrName=erica@example.com sev=4 resource=testvm resourceGroup=Test Resource Group description=Restart a Virtual Machine

Event name: Returns the access keys for the specified storage account
Low level category: Read Activity Attempted
Sample log message:

    {"records": [{"time": "2017-09-14T11:47:36.1987564Z", "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Action", "resultType": "Start", "resultSignature": "Started.", "durationMs": 0, "callerIpAddress": "<IP address>", "correlationId": "", "identity": {"authorization":{"scope":"/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/","action":"Microsoft.Storage/storageAccounts/listKeys/action","evidence":{"role":"Insights Management Service Role","roleAssignmentScope":"/subscriptions/","roleAssignmentId":"","roleDefinitionId":"","principalId":"","principalType":"ServicePrincipal"}},"claims":{"aud":"https://management.azure.com/","iss":"https://sts.windows.net//","iat":"","nbf":"","exp":"","aio":"==","appid":"","appidacr":"2","e_exp":"262800","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net//","http://schemas.microsoft.com/identity/claims/objectidentifier":"","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"","http://schemas.microsoft.com/identity/claims/tenantid":"","uti":"xxxxxx__xxxxxxxxxxxxxx","ver":"1.0"}}, "level": "Information", "location": "global"},{"time": "2017-09-14T11:47:36.3237658Z", "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Action", "resultType": "Success", "resultSignature": "Succeeded.OK", "durationMs": 125, "callerIpAddress": "<IP address>", "correlationId": "", "identity": {"authorization":{"scope":"/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/","action":"Microsoft.Storage/storageAccounts/listKeys/action","evidence":{"role":"Insights Management Service Role","roleAssignmentScope":"/subscriptions/","roleAssignmentId":"","roleDefinitionId":"","principalId":"","principalType":"ServicePrincipal"}},"claims":{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/","iat":"1505389356","nbf":"1505389356","exp":"1505393256","aio":"Y2VgYBBQEA5y0vTd4PVnSpSp9qVwAA==","appid":"","appidacr":"2","e_exp":"262800","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net//","http://schemas.microsoft.com/identity/claims/objectidentifier":"","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"","http://schemas.microsoft.com/identity/claims/tenantid":"","uti":"xxxxxx__xxxxxxxxxxxxxx","ver":"1.0"}}, "level": "Information", "location": "global", "properties": {"statusCode":"OK","serviceRequestId":""}}]}

Event name: SecretGet
Low level category: Read Activity Attempted
Sample log message:

    {"records": [{"time": "2016-03-02T04:31:28.6127743Z","resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST","operationName": "SecretGet","operationVersion": "2015-06-01","category": "AuditEvent","resultType": "Success","resultSignature": "OK","resultDescription": "","durationMs": "187","callerIpAddress": "","correlationId": "","identity": {"claim": {"http://schemas.microsoft.com/identity/claims/objectidentifier": "","appid": "","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ""}},"properties": {"clientInfo": "","requestUri": "","id": "https://.vault.azure.net/secrets/testsecret/","httpStatusCode": 200}}]}

Event name: Failed Password
Low level category: SSH Login Failed
Sample log message:

    {"time": "2017-05-11T21:58:37.0000000Z","resourceId": "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/","properties": {"host": "","ident": "sshd","pid": "","Ignore": "syslog","Facility": "auth","Severity": "info","EventTime": "2017-05-11T21:58:37+0000","SendingHost": "","Msg": "Failed password for root from <IP address> port 1111 ssh2","hostname": "","FluentdIngestTimestamp": "2017-05-11T21:58:37Z"},"category": "auth","level": "info"}
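The sample messages above arrive in two shapes: LEEF over syslog from the Azure Log Integration service, and JSON from Event Hubs, where Activity and Diagnostic logs are wrapped in a "records" array while the syslog-in-JSON record from a VM is a bare object. The following added example, which is not JSA code, parses both shapes into one flat record and applies a single review check over the result (the two credential-read operations that appear in the samples, storage account listKeys and Key Vault SecretGet). It assumes the LEEF 1.0 layout of five "|"-separated header fields followed by tab-separated key=value attributes; the three embedded samples are constructed copies modelled on the table rows, shortened and with placeholder addresses and IDs.

```python
"""Normalize the two event formats the Microsoft Azure DSM receives into one
flat record: LEEF over syslog and JSON from Event Hubs.

Added example, not JSA code. Assumes LEEF 1.0 layout (five '|' header fields,
then tab-separated key=value attributes). Samples are constructed copies
modelled on the page's sample messages, shortened, with placeholder values.
"""
import json

# Constructed LEEF sample modelled on the "Restarts virtual machines" row.
LEEF_SAMPLE = (
    "LEEF:1.0|Microsoft|Azure Resource Manager|1.0|"
    "MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|"
    "devTime=Jun 07 2016 17:04:26\tdevTimeFormat=MMM dd yyyy HH:mm:ss\tcat=Compute\t"
    "src=10.0.0.2\tusrName=erica@example.com\tsev=4\tresource=testvm\t"
    "resourceGroup=Test Resource Group\tdescription=Restart a Virtual Machine"
)

# Constructed JSON sample modelled on the Activity Log "listKeys" row (records array).
JSON_SAMPLE = json.dumps({"records": [{
    "time": "2017-09-14T11:47:36.3237658Z",
    "resourceId": "/SUBSCRIPTIONS/sub-placeholder/RESOURCEGROUPS/rg-placeholder/"
                  "PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/acct-placeholder",
    "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "category": "Action", "resultType": "Success", "resultSignature": "Succeeded.OK",
    "durationMs": 125, "callerIpAddress": "203.0.113.7",
    "identity": {"authorization": {"evidence": {
        "role": "Insights Management Service Role", "principalType": "ServicePrincipal"}}},
    "level": "Information", "location": "global"}]})

# Constructed JSON sample modelled on the "Failed Password" row (bare object, no wrapper).
SSH_SAMPLE = json.dumps({
    "time": "2017-05-11T21:58:37.0000000Z",
    "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-placeholder/"
                  "providers/Microsoft.Compute/virtualMachines/vm-placeholder",
    "properties": {"ident": "sshd", "Facility": "auth", "Severity": "info",
                   "Msg": "Failed password for root from 198.51.100.4 port 1111 ssh2"},
    "category": "auth", "level": "info"})


def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0 line into its header fields and its attribute map."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs five '|'-separated fields")
    _, vendor, product, version, event_id, attr_blob = parts
    # Attributes are tab-separated; split each on the first '=' so values may contain '='.
    attrs = dict(item.split("=", 1) for item in attr_blob.split("\t") if "=" in item)
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "attrs": attrs}


def normalize(raw: str) -> list:
    """Turn one raw message into a list of flat records (a JSON batch may carry many)."""
    if raw.startswith("LEEF:"):
        leef = parse_leef(raw)
        a = leef["attrs"]
        return [{"source_format": "LEEF", "event_id": leef["event_id"],
                 "time": a.get("devTime"), "src_ip": a.get("src"), "user": a.get("usrName"),
                 "outcome": None, "category": a.get("cat"), "resource": a.get("resource"),
                 "principal_type": None, "message": a.get("description")}]
    data = json.loads(raw)
    # Activity/Diagnostic logs arrive as {"records": [...]}; the VM syslog shape is a bare object.
    records = data["records"] if isinstance(data, dict) and "records" in data else [data]
    out = []
    for r in records:
        props = r.get("properties") or {}
        evidence = ((r.get("identity") or {}).get("authorization") or {}).get("evidence") or {}
        out.append({"source_format": "JSON",
                    "event_id": r.get("operationName") or props.get("ident"),
                    "time": r.get("time"), "src_ip": r.get("callerIpAddress"),
                    "user": None, "outcome": r.get("resultType"), "category": r.get("category"),
                    "resource": r.get("resourceId"), "principal_type": evidence.get("principalType"),
                    "message": props.get("Msg")})
    return out


def is_credential_read(event: dict) -> bool:
    """Flag the two credential-read operations seen in the samples: storage
    account listKeys and Key Vault SecretGet. Both deserve a review rule,
    since the log records the read but never the key or secret value."""
    event_id = (event.get("event_id") or "").upper()
    return event_id.endswith("/LISTKEYS/ACTION") or event_id == "SECRETGET"


if __name__ == "__main__":
    for raw in (LEEF_SAMPLE, JSON_SAMPLE, SSH_SAMPLE):
        for ev in normalize(raw):
            print(is_credential_read(ev), ev["event_id"], ev["src_ip"], ev["outcome"])
```

The flat record keeps the fields that matter for the low level categories in the table (who, from where, which operation, which outcome) under one set of names regardless of origin, so a rule such as the credential-read check works on both the syslog and the Event Hubs path. Note that the Event Hubs path can batch several records in one message, so callers should always iterate over the list rather than assume one event per message.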