Azure is a cloud services platform that provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It lets organizations consume compute power and the services they need without buying or managing hardware.
At the same time, these public IaaS and PaaS services present the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit trail of activities in the Azure account
- Retrieve Azure account activities such as admin logins to the Azure console, Azure compute changes and data flows, events from Azure services, and many more
- Make these granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for Azure is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Azure account, unifies the events into a common application event format, enriches them with the context detection needs, and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Azure retrieves events from Azure through its APIs. Before sending an event to the existing SIEM/SOC system, the connector will:
- Unify the event into the SkyFormation unified application event format
- Embed the original (origin) event inside the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event in a standard format, such as CEF
- Send the event to the existing SIEM/SOC system over syslog
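The following is an added example that walks one Azure Activity Log record through the same stages (unify, embed the origin, enrich with identity context, encode as CEF, frame for syslog). It is illustrative code written for this page, not SkyFormation's connector or a Microsoft SDK: the sample event and the identity directory are constructed, and the CEF vendor/product strings, extension key choices and the local syslog address are assumptions. The CEF escaping rules (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values) are the part most often got wrong in home-grown encoders, so they get their own helpers.

```python
"""Azure Activity Log record -> unified event -> CEF over syslog (added example)."""
import json
import socket
from datetime import datetime, timezone

# Constructed sample: one Activity Log "Administrative" record, trimmed to the
# fields this example reads. Real records carry many more properties.
SAMPLE_EVENT = {
    "eventTimestamp": "2017-08-01T12:34:56.789Z",
    "category": {"value": "Administrative"},
    "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"},
    "status": {"value": "Succeeded"},
    "caller": "alice@example.com",
    "callerIpAddress": "203.0.113.10",
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/resourceGroups/prod/providers/Microsoft.Network"
                   "/networkSecurityGroups/web-nsg"),
}

# Constructed directory standing in for the AD identity lookup (assumption).
IDENTITY_DIRECTORY = {
    "alice@example.com": {"displayName": "Alice Example", "department": "Platform"},
}


def _epoch_ms(ts: str) -> int:
    """Azure timestamps are ISO 8601 UTC with a trailing 'Z'; CEF 'rt' wants epoch ms."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def unify(event: dict) -> dict:
    """Map the Azure record onto a small common schema and embed the origin record."""
    operation = event["operationName"]["value"]
    verb = operation.rsplit("/", 1)[-1].lower()
    # CEF severity is 0-10; destructive operations rank highest (assumed policy).
    severity = 7 if verb == "delete" else 5 if verb == "write" else 3
    return {
        "timestamp_ms": _epoch_ms(event["eventTimestamp"]),
        "category": event["category"]["value"],
        "operation": operation,
        "outcome": event["status"]["value"],
        "actor": event.get("caller", "unknown"),
        "src_ip": event.get("callerIpAddress", ""),
        "resource_id": event.get("resourceId", ""),
        "severity": severity,
        "origin": event,  # the untouched source record travels with the event
    }


def enrich(unified: dict, directory: dict = IDENTITY_DIRECTORY) -> dict:
    """Attach identity context; an actor missing from the directory stays 'unknown'."""
    who = directory.get(unified["actor"], {})
    unified["actor_display_name"] = who.get("displayName", "unknown")
    unified["actor_department"] = who.get("department", "unknown")
    return unified


def _hdr(value: str) -> str:
    """CEF header fields escape backslash and pipe."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _ext(value: str) -> str:
    """CEF extension values escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(unified: dict) -> str:
    """Encode the unified event as a CEF:0 line (vendor/product/version are assumed)."""
    header = "|".join([
        "CEF:0", "SkyFormation", "Azure Connector", "1.0",
        _hdr(unified["operation"]), _hdr(unified["category"]),
        str(unified["severity"]),
    ])
    extension = {
        "rt": str(unified["timestamp_ms"]),
        "suser": unified["actor"],
        "src": unified["src_ip"],
        "outcome": unified["outcome"],
        "cs1Label": "resourceId", "cs1": unified["resource_id"],
        "cs2Label": "actorDisplayName", "cs2": unified["actor_display_name"],
        # Origin record embedded as compact JSON; _ext() keeps it CEF-safe.
        "cs3Label": "originEvent",
        "cs3": json.dumps(unified["origin"], separators=(",", ":")),
    }
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in extension.items())


def to_syslog(cef: str, hostname: str = "skyformation",
              facility: int = 1, severity: int = 6) -> bytes:
    """Wrap the CEF line in an RFC 3164-style frame (facility 1 = user, 6 = info)."""
    pri = facility * 8 + severity
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {cef}".encode("utf-8")


def process(event: dict) -> str:
    """Full pipeline for one event: unify -> enrich -> encode."""
    return to_cef(enrich(unify(event)))


if __name__ == "__main__":
    line = process(SAMPLE_EVENT)
    print(line)
    # Ship to a local syslog/SIEM listener over UDP (assumed address and port).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(to_syslog(line), ("127.0.0.1", 514))
```

Two practical notes: UDP syslog silently drops frames that exceed the path MTU, and embedding the whole origin record in cs3 makes the line long, so a production sender would use TCP (or TLS) and consider truncating or referencing the origin record instead; and an actor that is not found in the directory must still produce a well-formed event (here tagged "unknown") rather than fail the pipeline, because service principals and deleted users will show up in real Activity Log data.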
Azure Audit Sources & Events Supported
For general information on Azure audit sources and logs please visit:
IMPORTANT AUDIT COVERAGE CHECK TO DO:
The availability of Azure services, including the security & compliance and audit services, often depends on the Azure region. To verify which Azure audit sources, and what coverage, the SkyFormation Azure connector will give you, please:
- Open https://azure.microsoft.com/en-us/regions/services/ and go to the "Monitoring + Management" section.
- In the "Monitoring + Management" section, check whether the following monitoring services are available in each Azure region you use:
- Log Analytics
- Security & Compliance
- Protection & Recovery
- If any of these services is not available in a region you use, audit logs and events from that service will most likely not be available for that region.
| Audit Source (API) | Service / Category | Description |
|---|---|---|
| Activity Log (available in all Azure regions) | Administrative | This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include "create virtual machine" and "delete network security group". |
| | Service Health | This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is "SQL Azure in East US is experiencing downtime." |
| | Alert | This category contains the record of all activations of Azure alerts. An example of the type of event you would see in this category is "CPU % on myVM has been over 80 for the past 5 minutes." |
| | Autoscale | This category contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of the type of event you would see in this category is "Autoscale scale up action failed." |
| | Recommendation | This category contains recommendation events from certain resource types, such as web sites and SQL servers. These events offer recommendations for how to better utilize your resources. |
| Available in all Azure regions | Content Delivery Network (CDN) | |
| | Data Lake Analytics | |
| | Data Lake Store | |
| | Network Security Groups | |
| | Metrics for Blob, Queue, Table, and File services | |
| | Analytics for Blob, Queue, and Table services | |
| Event Hubs | Telemetry events from websites, apps and streams | |
| Azure Security Center | | |
| VPC Flow Logs | | |