Collect Azure API Management logs

Supported in:

Google secops SIEM

This document explains how to export Azure API Management logs to Google Security Operations using an Azure Storage Account.

Before you begin

Ensure you have the following prerequisites:

In the Azure console, search for Storage accounts.
Click + Create.
Specify values for the following input parameters:
- Subscription: Select the subscription.
- Resource Group: Select the resource group.
- Region: Select the region.
- Performance: Select the performance (Standard recommended).
- Redundancy: Select the redundancy (GRS or LRS recommended).
- Storage account name: Enter a name for the new storage account.
Click Review + create.
Review the overview of the account and click Create.
From the Storage Account Overview page, select the Access keys submenu in Security + networking.
Click Show next to key1 or key2.
Click Copy to clipboard to copy the key.
Save the key in a secure location for later use.
From the Storage Account Overview page, select the Endpoints submenu in Settings.
Click Copy to clipboard to copy the Blob service endpoint URL; for example, https://<storageaccountname>.blob.core.windows.net.
Save the endpoint URL in a secure location for later use.

Sign in to the Azure Portal using your privileged account.
In the Azure portal, find and select the API Management service instance.
Select Monitoring > Diagnostic settings.
Click + Add diagnostic setting.
- Enter a descriptive name for the diagnostic setting.
Select Logs related to ApiManagement Gateway.
Select the Archive to a storage account checkbox as the destination.
- Specify the Subscription and Storage Account.
Click Save.

There are two different entry points to set up feeds in the Google SecOps platform:

To configure multiple feeds for different log types within this product family, see Configure feeds by product.

To configure a single feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Azure API Management Logs.
Select Microsoft Azure Blob Storage as the Source type.
Select Azure API Management as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure URI: The blob endpoint URL.
  - ENDPOINT_URL/BLOB_NAME
    - Replace the following:
      - ENDPOINT_URL: The blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
      - BLOB_NAME: The name of the blob (such as, insights-logs-<logname>)
- URI is a: Select the URI TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
- Source deletion options: Select the deletion option according to your ingestion preferences.
  
  Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account.
- Shared key: The access key to the Azure Blob Storage.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Specify values for the following fields:

Azure URI: The blob endpoint URL.
- ENDPOINT_URL/BLOB_NAME
  - Replace the following:
    - ENDPOINT_URL: The blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
    - BLOB_NAME: The name of the blob (such as, insights-logs-<logname>)
URI is a: Select the URI TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
Source deletion options: Select the deletion option according to your ingestion preferences.
Shared key: The access key to the Azure Blob Storage.

Advanced options

Need more help? Get answers from Community members and Google SecOps professionals.