[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[[["\u003cp\u003eThis document provides instructions on how to export Azure Firewall logs to Google Security Operations using an Azure Storage Account.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves configuring an Azure Storage Account, setting up log export from Azure Firewalls to the Storage Account, and then configuring a feed in Google SecOps to ingest these logs.\u003c/p\u003e\n"],["\u003cp\u003eThe parser in Google Security Operations processes Azure Firewall logs by first attempting to extract data from a JSON field, and if it is empty it then proceeds to use Grok patterns and conditional statements.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines the necessary prerequisites, including a Google SecOps instance, an active Azure tenant, and privileged access to Azure, before starting the configuration.\u003c/p\u003e\n"],["\u003cp\u003eA detailed UDM mapping is provided to show how raw log fields are mapped to the Unified Data Model, along with several updates and enhancements made to this feature.\u003c/p\u003e\n"]]],[],null,["# Collect Azure Firewall logs\n===========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export Azure Firewall logs to Google Security Operations using Azure Storage Account. The parser first attempts to process the input as JSON, extracting data from the **Records** field. If the **Record** field is empty, the parser then uses a series of Grok patterns and conditional statements to extract relevant fields from the message, handling different formats and variations in the Azure Firewall logs.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- An active Azure tenant\n- Privileged access to Azure\n\nConfigure Azure Storage Account\n-------------------------------\n\n1. In the Azure console, search for **Storage accounts**.\n2. Click **+ Create**.\n3. Specify values for the following input parameters:\n - **Subscription**: Select the subscription.\n - **Resource Group**: Select the resource group.\n - **Region**: Select the region.\n - **Performance**: Select the performance (Standard recommended).\n - **Redundancy**: Select the redundancy (GRS or LRS recommended).\n - **Storage account name**: Enter a name for the new storage account.\n4. Click **Review + create**.\n5. Review the overview of the account and click **Create**.\n6. From the **Storage Account Overview** page, select the **Access keys** submenu in **Security + networking**.\n7. Click **Show** next to **key1** or **key2**.\n8. Click **Copy to clipboard** to copy the key.\n9. Save the key in a secure location for later use.\n10. From the **Storage Account Overview** page, select the **Endpoints** submenu in **Settings**.\n11. Click **Copy to clipboard** to copy the **Blob service** endpoint URL; for example, `https://\u003cstorageaccountname\u003e.blob.core.windows.net`.\n12. Save the endpoint URL in a secure location for later use.\n\nHow to configure Log Export for Azure Firewalls Logs\n----------------------------------------------------\n\n1. Sign in to the **Azure Portal** using your privileged account.\n2. Go to **Firewalls** and select the required firewall.\n3. Select **Monitoring \\\u003e Diagnostic Services**.\n4. Click **+ Add diagnostic setting** .\n - Enter a descriptive name for the diagnostic setting.\n5. Select **allLogs**.\n6. Select the **Archive to a storage account** checkbox as the destination.\n - Specify the **Subscription** and **Storage Account**.\n7. Click **Save**.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Azure firewall feed\n-------------------------------------\n\n1. Click the **Azure Platform** pack.\n2. Locate the **Azure firewall** log type and click **Add new feed**.\n3. Specify values for the following fields:\n\n - **Source Type**: Microsoft Azure Blob Storage V2.\n - **Azure URI** : The blob endpoint URL.\n - `ENDPOINT_URL/BLOB_NAME`\n - Replace the following:\n - `ENDPOINT_URL`: The blob endpoint URL (`https://\u003cstorageaccountname\u003e.blob.core.windows.net`)\n - `BLOB_NAME`: The name of the blob (such as, `\u003clogname\u003e-logs`)\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Includes files modified in the last number of days.\n Default is 180 days.\n\n - **Shared key**: The shared key (a 512-bit random string in base-64 encoding) used to access Azure resources.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace** : [Namespace associated with the feed](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping\n-----------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
