Collect Azure VPN logs

Supported in:

This guide explains how to export Azure VPN logs to Google Security Operations using an Azure Storage Account. The parser extracts fields from JSON-formatted Azure VPN logs and then uses Grok patterns to extract further details from the properties.message field. Finally, it maps the extracted information to the standardized fields of the Unified Data Model (UDM).

Before you begin

Ensure you have the following prerequisites:

  • Google SecOps instance
  • An active Azure tenant
  • Privileged access to Azure

Configure Azure Storage Account

  1. In the Azure console, search for Storage accounts.
  2. Click + Create.
  3. Specify values for the following input parameters:
    • Subscription: Select the subscription.
    • Resource Group: Select the resource group.
    • Region: Select the region.
    • Performance: Select the performance (Standard recommended).
    • Redundancy: Select the redundancy (GRS or LRS recommended).
    • Storage account name: Enter a name for the new storage account.
  4. Click Review + create.
  5. Review the overview of the account and click Create.
  6. From the Storage Account Overview page, select the Access keys submenu in Security + networking.
  7. Click Show next to key1 or key2.
  8. Click Copy to clipboard to copy the key.
  9. Save the key in a secure location for later use.
  10. From the Storage Account Overview page, select the Endpoints submenu in Settings.
  11. Click Copy to clipboard to copy the Blob service endpoint URL; for example, https://<storageaccountname>.blob.core.windows.net.
  12. Save the endpoint URL in a secure location for later use.

How to configure Log Export for Azure VPN Gateway Logs

  1. Sign in to the Azure Portal using your privileged account.
  2. Select the Subscription being monitored.
  3. In the resource list of that subscription, locate the VPN gateway (this should typically be of the Resource Type, Virtual Network Gateway).
  4. Click the Gateway.
  5. Select Monitoring > Diagnostic Services.
  6. Click + Add diagnostic setting.
    • Enter a descriptive name for the diagnostic setting.
  7. Select allLogs.
  8. Select the Archive to a storage account checkbox as the destination.
    • Specify the Subscription and Storage Account.
  9. Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure multiple feeds for different log types within this product family, see Configure feeds by product.

To configure a single feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Azure VPN Logs.
  5. Select Microsoft Azure Blob Storage as the Source type.
  6. Select Azure VPN as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • Azure URI: The blob endpoint URL.
      • ENDPOINT_URL/BLOB_NAME
        • Replace the following:
          • ENDPOINT_URL: The blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
          • BLOB_NAME: The name of the blob (such as, <logname>-logs)
    • URI is a: Select the URI TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).

    • Source deletion options: Select the deletion option according to your ingestion preferences.

    • Shared key: The access key to the Azure Blob Storage.

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Azure URI: The blob endpoint URL.
    • ENDPOINT_URL/BLOB_NAME
      • Replace the following:
        • ENDPOINT_URL: The blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
        • BLOB_NAME: The name of the blob (such as, <logname>-logs)
  • URI is a: Select the URI TYPE according to log stream configuration (Single file | Directory | Directory which includes subdirectories).
  • Source deletion options: Select the deletion option according to your ingestion preferences.
  • Shared key: The access key to the Azure Blob Storage.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

UDM Mapping Table

Log Field UDM Mapping Logic
category security_result.category_details Directly mapped from the category field in the raw log.
IV_PLAT security_result.detection_fields.value Directly mapped from the IV_PLAT field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PLAT.
IV_PLAT_VER security_result.detection_fields.value Directly mapped from the IV_PLAT_VER field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PLAT_VER.
IV_PROTO security_result.detection_fields.value Directly mapped from the IV_PROTO field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PROTO.
IV_VER security_result.detection_fields.value Directly mapped from the IV_VER field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_VER.
level security_result.severity Mapped from the level field in the raw log. If level is Informational, the severity is set to INFORMATIONAL.
local_ip target.ip Extracted from the properties.message field using grok patterns and mapped to the target IP address.
local_port target.port Extracted from the properties.message field using grok patterns and mapped to the target port number. Converted to integer type.
operationName metadata.product_event_type Directly mapped from the operationName field in the raw log.
properties.message metadata.description Extracted from the properties.message field using grok patterns. Depending on the message format, the description might include additional details extracted from desc2 field.
remote_ip principal.ip Extracted from the properties.message field using grok patterns and mapped to the principal IP address.
remote_port principal.port Extracted from the properties.message field using grok patterns and mapped to the principal port number. Converted to integer type.
resourceid target.resource.product_object_id Directly mapped from the resourceid field in the raw log.
time timestamp, metadata.event_timestamp Parsed from the time field in the raw log using the RFC 3339 format and mapped to both the event timestamp and the UDM timestamp.
metadata.log_type Hardcoded to AZURE_VPN.
metadata.vendor_name Hardcoded to AZURE.
metadata.product_name Hardcoded to VPN.
metadata.event_type Dynamically set based on the presence of IP addresses. If both remote_ip and local_ip are present, it's set to NETWORK_CONNECTION, otherwise USER_RESOURCE_ACCESS.
extensions.auth.type Hardcoded to VPN.

Changes

2023-03-07

  • Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.