Collect Microsoft Azure Key Vault logging logs

This document describes how you can collect the Azure Key Vault logging logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google SecOps.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AZURE_KEYVAULT_AUDI ingestion label.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An Azure subscription that you can sign in to
  • An Azure Key Vault environment (tenant) in Azure
  • A global administrator or Azure Key Vault administrator role
  • An Azure storage account to store the logs

Configure a storage account

  1. Sign in to the Azure portal.
  2. In the Azure console, search for Storage accounts.
  3. Select the storage account that the logs must be pulled from, and then select Access key. To create a new storage account, do the following:

    1. Click Create.
    2. Enter a name for the new storage account.
    3. Select the subscription, resource group, region, performance, and redundancy for the account. We recommend setting the performance to standard, and the redundancy to GRS or LRS.
    4. Click Review + create.
    5. Review the overview of the account and click Create.

  4. Click Show keys and make a note of the shared key for the storage account.

  5. Select Endpoints and make a note of the Blob service endpoint.

    For more information about creating a storage account, see the Create an Azure storage account section in the Microsoft documentation.

Configure Azure Key Vault logging

  1. In the Azure portal, go to Key vaults and select the key vault that you want to configure for logging.
  2. In the Monitoring section, select Diagnostic settings.
  3. Select Add diagnostic setting. The Diagnostics settings window provides the settings for the diagnostic logs.
  4. In the Diagnostic setting name field, specify a name for the diagnostic setting.
  5. In the Category groups section, select the audit checkbox.
  6. In the Retention (days) field, specify a log retention value that complies with your organization's policies. Google SecOps recommends a minimum of one day of log retention.

    You can store the Azure Key Vault logging logs in a storage account or stream the logs to Event Hubs. Google SecOps supports log collection using a storage account.

Archive to a storage account

  1. To store logs in a storage account, in the Diagnostics settings window, select the Archive to a storage account checkbox.
  2. In the Subscription list, select the existing subscription.
  3. In the Storage account list, select the existing storage account.

Configure a feed in Google SecOps to ingest Azure Key Vault logging logs

  1. In the Google SecOps menu, select Settings > Feeds > Add new.
  2. In the Feed name field, enter a unique name for the feed.
  3. Select Microsoft Azure Blob Storage as the Source type.
  4. Select Azure Key Vault Logging as the Log type.
  5. Click Next.
  6. Configure the following input parameters:
    • Azure URI: specify the Blob service endpoint that you obtained previously along with one of the container names of that storage account. For example, https://xyz.blob.core.windows.net/abc/.
    • URI is a: specify the URI option.
    • Source deletion option: specify the source deletion option.
    • Key: specify the shared key that you obtained previously.
  7. Click Next and then click Submit.
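Before submitting the feed, it is worth confirming that the Blob service endpoint, container name and shared key you collected actually grant access to the container and that Key Vault diagnostic logs are already landing there. The following added example (not part of this page or of Google SecOps) builds an Azure Storage SharedKey-signed "List Blobs" request from those three values; the endpoint, container and key in it are constructed placeholders.

```python
# Added example (not part of the original page): pre-flight check that the
# Blob service endpoint, container and shared key collected above are valid,
# by building a SharedKey-signed "List Blobs" request for the container.
# Endpoint, container and key values are constructed placeholders.
import base64
import hashlib
import hmac
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2020-10-02"  # Blob service REST API version sent as x-ms-version
CONSTRUCTED_KEY = base64.b64encode(b"\x00" * 64).decode("ascii")  # placeholder, not a real key

def parse_azure_uri(azure_uri):
    """Split https://xyz.blob.core.windows.net/abc/ into (account, host, container)."""
    parts = urllib.parse.urlsplit(azure_uri)
    container = parts.path.strip("/").split("/")[0]
    if not parts.hostname or not container:
        raise ValueError("Azure URI must be <Blob service endpoint>/<container>/")
    return parts.hostname.split(".")[0], parts.netloc, container

def string_to_sign(account, container, x_ms_date):
    """Canonical string for GET /<container>?restype=container&comp=list:
    VERB plus eleven standard headers (all empty for a bodiless GET), then the
    x-ms-* headers, then the canonicalized resource with sorted query params."""
    canon_headers = f"x-ms-date:{x_ms_date}\nx-ms-version:{API_VERSION}\n"
    canon_resource = f"/{account}/{container}\ncomp:list\nrestype:container"
    return "GET" + "\n" * 12 + canon_headers + canon_resource

def authorization_header(account, container, shared_key, x_ms_date):
    """HMAC-SHA256 over the string to sign, keyed with the base64-decoded account key."""
    mac = hmac.new(base64.b64decode(shared_key),
                   string_to_sign(account, container, x_ms_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode('ascii')}"

def list_blobs_request(azure_uri, shared_key, x_ms_date=None):
    """Build the signed request. Send it with urllib.request.urlopen: HTTP 200
    with <Blob> entries means logs are landing; 403 means key/account mismatch."""
    account, host, container = parse_azure_uri(azure_uri)
    x_ms_date = x_ms_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    req = urllib.request.Request(f"https://{host}/{container}?restype=container&comp=list")
    req.add_header("x-ms-date", x_ms_date)
    req.add_header("x-ms-version", API_VERSION)
    req.add_header("Authorization", authorization_header(account, container, shared_key, x_ms_date))
    return req
```

Call `list_blobs_request` with your own Azure URI and shared key and pass the result to `urllib.request.urlopen`; an empty `<Blobs/>` element in a 200 response means the credentials work but the diagnostic setting has not written anything to that container yet.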

For more information about Google SecOps feeds, see Google SecOps feeds documentation.

For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.