Connect to Microsoft Azure for log data collection

The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Microsoft Azure require the ingestion of Microsoft Azure logs using the Security Operations console ingestion pipeline. The Microsoft Azure log types required for ingestion differ based on what you are configuring:

CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.
Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see Supported devices and required log types.

Curated detections

Curated detections in the Enterprise tier of Security Command Center help identify threats in Microsoft Azure environments using both event and context data.

These rule sets require the following data to function as designed. You must ingest Azure data from each of these data sources to have maximum rule coverage.

Azure cloud services
Microsoft Entra ID, previously Azure Active Directory
Microsoft Entra ID audit logs, previously Azure AD audit logs
Microsoft Defender for Cloud
Microsoft Graph API Activity

For more information, see the following in the Google SecOps documentation:

Supported devices and required log types for Azure: information about the data required by each rule set.
Ingest Azure and Microsoft Entra ID data and Create an Azure Event Hub feed: steps to collect Azure and Microsoft Entra ID log data.
Curated detections for Azure data: summary of the Azure rule sets in the Cloud Threats Category curated detections.
Use curated detections to identify threats: how to use curated detections in Google SecOps.

For information about the type of log data that customers with Security Command Center Enterprise can ingest directly to the Google SecOps tenant, see Google SecOps log data collection.

Configure Microsoft Azure log ingestion for CIEM

To generate CIEM findings for your Microsoft Azure environment, the CIEM capabilities require data from Azure activity logs for each Azure subscription or management group that needs to be analyzed.

Before you begin

To export activity logs for your Azure subscriptions or management groups, configure a Microsoft Azure storage account.

Configure Microsoft Azure log ingestion for management groups

To configure Azure activity logging for management groups, use the Management group API.

Note: The Microsoft Azure portal does not support configuring diagnostic settings for management groups.
To ingest exported activity logs from the storage account, configure a feed in Security Operations console.
Set an Ingestion label for the feed by setting Label to CIEM and the Value to TRUE.

Configure Microsoft Azure log ingestion for subscriptions

To configure Azure activity logging for subscriptions, do the following:
1. In the Azure console, search for Monitor.
2. In the left navigation pane, click the Activity log link.
3. Click Export Activity Logs.
4. Perform the following actions for each subscription or management group for which logs need to be exported:
  1. In the subscription menu, select the Microsoft Azure subscription from which you want to export activity logs.
  2. Click Add diagnostic setting.
  3. Enter a name for the diagnostic setting.
  4. In Log categories, select Administrative.
  5. In Destination details, select Archive to a storage account.
  6. Select the subscription and storage account that you created, and click Save.
To ingest exported activity logs from the storage account, configure a feed in Security Operations console.
Set an Ingestion label for the feed by setting Label to CIEM and the Value to TRUE.

What's next

To enable CIEM, see Enable the CIEM detection service.
To learn more about CIEM features, see Overview of CIEM.