Connect to Microsoft Azure for log data collection

The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Microsoft Azure require Microsoft Azure logs to be ingested through the Security Operations console ingestion pipeline. The Microsoft Azure log types you need to ingest depend on which capability you are configuring:

  • CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.
  • Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see Supported devices and required log types.

Curated detections

Curated detections in the Enterprise tier of Security Command Center help identify threats in Microsoft Azure environments using both event and context data.

These rule sets require the following data to function as designed. To get full rule coverage, ingest Azure data from every one of these data sources; a rule set whose log type is not ingested cannot fire.

For more information, see the following in the Google SecOps documentation:

  • Google SecOps log data collection, for the types of log data that customers with Security Command Center Enterprise can ingest directly into the Google SecOps tenant.

Configure Microsoft Azure log ingestion for CIEM

To generate CIEM findings for your Microsoft Azure environment, the CIEM capabilities require data from Azure activity logs for each Azure subscription that needs to be analyzed.

To configure Microsoft Azure log ingestion for CIEM, do the following:

  1. Create or choose a Microsoft Azure storage account that will receive the exported activity logs for your Azure subscriptions.
  2. Configure Azure activity logging:

    1. In the Azure portal, search for Monitor.
    2. In the left navigation pane, click the Activity log link.
    3. Click Export Activity Logs.
    4. Perform the following actions for each subscription for which logs need to be exported:
      1. In the subscription menu, select the Microsoft Azure subscription from which you want to export activity logs.
      2. Click Add diagnostic setting.
      3. Enter a name for the diagnostic setting.
      4. In Log categories, select Administrative.
      5. In Destination details, select Archive to a storage account.
      6. Select the subscription that contains the storage account you created, select that storage account, and click Save.
  3. To ingest the exported activity logs from the storage account, configure a feed in the Security Operations console that reads from that storage account, using the Azure Cloud Services (AZURE_ACTIVITY) log type.

  4. Set an ingestion label on the feed: set Label to CIEM and Value to TRUE.
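Before configuring the feed in step 3, it is worth confirming that the storage account actually holds Administrative activity logs for every subscription you intend to analyze; a subscription skipped in step 2.4 or a diagnostic setting saved with the wrong log category is the usual reason CIEM produces no findings. The following is an added example, not code from the Security Command Center or Google SecOps documentation. It assumes the blob layout Azure Monitor uses when a diagnostic setting archives activity logs to a storage account (`resourceId=/SUBSCRIPTIONS/<id>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json`, one JSON record per line); the function names and the sample blobs are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Blob-name layout Azure Monitor uses for activity logs archived to a storage
# account (assumption based on the export format; not stated on the page):
#   resourceId=/SUBSCRIPTIONS/<SUB-ID>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json
BLOB_PATH = re.compile(
    r"resourceId=/SUBSCRIPTIONS/(?P<sub>[0-9A-Fa-f-]{36})/"
    r"y=\d{4}/m=\d{2}/d=\d{2}/h=\d{2}/m=\d{2}/PT1H\.json$"
)


def subscription_from_path(blob_name):
    """Return the lower-cased subscription ID encoded in a blob name, or None."""
    match = BLOB_PATH.search(blob_name)
    return match.group("sub").lower() if match else None


def categories_by_subscription(blobs):
    """Map each subscription to the log categories found in its blobs.

    blobs: iterable of (blob_name, blob_text). Each blob is newline-delimited
    JSON, one activity-log record per line. Returns ({sub: set(categories)},
    number_of_unparseable_lines). Unparseable lines are counted rather than
    fatal: the blob for the current hour is still being appended to.
    """
    seen = defaultdict(set)
    bad_lines = 0
    for name, text in blobs:
        sub = subscription_from_path(name)
        if sub is None:
            continue  # not an exported activity-log blob; ignore it
        for line in text.splitlines():
            if not line.strip():
                continue
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                bad_lines += 1
                continue
            seen[sub].add(str(record.get("category", "")))
    return dict(seen), bad_lines


def ciem_coverage(blobs, required_subscriptions):
    """Return (missing, bad_lines): the required subscriptions that have no
    Administrative records in the export, and the count of unparseable lines.

    CIEM needs Administrative activity logs for every subscription to be
    analyzed, so each required subscription must appear with that category.
    """
    seen, bad_lines = categories_by_subscription(blobs)
    missing = sorted(
        sub.lower() for sub in required_subscriptions
        if "Administrative" not in seen.get(sub.lower(), set())
    )
    return missing, bad_lines


# Constructed sample data for the example; not real export output.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SUB_C = "33333333-3333-3333-3333-333333333333"


def _blob_name(sub, hour):
    return (f"insights-activity-logs/resourceId=/SUBSCRIPTIONS/{sub.upper()}/"
            f"y=2024/m=05/d=01/h={hour:02d}/m=00/PT1H.json")


SAMPLE_BLOBS = [
    # SUB_A: diagnostic setting includes Administrative; the last line is a
    # half-written record because this hour is still being exported.
    (_blob_name(SUB_A, 10), "\n".join([
        json.dumps({"time": "2024-05-01T10:03:12Z", "category": "Administrative",
                    "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
                    "resultType": "Success"}),
        '{"time": "2024-05-01T10:59:5',
    ])),
    # SUB_B: only the Policy category was selected, so no role-assignment
    # activity reaches CIEM for this subscription.
    (_blob_name(SUB_B, 10), json.dumps({
        "time": "2024-05-01T10:15:00Z", "category": "Policy",
        "operationName": "MICROSOFT.AUTHORIZATION/POLICIES/AUDIT/ACTION"})),
    # Storage-analytics blob that is not an activity-log export at all.
    ("$logs/blob/2024/05/01/1000/000000.log", "1.0;2024-05-01T10:00:00Z;GetBlob"),
]
REQUIRED_SUBSCRIPTIONS = [SUB_A, SUB_B, SUB_C]  # SUB_C has no export yet


if __name__ == "__main__":
    missing, bad = ciem_coverage(SAMPLE_BLOBS, REQUIRED_SUBSCRIPTIONS)
    for sub in missing:
        print(f"missing Administrative activity logs: {sub}")
    print(f"unparseable lines: {bad}")
```

Run against a listing of the `insights-activity-logs` container (for example, blob names and contents downloaded with the Azure CLI or SDK), the check reports SUB_B (wrong category) and SUB_C (no diagnostic setting) as gaps while tolerating the partially written current-hour blob. Fix those gaps in step 2 before creating the feed, since the feed only forwards what the storage account contains.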

What's next