The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Microsoft Azure require the ingestion of Microsoft Azure logs using the Security Operations console ingestion pipeline. The Microsoft Azure log types required for ingestion differ based on what you are configuring:
- CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.
- Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see Supported devices and required log types.
Curated detections
Curated detections in the Enterprise tier of Security Command Center help identify threats in Microsoft Azure environments using both event and context data.
These rule sets require the following data to function as designed. You must ingest Azure data from each of these data sources to have maximum rule coverage.
- Azure cloud services
- Microsoft Entra ID, previously Azure Active Directory
- Microsoft Entra ID audit logs, previously Azure AD audit logs
- Microsoft Defender for Cloud
- Microsoft Graph API Activity
For more information, see the following in the Google SecOps documentation:
- Supported devices and required log types for Azure: information about the data required by each rule set.
- Ingest Azure and Microsoft Entra ID data: steps to collect Azure and Microsoft Entra ID log data.
- Curated detections for Azure data: summary of the Azure rule sets in the Cloud Threats Category curated detections.
- Use curated detections to identify threats: how to use curated detections in Google SecOps.
For information about the type of log data that customers with Security Command Center Enterprise can ingest directly to the Google SecOps tenant, see Google SecOps log data collection.
Configure Microsoft Azure log ingestion for CIEM
To generate CIEM findings for your Microsoft Azure environment, the CIEM capabilities require data from Azure activity logs for each Azure subscription that needs to be analyzed.
To configure Microsoft Azure log ingestion for CIEM, do the following:
- To export activity logs for your Azure subscriptions, configure a Microsoft Azure storage account.
- Configure Azure activity logging:
  - In the Azure console, search for Monitor.
  - In the left navigation pane, click the Activity log link.
  - Click Export Activity Logs.
  - Perform the following actions for each subscription for which logs need to be exported:
    - In the subscription menu, select the Microsoft Azure subscription from which you want to export activity logs.
    - Click Add diagnostic setting.
    - Enter a name for the diagnostic setting.
    - In Log categories, select Administrative.
    - In Destination details, select Archive to a storage account.
    - Select the subscription and storage account that you created, and click Save.
- To ingest the exported activity logs from the storage account, configure a feed in the Security Operations console. Set an ingestion label for the feed by setting Label to CIEM and Value to TRUE.
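The portal procedure above, as an added example that is not part of the Google Cloud documentation: the same subscription-level diagnostic setting created with the Azure CLI for every subscription that CIEM should analyze, then checked against the expected storage account so that no subscription is silently left out of the feed. It assumes `az login` has already been done and that the storage account from the first step exists; the setting name `ciem-activity-log`, the `AZ` override variable and the `CIEM_APPLY` guard are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example, not from the Google Cloud or Azure documentation.
# Assumes: `az login` already done; the storage account from step 1 exists.
set -eu

# Override with AZ=echo to print the az commands instead of running them.
AZ="${AZ:-az}"

# Step 2 of the procedure for one subscription: create a subscription-level
# diagnostic setting that archives Administrative activity-log events to the
# storage account (resource ID). Mirrors Add diagnostic setting -> Log
# categories: Administrative -> Destination: Archive to a storage account.
export_activity_log() {
  sub_id="$1"; setting_name="$2"; storage_id="$3"; location="$4"
  "$AZ" monitor diagnostic-settings subscription create \
    --subscription "$sub_id" \
    --name "$setting_name" \
    --location "$location" \
    --storage-account "$storage_id" \
    --logs '[{"category": "Administrative", "enabled": true}]'
}

# Post-check: the setting exists and points at the expected storage account,
# so a subscription is not silently missing from the CIEM feed.
verify_activity_log_export() {
  sub_id="$1"; setting_name="$2"; storage_id="$3"
  actual="$("$AZ" monitor diagnostic-settings subscription show \
    --subscription "$sub_id" --name "$setting_name" \
    --query storageAccountId -o tsv)"
  [ "$actual" = "$storage_id" ]
}

# Apply to every subscription visible to the logged-in account.
# $1 = storage account resource ID, $2 = Azure region for the setting (default eastus).
main() {
  storage_id="$1"; location="${2:-eastus}"
  for sub_id in $("$AZ" account list --query "[].id" -o tsv); do
    export_activity_log "$sub_id" "ciem-activity-log" "$storage_id" "$location"
    verify_activity_log_export "$sub_id" "ciem-activity-log" "$storage_id"
  done
}

# Guarded so the file can be sourced; run with CIEM_APPLY=1 to make changes.
if [ "${CIEM_APPLY:-0}" = "1" ]; then
  main "$@"
fi
```

Preview the exact commands with `AZ=echo CIEM_APPLY=1 sh export_activity_logs.sh <storage-account-resource-id>` before running them against the tenant.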
What's next
- To enable CIEM, see Enable the CIEM detection service.
- To learn more about CIEM features, see Overview of CIEM.