| Protocol | Information Discovered | Information Collected | Used For |
|---|---|---|---|
| Azure CLI | None | Audit Logs | Security Monitoring |
In ADMIN > Device Support > Event Types, search for "Azure Audit" in the Search field to see the event types associated with this device.
You must define a user account in Azure for FortiSIEM to use when pulling Audit logs, and assign that account one of the following Azure RBAC roles:
- Monitoring Reader
- Monitoring Contributor

These are Azure RBAC roles assigned at the subscription scope, not Azure AD directory roles, so they do not appear under the Users tab in Azure AD.
FortiSIEM recommends the Monitoring Reader role: it is the least privileged role that can read the audit logs, and it grants no write access to the subscription.
Take the following steps to assign the role to the FortiSIEM account:
- Log in to the Azure portal.
- Navigate to Home > Subscriptions, select the subscription to be monitored, and open Access control (IAM).
- Click Add role assignment.
- Search for and select Monitoring Reader (or Monitoring Contributor), then assign it to the FortiSIEM account.
For more information on roles, see:
Complete these steps in the FortiSIEM UI after logging in to the FortiSIEM Supervisor node:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
| Settings | Description |
|---|---|
| Name | Enter a name for the credential. |
| Device Type | Microsoft Azure Audit |
| Access Protocol | Azure CLI |
| Password Config | Choose Manual, CyberArk, or RAX_MSCloud from the drop-down list. For the Manual method, enter the user name and password of the Azure account created above; FortiSIEM recommends an account holding only the Monitoring Reader role. For CyberArk or RAX_MSCloud, see Password Configuration. |
| Azure Subscription ID | Enter the GUID of your Azure subscription (32 hexadecimal digits in 8-4-4-4-12 form). In 6.3.0, to monitor several subscriptions with one credential, enter their IDs separated by a single space: one subscription is entered as <subscription-id>, two as <subscription-id-1> <subscription-id-2>. |
| Organization | The organization the device belongs to. |
| Description | Description of the device. |

Azure cloud environment: in 6.3.0 you can choose AzureCloud, AzureChinaCloud, AzureGermanCloud, or AzureUSGovernmentCloud. Selecting AzureUSGovernmentCloud applies a GCC High environment.
Note: Prior to 6.3.0, the Azure CLI Agent only supported Global Azure (AzureCloud), and did not support Azure China Cloud, Azure German Cloud, or Azure US Government Cloud.
When logged in to the FortiSIEM Supervisor node, take the following steps.
- Go to ADMIN > Setup > Credentials.
- In Step 2: Enter IP Range to Credential Associations, click New.
- Enter a host name, an IP, or an IP range in the IP/Host Name field.
- Select the name of the credential created in the "Create Microsoft Azure Audit Credential" step from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
- Go to ADMIN > Setup > Pull Events and make sure an entry is created for Microsoft Audit Log Collection.
Sample event collected by this integration (a receipt timestamp, the FortiSIEM-Azure tag, then comma-separated [key]=value pairs taken from the Azure Activity Log record):
2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Doe.John@example.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative
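The following Python script is an added example and is not FortiSIEM or Microsoft code. It ties two parts of this page together: it validates a credential's Azure Subscription ID field using the rule given for that setting (one or more GUIDs separated by spaces), and it parses events in the FortiSIEM-Azure format shown in the sample above, then checks whether an event's resourceId falls inside one of the configured subscriptions and whether it records a failed Administrative action. The event embedded in the script is the page's own sample; the second subscription GUID used in the usage section is constructed, and all function names are the example author's own.

```python
"""Parse FortiSIEM-Azure audit events and check them against the credential's
configured Azure Subscription IDs.

Added example: not FortiSIEM or Microsoft code. The event layout (a receipt
timestamp, the FortiSIEM-Azure tag, then comma-separated [key]=value pairs) and
the space-separated subscription list follow the documentation page.
SAMPLE_EVENT is the page's own sample event; the second GUID in main() is
constructed.
"""
import re
from typing import Dict, List

# An Azure subscription ID is a GUID: 32 hex digits in 8-4-4-4-12 form.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Every field in the event body starts with a bracketed key followed by '='.
KEY_RE = re.compile(r"\[([A-Za-z0-9_]+)\]=")
EVENT_TAG = "FortiSIEM-Azure,"

# The sample event from the page, unchanged.
SAMPLE_EVENT = (
    "2016-02-26 15:19:10 FortiSIEM-Azure,"
    "[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,"
    "[caller]=Doe.John@example.com,[level]=Error,"
    "[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a"
    "/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,"
    "[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,"
    "[status]=Failed,[subStatus]=Conflict,"
    "[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative"
)


def parse_subscription_ids(field: str) -> List[str]:
    """Validate the Azure Subscription ID field: one or more GUIDs separated by
    spaces. Catching a malformed or comma-separated ID here is cheaper than
    discovering it at the first failed pull in ADMIN > Setup > Pull Events."""
    ids = field.split()
    if not ids:
        raise ValueError("at least one subscription ID is required")
    bad = [s for s in ids if not GUID_RE.match(s)]
    if bad:
        raise ValueError(f"not a subscription GUID: {bad}")
    return [s.lower() for s in ids]


def parse_event(line: str) -> Dict[str, str]:
    """Split a FortiSIEM-Azure line into its fields. Each value runs up to the
    next '[key]=' marker, so a value may itself contain commas."""
    head, tag, body = line.partition(EVENT_TAG)
    if not tag:
        raise ValueError("not a FortiSIEM-Azure event")
    fields = {"receivedTime": head.strip()}
    keys = list(KEY_RE.finditer(body))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[m.group(1)] = body[m.end():end].rstrip(",")
    return fields


def subscription_of(resource_id: str) -> str:
    """Return the subscription GUID from an ARM resourceId
    (/subscriptions/<guid>/resourcegroups/...)."""
    m = re.match(r"/subscriptions/([^/]+)", resource_id, re.IGNORECASE)
    if not m:
        raise ValueError(f"no subscription segment in {resource_id!r}")
    return m.group(1).lower()


def triage(line: str, configured_ids: str) -> Dict[str, object]:
    """Summarise one event: which subscription it belongs to, whether that
    subscription is one the credential was configured for, and whether it is a
    failed Administrative action (the kind of record worth an alert rule)."""
    ev = parse_event(line)
    sub = subscription_of(ev["resourceId"])
    return {
        "subscription": sub,
        "configured": sub in parse_subscription_ids(configured_ids),
        "failed_admin_action": ev.get("category") == "Administrative"
        and ev.get("status") == "Failed",
        "caller": ev.get("caller", ""),
        "action": ev.get("action", ""),
    }


if __name__ == "__main__":
    # Two-subscription form of the field; the second GUID is constructed.
    configured = ("3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a "
                  "11111111-2222-3333-4444-555555555555")
    for key, value in triage(SAMPLE_EVENT, configured).items():
        print(f"{key}: {value}")
```

Run as a script it prints the triage of the sample event; imported, the same functions can be fed lines exported from FortiSIEM to confirm that every collected event maps back to a subscription the credential was actually configured for, which is a quick check that the space-separated ID list was typed correctly.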