External Systems Configuration Guide

Microsoft Azure Audit

What is Discovered and Monitored

Protocol    Information Discovered    Information Collected    Used For
Azure CLI   None                      Audit Logs               Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Azure Audit" in the Search field to see the event types associated with this device.

Configuration

Configuration in Azure

You must define a user account in Azure for use by FortiSIEM to pull Audit logs. Use any of the following roles:

  • Owner
  • Reader
  • Monitoring Reader
  • Monitoring Contributor
  • Contributor

Notes:

  • These roles are defined only at the subscription level, and are not visible under the Users tab in Azure AD.
  • FortiSIEM recommends the 'Monitoring Reader' role, which is the least privileged role that can do the job.

Take the following steps to create and assign a role.

  1. Log in to the Azure portal.

  2. Navigate to Home > Subscriptions > Access control (IAM).

  3. Click Add role assignment.

  4. Search for and apply Monitoring Reader or Monitoring Contributor.

For more information on roles, see:

https://docs.microsoft.com/en-us/azure/azure-monitor/roles-permissions-security

and

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current

Configuration in FortiSIEM

Take the following steps for configuration.

Create Microsoft Azure Audit Credential in FortiSIEM

Complete these steps in the FortiSIEM UI after logging into the FortiSIEM supervisor node:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials” in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Settings               Description
      Name                   Enter a name for the credential.
      Device Type            Microsoft Azure Audit
      Access Protocol        Azure CLI
      Password Config        Choose Manual, CyberArk, or RAX_MSCloud from the drop-down list. For the Manual credential method, enter the username and credentials for an Azure account. FortiSIEM recommends using the 'Monitoring Reader' role for this account. For CyberArk or RAX_MSCloud, see Password Configuration.
      Azure Subscription ID  Enter the 32-digit GUID associated with your Azure subscription. In 6.3.0, to enter multiple subscription IDs, separate each ID by a space.

                             Examples:

                             Entering one subscription ID:

                             a0123bcd-e456-6f78-9112-gh3i4j56k789

                             Entering two subscription IDs:

                             a0123bcd-e456-6f78-9112-gh3i4j56k789 z9876yxv-u543-2t10-9876-sr5q4p32o109

      Account Env            In 6.3.0, you can choose AzureCloud, AzureChinaCloud, AzureGermanCloud, or AzureUSGovernmentCloud. Selecting AzureUSGovernmentCloud applies a GCC High environment.

                             Note: Prior to 6.3.0, the Azure CLI Agent only supported Global Azure, and did not support Azure China Cloud, Azure German Cloud, or Azure US Government Cloud.

      Organization           The organization the device belongs to.
      Description            Description of the device.
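The following Python script is an added example and is not part of this guide or of FortiSIEM. It ties together two points made above: the Azure Subscription ID field (one or, from 6.3.0, several space-separated GUIDs) and the recommendation to grant the collection account only Monitoring Reader at subscription scope. It validates the field, builds the `az role assignment create` command for that scope, and checks a listing of role assignments for accounts that hold a broader role than needed. The subscription IDs, the account name `fortisiem-collector@example.com` and the assignment records are constructed for the example; the records are shaped like the `principalName`, `roleDefinitionName` and `scope` keys that `az role assignment list -o json` prints, which is an assumption about that output rather than something the guide states. Note that the guide's own example IDs are placeholders; a real subscription ID is 32 hexadecimal digits, which is what this script checks.

```python
import re
import shlex
from typing import Dict, List

# Shape of a real Azure subscription ID: 32 hex digits in 8-4-4-4-12 groups.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Least-privilege role the guide recommends, and the full set of roles it accepts.
RECOMMENDED_ROLE = "Monitoring Reader"
ACCEPTED_ROLES = {"Owner", "Reader", "Monitoring Reader", "Monitoring Contributor", "Contributor"}

# Constructed sample values (not from the guide): two hex GUIDs as typed into the
# 'Azure Subscription ID' field, and assignment records shaped like az output.
SAMPLE_FIELD = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 11111111-2222-3333-4444-555555555555"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "fortisiem-collector@example.com",
     "roleDefinitionName": "Monitoring Reader",
     "scope": "/subscriptions/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
    {"principalName": "fortisiem-collector@example.com",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
    {"principalName": "someone-else@example.com",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/11111111-2222-3333-4444-555555555555"},
]


def parse_subscription_ids(field: str) -> List[str]:
    """Split the credential field on whitespace (the 6.3.0 multi-ID syntax) and
    reject any entry that is not a well-formed GUID."""
    ids = field.split()
    if not ids:
        raise ValueError("at least one subscription ID is required")
    for sub in ids:
        if not _GUID_RE.match(sub):
            raise ValueError(f"not a 32-hex-digit GUID: {sub!r}")
    return [s.lower() for s in ids]


def subscription_scope(sub_id: str) -> str:
    """Azure RBAC scope string for a whole subscription."""
    return f"/subscriptions/{sub_id}"


def role_assignment_argv(assignee: str, sub_id: str, role: str = RECOMMENDED_ROLE) -> List[str]:
    """argv for 'az role assignment create' granting `role` at subscription scope
    (step 3 and 4 of the portal procedure, expressed for the Azure CLI)."""
    return ["az", "role", "assignment", "create",
            "--assignee", assignee,
            "--role", role,
            "--scope", subscription_scope(sub_id)]


def audit_assignments(assignments: List[Dict[str, str]], assignee: str, sub_ids: List[str]) -> Dict[str, str]:
    """For each subscription FortiSIEM will pull from, report whether `assignee`
    holds exactly the recommended role, a broader accepted role, or nothing."""
    roles_by_scope = {subscription_scope(s): set() for s in sub_ids}
    for a in assignments:
        if a.get("principalName", "").lower() != assignee.lower():
            continue
        scope = a.get("scope", "").lower()
        if scope in roles_by_scope:
            roles_by_scope[scope].add(a.get("roleDefinitionName", ""))
    report = {}
    for scope, roles in roles_by_scope.items():
        broader = sorted(roles & (ACCEPTED_ROLES - {RECOMMENDED_ROLE}))
        if broader:
            report[scope] = "over-privileged: " + ", ".join(broader)
        elif RECOMMENDED_ROLE in roles:
            report[scope] = "ok"
        elif roles:
            report[scope] = "unexpected role(s): " + ", ".join(sorted(roles))
        else:
            report[scope] = "missing"
    return report


if __name__ == "__main__":
    account = "fortisiem-collector@example.com"  # hypothetical collection account
    subs = parse_subscription_ids(SAMPLE_FIELD)
    for sub in subs:
        print(shlex.join(role_assignment_argv(account, sub)))
    for scope, verdict in audit_assignments(SAMPLE_ASSIGNMENTS, account, subs).items():
        print(f"{scope}: {verdict}")
```

Run against a real tenant, the printed `az` lines are what an administrator would execute in place of the portal steps, and the listing passed to `audit_assignments` would come from `az role assignment list --assignee <account> -o json`. The over-privileged verdict covers Reader and Contributor as well as Owner, because the guide names Monitoring Reader as the narrowest role that suffices.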

Create IP Range to Credential Association and Test Connectivity in FortiSIEM

When logged in to the FortiSIEM Supervisor node, take the following steps.

  1. Go to ADMIN > Setup > Credentials.
  2. In Step 2: Enter IP Range to Credential Associations, click New.
    1. From the Credentials drop-down list, select the name of the credential created in the "Create Microsoft Azure Audit Credential" step.
      The IP/Host Name field auto-populates to azure.com.
    2. Click Save.
  3. Click the Test drop-down list and select Test Connectivity without Ping to test the connection.
  4. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Microsoft Audit Log Collection.

Sample Events for Microsoft Azure Audit

2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Doe.John@example.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative
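As an added example that is not part of this guide or of FortiSIEM, the Python script below parses the event layout shown above (a receive timestamp, the `FortiSIEM-Azure` source token, then comma-separated `[key]=value` fields) and runs a small check a defender would want over it: it lists Administrative-category operations whose status is Failed, pulls the subscription out of `resourceId`, and computes how far behind the Azure event time the line was received. The first sample line is the guide's own; the second is a constructed variant of the same layout with a successful read, so the filter has a benign record to leave alone. Reading the receive stamp as UTC is an assumption, since the line carries no zone.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# First line: the guide's sample event. Second line: constructed, same layout.
SAMPLE_EVENTS = [
    "2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,"
    "[caller]=Doe.John@example.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a"
    "/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,"
    "[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,"
    "[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative",
    "2016-02-26 15:20:41 FortiSIEM-Azure,[action]=Microsoft.Compute/virtualMachines/read,"
    "[caller]=monitor.svc@example.com,[level]=Informational,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a"
    "/resourcegroups/prod/providers/Microsoft.Compute/virtualMachines/web01,[resourceGroupName]=prod,"
    "[eventTimestamp]=2016-02-14T06:13:02.1000000Z,[status]=Succeeded,[subStatus]=OK,"
    "[resourceType]=Microsoft.Compute/virtualMachines,[category]=Administrative",
]

_HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([^,]+),(.*)$")
_KV_RE = re.compile(r"\[([^\]]+)\]=")
_SUB_RE = re.compile(r"/subscriptions/([0-9a-fA-F-]{36})")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one FortiSIEM-Azure line into a dict of its [key]=value fields plus
    the receive time and source token from the header."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event header: {line[:40]!r}")
    received, source, body = m.groups()
    ev = {"received": received, "source": source}
    # Split on the "[key]=" markers rather than on commas, so a value that itself
    # contains ',' or '=' (resource paths, status text) survives intact.
    parts = _KV_RE.split(body)  # ['', key1, 'value1,', key2, 'value2,', ...]
    for key, raw in zip(parts[1::2], parts[2::2]):
        ev[key] = raw.rstrip(",")
    return ev


def subscription_of(ev: Dict[str, str]) -> Optional[str]:
    """Subscription GUID embedded in the resourceId, if any."""
    m = _SUB_RE.search(ev.get("resourceId", ""))
    return m.group(1).lower() if m else None


def ingest_lag_seconds(ev: Dict[str, str]) -> int:
    """Seconds between Azure's eventTimestamp and the time FortiSIEM received the
    line. Assumption: the receive stamp has no zone and is taken as UTC."""
    received = datetime.strptime(ev["received"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # eventTimestamp carries seven fractional digits; drop the fraction and the Z.
    stamp = ev["eventTimestamp"].split(".")[0].rstrip("Z")
    occurred = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int((received - occurred).total_seconds())


def failed_admin_operations(lines: List[str]) -> List[Dict[str, object]]:
    """Administrative-category events whose status is Failed, with the caller,
    the attempted action, Azure's subStatus, the subscription and the lag."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("category") == "Administrative" and ev.get("status") == "Failed":
            hits.append({
                "caller": ev.get("caller"),
                "action": ev.get("action"),
                "subStatus": ev.get("subStatus"),
                "subscription": subscription_of(ev),
                "lag_seconds": ingest_lag_seconds(ev),
            })
    return hits


if __name__ == "__main__":
    for hit in failed_admin_operations(SAMPLE_EVENTS):
        print(hit)
```

On the guide's sample the check reports the failed shutdown by Doe.John@example.com with subStatus Conflict, and a lag of just over twelve days between the Azure event time and receipt, which is the kind of gap worth alerting on when validating that the Pull Events entry is actually collecting.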
