Microsoft Azure Audit
What is Discovered and Monitored
Protocol | Information Discovered | Information Collected | Used For |
---|---|---|---|
Azure CLI | None | Audit Logs | Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "Azure Audit" in the Search field to see the event types associated with this device.
Configuration
Configuration in Azure
You must define a user account in Azure for use by FortiSIEM to pull Audit logs, and assign it one of the following roles on the subscription whose logs are collected:
- Owner
- Reader
- Monitoring Reader
- Monitoring Contributor
- Contributor
Notes:
- These roles are Azure RBAC roles assigned at the subscription level; they are not visible under the Users tab in Entra ID (formerly Azure AD).
- FortiSIEM recommends the 'Monitoring Reader' role, which is the least privileged of the five that can do the job. Owner, Contributor, and Monitoring Contributor grant write access that log collection never needs, and Reader grants read access to every resource rather than only monitoring data.
Take the following steps to assign the role:
- Log in to the Azure portal.
- Navigate to Home > Subscriptions, select the subscription, and open Access control (IAM).
- Click Add role assignment.
- Search for and select Monitoring Reader (or Monitoring Contributor), then assign it to the FortiSIEM account.
For more information on roles, see:
https://docs.microsoft.com/en-us/azure/azure-monitor/roles-permissions-security
and
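The same assignment can be scripted with the Azure CLI, which is also the access protocol FortiSIEM uses. The POSIX shell script below is an added example, not FortiSIEM's or Microsoft's own code: it validates the subscription ID format, grants Monitoring Reader at subscription scope, and then lists what the account holds at that scope so that any broader role (Contributor, Owner) stands out. It assumes `az login` has already been run by an identity allowed to assign roles, and that the FortiSIEM account already exists; the assignee may be a user sign-in name or a service principal object ID.

```shell
#!/bin/sh
# Added example, not FortiSIEM's or Microsoft's own code: the Azure CLI
# equivalent of the portal steps above. Assumes `az login` has already been
# done by an identity allowed to assign roles on the subscription, and that
# the FortiSIEM account already exists (user UPN or service principal object
# ID both work as the assignee).

ROLE="Monitoring Reader"   # the least-privileged role FortiSIEM recommends

# is_guid VALUE: succeed when VALUE is a GUID (8-4-4-4-12 hex digits),
# which is the format of an Azure subscription ID
is_guid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# assign_monitoring_reader ASSIGNEE SUBSCRIPTION_ID: grant Monitoring Reader
# at subscription scope, the scope the notes above say the role lives at
assign_monitoring_reader() {
  is_guid "$2" || { echo "not a subscription GUID: $2" >&2; return 1; }
  az role assignment create \
    --assignee "$1" \
    --role "$ROLE" \
    --scope "/subscriptions/$2"
}

# list_subscription_roles ASSIGNEE SUBSCRIPTION_ID: print every role the
# assignee holds at subscription scope; anything beyond Monitoring Reader
# (Reader, Contributor, Owner) is more privilege than log collection needs
list_subscription_roles() {
  is_guid "$2" || { echo "not a subscription GUID: $2" >&2; return 1; }
  az role assignment list \
    --assignee "$1" \
    --scope "/subscriptions/$2" \
    --query '[].roleDefinitionName' -o tsv
}

# Stand-alone usage (hypothetical account name):
#   ./grant.sh fortisiem-collector@example.com <subscription-id>
if [ "$#" -eq 2 ]; then
  assign_monitoring_reader "$1" "$2" && list_subscription_roles "$1" "$2"
fi
```

For the non-global environments that the Account Env field accepts, point the CLI at the right cloud first (for example `az cloud set --name AzureUSGovernment` or `az cloud set --name AzureChinaCloud`) before running `az login`; otherwise the role assignment goes to the wrong tenant.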
Configuration in FortiSIEM
Take the following steps for configuration.
Create Microsoft Azure Audit Credential in FortiSIEM
Complete these steps in the FortiSIEM UI after logging into the FortiSIEM supervisor node:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings | Description |
---|---|
Name | Enter a name for the credential. |
Device Type | Microsoft Azure Audit |
Access Protocol | Azure CLI |
Password Config | Choose Manual, CyberArk, or RAX_MSCloud from the drop-down list. For Manual, enter the user name and password of the Azure account; FortiSIEM recommends the 'Monitoring Reader' role for this account. For CyberArk or RAX_MSCloud, see Password Configuration. |
Azure Subscription ID | Enter the GUID of your Azure subscription: 32 hexadecimal digits in 8-4-4-4-12 form. From 6.3.0, you can enter multiple subscription IDs separated by a space. Example of one subscription ID (placeholder value): a0123bcd-e456-6f78-9112-0a3b4c56d789. Example of two subscription IDs (placeholder values): a0123bcd-e456-6f78-9112-0a3b4c56d789 f9876edc-b543-2a10-9876-fe5d4c32b109 |
Account Env | From 6.3.0, choose AzureCloud, AzureChinaCloud, AzureGermanCloud, or AzureUSGovernmentCloud. Selecting AzureUSGovernmentCloud applies a GCC High environment. Note: prior to 6.3.0, the Azure CLI agent supported only global Azure, not Azure China Cloud, Azure German Cloud, or Azure US Government Cloud. |
Organization | The organization the device belongs to. |
Description | Description of the device. |
Create IP Range to Credential Association and Test Connectivity in FortiSIEM
When logged in to the FortiSIEM Supervisor node, take the following steps.
- Go to ADMIN > Setup > Credentials.
- In Step 2: Enter IP Range to Credential Associations, click New.
- From the Credentials drop-down list, select the name of the credential created in the "Create Microsoft Azure Audit Credential" step. The IP/Host Name field auto-populates to azure.com.
- Click Save.
- Select the association you just created, then click the Test drop-down list and select Test Connectivity without Ping to test the connection.
- Go to ADMIN > Setup > Pull Events and confirm that an entry has been created for Microsoft Audit Log Collection.
Sample Events for Microsoft Azure Audit
2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Doe.John@example.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative
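The sample above shows the layout FortiSIEM uses for these events: a receive timestamp and reporting device, then comma-separated `[key]=value` fields. The POSIX shell script below is an added example, not FortiSIEM code: it pulls individual fields out of that layout, recovers the subscription GUID from resourceId, and flags failed Administrative operations, which are the events worth a closer look (a shutdown that fails with Conflict, as above, often means someone raced a running operation or lacked the right on that resource). The first sample line is the event from this page; the second is a constructed success event added for contrast.

```shell
#!/bin/sh
# Added example, not FortiSIEM code: extract fields from the bracketed
# "[key]=value" layout of the sample event above and flag failed
# Administrative operations. EVENT1 is the event shown on this page;
# EVENT2 is a constructed success event (role assignment written) used
# for contrast.
EVENT1='2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Doe.John@example.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative'
EVENT2='2016-02-26 15:20:02 FortiSIEM-Azure,[action]=Microsoft.Authorization/roleAssignments/write,[caller]=Doe.John@example.com,[level]=Informational,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:13:00.0000000Z,[status]=Succeeded,[subStatus]=Created,[resourceType]=Microsoft.Authorization/roleAssignments,[category]=Administrative'

# azure_field NAME EVENT: print the value of [NAME]=... ; prints nothing
# when the field is absent. A value runs up to the next comma, which is
# how the sample event delimits fields.
azure_field() {
  printf '%s\n' "$2" | sed -n "s/.*\[$1\]=\([^,]*\).*/\1/p"
}

# subscription_of EVENT: the subscription GUID embedded in resourceId,
# useful for checking that an event belongs to a configured subscription
subscription_of() {
  azure_field resourceId "$1" | sed -n 's#^/subscriptions/\([^/]*\)/.*#\1#p'
}

# failed_admin_op EVENT: exit 0 and print "caller action subStatus" when
# the event is an Administrative operation that failed; exit 1 otherwise
failed_admin_op() {
  [ "$(azure_field category "$1")" = "Administrative" ] || return 1
  [ "$(azure_field status "$1")" = "Failed" ] || return 1
  printf '%s %s %s\n' "$(azure_field caller "$1")" \
                      "$(azure_field action "$1")" \
                      "$(azure_field subStatus "$1")"
}

# scan_events: read events on stdin, one per line, print one alert line
# per failed Administrative operation
scan_events() {
  while IFS= read -r line; do
    failed_admin_op "$line" || true
  done
}

# Stand-alone run over the two sample events: only EVENT1 is reported
printf '%s\n%s\n' "$EVENT1" "$EVENT2" | scan_events
```

The comma-delimited extraction is adequate for the fields shown here; a field whose value itself contains a comma would need a real parser rather than `sed`, and the live Activity Log carries more fields than this sample, so treat the script as an illustration of the format rather than a replacement for the event types FortiSIEM already defines.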