Ingest Microsoft Azure activity logs
Supported in:
This document describes the steps required to ingest Microsoft Azure activity logs
(AZURE_ACTIVITY
) into Google Security Operations.
Configure a Storage Account
Complete the following steps to configure a Storage account:
- In the Azure console, search for Storage accounts.
- Click Create.
- Select the Subscription, Resource Group, region, performance (recommend Standard), and Redundancy (recommend GRS or LRS) needed for the account, enter a name for the new Storage Account.
- Click Review + create, review the overview of the account and click Create.
- On the Storage Account Overview page, select Access keys from the left navigation of the window.
- Click Show keys and make a note of the shared key for the storage account.
- Select Endpoints from the left navigation of the window.
- Make a note of the Blob service endpoint. (https://<storageaccountname>.blob.core.windows.net/)
Configure Azure activity logging
Complete the following steps to configure Azure activity logging:
- In the Azure console, search for Monitor.
- Click the Activity log link in the left navigation of the page.
- Click the Export Activity Logs at the top of the window.
- Click Add diagnostic Setting.
- Select all the categories you wish to export to Google Security Operations.
- Under Destination details select Archive to a storage account.
- Select the subscription and storage account you created in the previous step.
- Click Save.
Configure a feed in Google Security Operations to ingest the Azure logs
Complete the following steps to configure a feed in Google Security Operations to ingest the Azure logs:
- Go to Google Security Operations settings, and click Feeds.
- Click Add New.
- Select Microsoft Azure Blob Storage for Source Type.
- Select Microsoft Azure Activity for Log Type.
- Click Next.
- Under Azure URI, enter the Blob Service endpoint value you recorded earlier, suffixed with insights-activity-logs (for example, https://acme-azure-chronicle.blob.core.windows.net/insights-activity-logs)
- Under URI Source Type select Directories including subdirectories.
- Under Shared key, enter the shared key value you captured earlier.
- Click Next and Finish.