[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis document provides instructions on how to export Azure APP Service logs to Google Security Operations, enabling the logs to be parsed into a structured Unified Data Model (UDM) format.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves configuring an Azure Storage Account to store the logs, setting up log export from Azure App Services, and creating a feed in Google SecOps to ingest the logs from the storage account.\u003c/p\u003e\n"],["\u003cp\u003eA detailed UDM mapping table is provided, which shows how various log fields from Azure APP Service logs are transformed and mapped to corresponding UDM fields.\u003c/p\u003e\n"],["\u003cp\u003eThe content includes required prerequisites such as having a Google SecOps instance, an active Azure tenant, and privileged access to Azure.\u003c/p\u003e\n"],["\u003cp\u003eThe document outlines recent enhancements and changes made to the log parsing process, including updates to field mappings and support for new log formats.\u003c/p\u003e\n"]]],[],null,["# Collect Azure APP Service logs\n==============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to export Azure APP Service logs to Google Security Operations using an Azure Storage Account. The parser transforms raw JSON formatted Azure App Service logs into a structured Unified Data Model (UDM). It extracts relevant fields from the raw logs, performs data cleaning and normalization, and maps the extracted information to corresponding UDM fields, ultimately outputting a UDM-compliant JSON object for each log entry.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- An active Azure tenant\n- Privileged access to Azure\n\nConfigure Azure Storage Account\n-------------------------------\n\n1. In the Azure console, search for **Storage accounts**.\n2. Click **+ Create**.\n3. Specify values for the following input parameters:\n - **Subscription**: Select the subscription.\n - **Resource Group**: Select the resource group.\n - **Region**: Select the region.\n - **Performance**: Select the performance (Standard recommended).\n - **Redundancy**: Select the redundancy (GRS or LRS recommended).\n - **Storage account name**: Enter a name for the new storage account.\n4. Click **Review + create**.\n5. Review the overview of the account and click **Create**.\n6. From the **Storage Account Overview** page, select the **Access keys** submenu in **Security + networking**.\n7. Click **Show** next to **key1** or **key2**.\n8. Click **Copy to clipboard** to copy the key.\n9. Save the key in a secure location for later use.\n10. From the **Storage Account Overview** page, select the **Endpoints** submenu in **Settings**.\n11. Click **Copy to clipboard** to copy the **Blob service** endpoint URL; for example, `https://\u003cstorageaccountname\u003e.blob.core.windows.net`.\n12. Save the endpoint URL in a secure location for later use.\n\nHow to configure Log Export for Azure APP Service Logs\n------------------------------------------------------\n\n1. Sign in to the **Azure Portal** using your privileged account.\n2. Go to **App Services** and select the required app service in use.\n3. Select **Monitoring \\\u003e App Service Logs**.\n4. Turn **ON** for **Application Logging (blob)**.\n5. Select **Storage** under **Web Service Logging**.\n6. Select the **Subscription** and **Storage Account**.\n7. Define the **Retention Period** and **Quota** according to your requirements.\n8. Turn **ON** for **Detailed error messages**.\n9. Turn **ON** for **Failed request tracing**.\n10. Click **Save**.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Azure App Service feed\n----------------------------------------\n\n1. Click the **Azure Platform** pack.\n2. Locate the **Azure App Service** log type and click **Add new feed**.\n3. Specify values for the following fields:\n\n - **Source Type**: Microsoft Azure Blob Storage V2.\n - **Azure URI** : The blob endpoint URL.\n - `ENDPOINT_URL/BLOB_NAME`\n - Replace the following:\n - `ENDPOINT_URL`: The blob endpoint URL (`https://\u003cstorageaccountname\u003e.blob.core.windows.net`)\n - `BLOB_NAME`: The name of the blob (such as, `\u003clogname\u003e-logs`)\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Includes files modified in the last number of days.\n Default is 180 days.\n\n - **Shared key**: The access key to the Azure Blob Storage.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace** : [Namespace associated with the feed](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]