Collect Azure Storage Audit logs

This document explains how to export Azure Storage Audit logs to Google Security Operations using an Azure Storage Account. The parser processes logs in JSON format, transforming them into the Unified Data Model (UDM). It extracts fields from the raw log, performs data type conversions, enriches the data with additional context (like user agent parsing and IP address breakdown), and maps the extracted fields to the corresponding UDM fields.

Before You Begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have an active Azure tenant.
  • Ensure that you have privileged access to Azure.

Configure Azure Storage Account

  1. In the Azure console, search for Storage accounts.
  2. Click Create.
  3. Specify values for the following input parameters:
    • Subscription: select the subscription.
    • Resource Group: select the resource group.
    • Region: select the region.
    • Performance: select the performance (Standard recommended).
    • Redundancy: select the redundancy (GRS or LRS recommended).
    • Storage account name: enter a name for the new storage account.
  4. Click Review + create.
  5. Review the overview of the account and click Create.
  6. From the Storage Account Overview page, select the Access keys submenu in Security + networking.
  7. Click Show next to key1 or key2.
  8. Click Copy to clipboard to copy the key.
  9. Save the key in a secure location for later use.
  10. From the Storage Account Overview page, select the Endpoints submenu in Settings.
  11. Click Copy to clipboard to copy the Blob service endpoint URL; for example, https://<storageaccountname>.blob.core.windows.net.
  12. Save the endpoint URL in a secure location for later use.

Configure Log Export for Azure Storage Audit Logs

  1. Sign in to the Azure Portal using your privileged account.
  2. Go to Storage Accounts > Diagnostic Settings.
  3. Click + Add diagnostic setting.
  4. Select the diagnostic settings for blob, queue, table and file.
    • Select the allLogs option in Category groups for each diagnostic setting.
    • Enter a descriptive name for each diagnostic setting.
  5. Select the Archive to a storage account checkbox as the destination.
    • Specify the Subscription and Storage Account.
  6. Click Save.

Configure a feed in Google SecOps to ingest the Azure Storage Audit logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Azure Storage Audit Logs.
  4. Select Microsoft Azure Blob Storage as the Source type.
  5. Select Azure Storage Audit as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:

    • Azure URI: the blob endpoint URL, in the form ENDPOINT_URL/BLOB_NAME. Replace the following:
      • ENDPOINT_URL: the blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
      • BLOB_NAME: the name of the blob (for example, <logname>-logs)
    • URI is a: select the URI type according to the log stream configuration (Single file | Directory | Directory which includes subdirectories).
    • Source deletion options: select the deletion option according to your preference.
    • Shared key: the access key to the Azure Blob Storage.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field | UDM Mapping | Logic
callerIpAddress | principal.asset.ip | The IP address is extracted from the callerIpAddress field using a grok pattern and assigned to principal.asset.ip.
callerIpAddress | principal.ip | The IP address is extracted from the callerIpAddress field using a grok pattern and assigned to principal.ip.
callerIpAddress | principal.port | The port number is extracted from the callerIpAddress field using a grok pattern and assigned to principal.port.
category | security_result.category_details | The value of the category field is assigned to security_result.category_details.
correlationId | security_result.detection_fields[0].key | The literal string correlationId is assigned to the key field.
correlationId | security_result.detection_fields[0].value | The value of the correlationId field is assigned to security_result.detection_fields[0].value.
time | metadata.event_timestamp | The value of the time field is parsed as a timestamp and assigned to event.idm.read_only_udm.metadata.event_timestamp.
category | metadata.event_type | If category is StorageWrite and principal.user.userid exists (derived from properties.accountName), the value is set to USER_RESOURCE_UPDATE_CONTENT. If category is StorageDelete and principal.user.userid exists, the value is set to USER_RESOURCE_DELETION. Otherwise, the value is set to USER_RESOURCE_ACCESS.
 | metadata.log_type | The literal string AZURE_STORAGE_AUDIT is assigned to event.idm.read_only_udm.metadata.log_type.
 | metadata.product_name | The literal string AZURE_STORAGE_AUDIT is assigned to event.idm.read_only_udm.metadata.product_name.
schemaVersion | metadata.product_version | The value of the schemaVersion field is assigned to event.idm.read_only_udm.metadata.product_version.
 | metadata.vendor_name | The literal string AZURE_STORAGE_AUDIT is assigned to event.idm.read_only_udm.metadata.vendor_name.
location | target.location.name | The value of the location field is assigned to target.location.name.
operationName | additional.fields[x].key | The literal string operationName is assigned to the key field.
operationName | additional.fields[x].value.string_value | The value of the operationName field is assigned to additional.fields[x].value.string_value.
operationVersion | additional.fields[x].key | The literal string operationVersion is assigned to the key field.
operationVersion | additional.fields[x].value.string_value | The value of the operationVersion field is assigned to additional.fields[x].value.string_value.
properties.accountName | principal.user.userid | The value of the properties.accountName field is assigned to principal.user.userid.
properties.clientRequestId | additional.fields[x].key | The literal string clientRequestId is assigned to the key field.
properties.clientRequestId | additional.fields[x].value.string_value | The value of the properties.clientRequestId field is assigned to additional.fields[x].value.string_value.
properties.etag | additional.fields[x].key | The literal string etag is assigned to the key field.
properties.etag | additional.fields[x].value.string_value | The value of the properties.etag field is assigned to additional.fields[x].value.string_value.
properties.objectKey | additional.fields[x].key | The literal string objectKey is assigned to the key field.
properties.objectKey | additional.fields[x].value.string_value | The value of the properties.objectKey field is assigned to additional.fields[x].value.string_value.
properties.requestMd5 | additional.fields[x].key | The literal string requestMd5 is assigned to the key field.
properties.requestMd5 | additional.fields[x].value.string_value | The value of the properties.requestMd5 field is assigned to additional.fields[x].value.string_value.
properties.responseMd5 | additional.fields[x].key | The literal string responseMd5 is assigned to the key field.
properties.responseMd5 | additional.fields[x].value.string_value | The value of the properties.responseMd5 field is assigned to additional.fields[x].value.string_value.
properties.serviceType | additional.fields[x].key | The literal string serviceType is assigned to the key field.
properties.serviceType | additional.fields[x].value.string_value | The value of the properties.serviceType field is assigned to additional.fields[x].value.string_value.
properties.tlsVersion | network.tls.version | The value of the properties.tlsVersion field is assigned to network.tls.version.
properties.userAgentHeader | network.http.parsed_user_agent | The value of the properties.userAgentHeader field is parsed as a user agent string and assigned to network.http.parsed_user_agent.
properties.userAgentHeader | network.http.user_agent | The value of the properties.userAgentHeader field is assigned to network.http.user_agent.
protocol | network.application_protocol | The value of the protocol field is assigned to network.application_protocol.
resourceId | target.resource.id | The value of the resourceId field is assigned to target.resource.id.
resourceId | target.resource.product_object_id | The value of the resourceId field is assigned to target.resource.product_object_id.
 | target.resource.resource_type | The literal string DATABASE is assigned to target.resource.resource_type.
resourceType | additional.fields[x].key | The literal string resourceType is assigned to the key field.
resourceType | additional.fields[x].value.string_value | The value of the resourceType field is assigned to additional.fields[x].value.string_value.
statusText | security_result.action | If statusText is Success, the value is set to ALLOW.
statusCode | network.http.response_code | The value of the statusCode field is converted to an integer and assigned to network.http.response_code.
 | target.cloud.environment | The literal string MICROSOFT_AZURE is assigned to target.cloud.environment.
time | timestamp | The value of the time field is parsed as a timestamp and assigned to timestamp.
uri | network.http.referral_url | The value of the uri field is assigned to network.http.referral_url.
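The table above states the parser's rules in prose. The Python script below is an added illustration, not the Google SecOps parser or any Google code: it applies the same rules (grok-style split of callerIpAddress into address and port, the category-plus-userid event-type decision, statusText Success to ALLOW, the string-to-integer conversion of statusCode, and the literal metadata values) to a constructed sample record so you can check what a given event will look like before it reaches the feed. The sample values, the IPv4-only "address:port" regex, and the handling of the user agent (kept only as the raw string; the parser's user-agent parsing is not replicated) are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample event (not captured from a real tenant); the field names follow
# the Azure Storage resource-log schema used in the mapping table.
SAMPLE_LOG = json.dumps({
    "time": "2024-05-01T12:34:56.7890000Z",
    "resourceId": "/subscriptions/<subscription-id>/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/examplestorage/blobServices/default",
    "category": "StorageWrite",
    "operationName": "PutBlob",
    "operationVersion": "2020-04-08",
    "schemaVersion": "1.0",
    "statusCode": "201",
    "statusText": "Success",
    "correlationId": "11111111-2222-3333-4444-555555555555",
    "callerIpAddress": "203.0.113.10:51234",
    "location": "westeurope",
    "protocol": "HTTPS",
    "uri": "https://examplestorage.blob.core.windows.net/container/report.csv",
    "properties": {
        "accountName": "examplestorage",
        "userAgentHeader": "AzCopy/10.21.0",
        "tlsVersion": "TLS 1.2",
        "serviceType": "blob",
    },
})

# Mirrors the grok split of callerIpAddress into address and port (IPv4 "a.b.c.d:port" assumed).
CALLER_RE = re.compile(r"^(?P<ip>[^:]+):(?P<port>\d+)$")

# Fields copied verbatim into additional.fields under their own leaf name (see the table).
ADDITIONAL_TOP = ("operationName", "operationVersion", "resourceType")
ADDITIONAL_PROPS = ("clientRequestId", "etag", "objectKey", "requestMd5", "responseMd5", "serviceType")


def parse_time(value: str) -> datetime:
    """Parse Azure's ISO-8601 time (up to seven fractional digits, trailing Z) as UTC."""
    m = re.match(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$", value)
    if not m:
        raise ValueError(f"unexpected time format: {value}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")  # strptime accepts at most six digits
    return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def event_type(category, userid) -> str:
    """Event-type rule from the table: write/delete count as user actions only with a userid."""
    if userid and category == "StorageWrite":
        return "USER_RESOURCE_UPDATE_CONTENT"
    if userid and category == "StorageDelete":
        return "USER_RESOURCE_DELETION"
    return "USER_RESOURCE_ACCESS"


def map_to_udm(raw: str) -> dict:
    """Apply the table's rules to one raw JSON log line and return a UDM-shaped dict."""
    log = json.loads(raw)
    props = log.get("properties") or {}
    userid = props.get("accountName")
    udm = {
        "metadata": {
            "event_timestamp": parse_time(log["time"]).isoformat(),
            "event_type": event_type(log.get("category"), userid),
            "log_type": "AZURE_STORAGE_AUDIT", "product_name": "AZURE_STORAGE_AUDIT",
            "vendor_name": "AZURE_STORAGE_AUDIT", "product_version": log.get("schemaVersion"),
        },
        "principal": {"user": {"userid": userid}} if userid else {},
        "target": {"cloud": {"environment": "MICROSOFT_AZURE"},
                   "location": {"name": log.get("location")},
                   "resource": {"resource_type": "DATABASE", "id": log.get("resourceId"),
                                "product_object_id": log.get("resourceId")}},
        "network": {"application_protocol": log.get("protocol"),
                    "http": {"user_agent": props.get("userAgentHeader"), "referral_url": log.get("uri")},
                    "tls": {"version": props.get("tlsVersion")}},
        "security_result": {"category_details": log.get("category"),
                            "detection_fields": [{"key": "correlationId", "value": log.get("correlationId")}]},
        "additional": {"fields": []},
    }
    m = CALLER_RE.match(log.get("callerIpAddress") or "")
    if m:  # the grok pattern only fires when both address and port are present
        udm["principal"].update(ip=m.group("ip"), asset={"ip": m.group("ip")}, port=int(m.group("port")))
    if log.get("statusText") == "Success":
        udm["security_result"]["action"] = "ALLOW"
    if log.get("statusCode") is not None:  # Azure emits the code as a string; UDM wants an integer
        udm["network"]["http"]["response_code"] = int(log["statusCode"])
    pairs = [(n, log.get(n)) for n in ADDITIONAL_TOP] + [(n, props.get(n)) for n in ADDITIONAL_PROPS]
    for name, value in pairs:
        if value is not None:
            udm["additional"]["fields"].append({"key": name, "value": {"string_value": str(value)}})
    return udm


if __name__ == "__main__":
    print(json.dumps(map_to_udm(SAMPLE_LOG), indent=2))
```

Running the script prints the UDM-shaped result for the sample write event; swapping the category to StorageDelete, or removing properties.accountName, shows how the event_type rule changes the outcome. A useful sanity check when onboarding a new storage account is to feed one line from the exported blob through this mapping and confirm that callerIpAddress actually carries a port (otherwise the grok split yields no principal.ip at all) and that statusCode is numeric.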

Changes

2024-12-12

  • Mapped identity.tokenHash, identity.type, identity.requester.appId, identity.requester.tenantId, identity.requester.tokenIssuer, properties.sourceAccessTier, principal.type, auth.action, auth.roleAssignmentId, and auth.roleDefinitionId to additional.fields.
  • Mapped identity.requester.upn to src.user.userid.
  • Mapped identity.requester.objectId to src.user.product_object_id.

2024-12-06

  • Mapped smbCommandMinor to security_result.action_details.

2024-07-31

  • Initialized statusText and correlationId to null.

2024-04-08

  • Newly created parser.
