Conéctate a Microsoft Azure para la recopilación de datos de registro
Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
Las detecciones seleccionadas, la investigación de amenazas y las capacidades de Cloud Infrastructure Entitlement Management (CIEM) de Security Command Center para Microsoft Azure requieren la transferencia de registros de Microsoft Azure a través de la canalización de transferencia de la consola de Operaciones de seguridad. Los tipos de registros de Microsoft Azure necesarios para la transferencia varían según lo que configures:
La CIEM requiere datos del tipo de registro de Azure Cloud Services (AZURE_ACTIVITY).
Las detecciones seleccionadas requieren datos de varios tipos de registros.
Para obtener más información sobre los diferentes tipos de registros de Microsoft Azure, consulta Dispositivos compatibles y tipos de registros obligatorios.
Detecciones seleccionadas
Las detecciones seleccionadas en el nivel Enterprise de Security Command Center ayudan a identificar amenazas en entornos de Microsoft Azure con datos de eventos y de contexto.
Estos conjuntos de reglas requieren los siguientes datos para funcionar según lo previsto. Debes ingerir datos de Azure desde cada una de estas fuentes de datos para tener la máxima cobertura de reglas.
Para obtener información sobre el tipo de datos de registro que los clientes de Security Command Center Enterprise pueden transferir directamente al arrendatario de Google SecOps, consulta Recopilación de datos de registro de Google SecOps.
Configura la transferencia de registros de Microsoft Azure para CIEM
Para generar resultados de la CIEM en tu entorno de Microsoft Azure, las capacidades de la CIEM requieren datos de los registros de actividad de Azure para cada suscripción o grupo de administración de Azure que se deba analizar.
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-05 (UTC)"],[],[],null,["| Enterprise [service tier](/security-command-center/docs/service-tiers)\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThe Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM)\ncapabilities for Microsoft Azure require the ingestion of Microsoft Azure logs\nusing the Security Operations console ingestion pipeline. The Microsoft Azure log\ntypes required for ingestion differ based on what you are configuring:\n\n- CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.\n- Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see [Supported devices and required log types](/chronicle/docs/detection/cloud-threats-category#azure-supported-devices).\n\nCurated detections\n\nCurated detections in the Enterprise tier of Security Command Center help identify threats in\nMicrosoft Azure environments using both event and context data.\n\nThese rule sets require the following data to function as designed. You must ingest\nAzure data from each of these data sources to have maximum rule coverage.\n\n- [Azure cloud services](https://azure.microsoft.com/en-us/free/cloud-services/)\n- [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/), previously Azure Active Directory\n- [Microsoft Entra ID audit logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs), previously Azure AD audit logs\n- [Microsoft Defender for Cloud](https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-cloud)\n- [Microsoft Graph API Activity](https://learn.microsoft.com/en-us/graph/use-the-api)\n\nFor more information, see the following in the Google SecOps\ndocumentation:\n\n- [Supported devices and required log types for Azure](/chronicle/docs/detection/cloud-threats-category#azure-supported-devices): information about the data\n required by each rule set.\n\n- [Ingest Azure and Microsoft Entra ID data](/chronicle/docs/detection/cloud-threats-category#ingest-azure) and [Create an Azure Event Hub feed](/chronicle/docs/administration/create-azure-feed): steps to collect Azure and Microsoft\n Entra ID log data.\n\n- [Curated detections for Azure data](/chronicle/docs/detection/cloud-threats-category#azure-curated-detections): summary of the Azure rule sets\n in the Cloud Threats Category curated detections.\n\n- [Use curated detections to identify threats](/chronicle/docs/detection/use-curated-detections): how to use curated detections in Google SecOps.\n\nFor information about the type of log data that customers with Security Command Center\nEnterprise can ingest directly to the Google SecOps tenant, see\n[Google SecOps log data collection](/security-command-center/docs/service-tiers#microsoft-logs).\n\nConfigure Microsoft Azure log ingestion for CIEM\n\nTo generate CIEM findings for your Microsoft Azure environment,\nthe CIEM capabilities require data from Azure activity logs for\neach Azure subscription or management group that needs to be analyzed.\n\nBefore you begin\n\nTo export activity logs for your Azure subscriptions or management groups, [configure a Microsoft Azure storage account](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_storage_account).\n\nConfigure Microsoft Azure log ingestion for management groups\n\n1. To configure Azure activity logging for management groups, use the\n [Management group API](https://learn.microsoft.com/en-us/rest/api/monitor/management-group-diagnostic-settings/create-or-update).\n\n | **Note:** The Microsoft Azure portal does not support configuring diagnostic settings for management groups.\n2. To ingest exported activity logs from the storage account, [configure a feed in Security Operations console](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_feed_in_to_ingest_the_azure_logs).\n\n3. Set an **Ingestion label** for the feed by setting **Label** to `CIEM` and the **Value** to `TRUE`.\n\nConfigure Microsoft Azure log ingestion for subscriptions\n\n1. To configure Azure activity logging for subscriptions, do the following:\n\n 1. In the Azure console, search for **Monitor.**\n 2. In the left navigation pane, click the **Activity log** link.\n 3. Click **Export Activity Logs**.\n 4. Perform the following actions for each subscription or management group for which logs need to be exported:\n 1. In the **subscription** menu, select the Microsoft Azure subscription from which you want to export activity logs.\n 2. Click **Add diagnostic setting.**\n 3. Enter a name for the diagnostic setting.\n 4. In **Log categories** , select **Administrative**.\n 5. In **Destination details** , select **Archive to a storage account**.\n 6. Select the subscription and storage account that you created, and click **Save**.\n2. To ingest exported activity logs from the storage account, [configure a feed in Security Operations console](/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs#configure_a_feed_in_to_ingest_the_azure_logs).\n\n3. Set an **Ingestion label** for the feed by setting **Label** to `CIEM` and the **Value** to `TRUE`.\n\nWhat's next\n\n- To enable CIEM, see [Enable the CIEM detection service](/security-command-center/docs/enable-ciem-detection).\n- To learn more about CIEM features, see [Overview of CIEM](/security-command-center/docs/concepts-ciem)."]]