Azure Activity Data Connector for Microsoft Sentinel and Azure Monitor

Posted Nov 11, 2024

The Azure Activity Data Connector is a game-changer for organizations looking to streamline their security and monitoring efforts. It connects your Azure resources to Microsoft Sentinel and Azure Monitor, providing a unified view of your cloud activity.

By leveraging the Azure Activity Data Connector, you can gain real-time insights into your cloud activity, enabling you to identify and respond to security threats more effectively. This is particularly useful for organizations with complex cloud infrastructures, as it simplifies the process of monitoring and analyzing activity across multiple resources.

The Azure Activity Data Connector supports a wide range of Azure services, including Azure Storage, Azure Virtual Machines, and Azure Active Directory. This means you can connect your entire Azure ecosystem to Microsoft Sentinel and Azure Monitor, providing a comprehensive view of your cloud activity.

Authentication and Authorization

Authentication and authorization are crucial steps in setting up the Azure Activity Data Connector. To authenticate, you must create an app registration and service principal in Azure AD, which involves assigning the Reader role on the subscription.


You can also use Managed Identity for secure authentication, which hides many of the other fields in the configuration. This is especially useful if you host Grafana in Azure, such as in App Service or Azure Virtual Machines.

To enable workload identity for Grafana, you need to set the workload_identity_enabled flag in the [azure] section of the Grafana server configuration.ini file. This flag is set to true by default, but you can modify it as needed.

The configuration variables that control the authentication method are workload_identity_tenant_id, workload_identity_client_id, and workload_identity_token_file.

In the Azure Monitor data source configuration, you need to set Authentication to Workload Identity to enable this feature. This will hide the directory ID, application ID, and client secret fields, and the data source will use workload identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.

Setup and Configuration

To set up the Azure Activity data connector, you'll need to configure Azure Active Directory (AD) authentication. This involves creating an app registration and service principal in Azure AD to authenticate the data source.


You can configure the Azure Monitor data source to use Managed Identity for secure authentication without entering credentials into Grafana. This is especially useful if you host Grafana in Azure, such as in App Service or Azure Virtual Machines.

To enable workload identity for Grafana, you'll need to set the workload_identity_enabled flag in the [azure] section of the Grafana server configuration.ini file to true. This will allow the data source to use workload identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.


For more information on configuring the Azure Activity data connector, refer to the Azure documentation for service principals and role assignments.

Configure Workload Identity

To configure workload identity for Azure Monitor in Grafana, you'll need to host Grafana in a Kubernetes environment, such as AKS. This setup allows you to securely authenticate data sources without manually configuring credentials via Azure AD App Registrations.


You can use workload identity to configure Azure Monitor in Grafana, which lets you securely authenticate data sources without manually configuring credentials via Azure AD App Registrations. For details on workload identity, refer to the Azure workload identity documentation.

To enable workload identity for Grafana, set the workload_identity_enabled flag to true in the [azure] section of the Grafana server configuration.ini file. Workload identity does not work unless this flag is set.

In the Azure Monitor data source configuration, set Authentication to Workload Identity. This hides the directory ID, application ID, and client secret fields, and the data source uses workload identity to authenticate to Azure Monitor Metrics and Logs, and Azure Resource Graph.

You can also control the authentication method with these additional configuration variables:

- workload_identity_tenant_id
- workload_identity_client_id
- workload_identity_token_file
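To make the [azure] section concrete, here is an added example (not Grafana's own code, and not from the original article) that renders the section with the four variables named above and then validates it before Grafana is restarted. The validation rules are this example's own assumptions: the tenant and client IDs must be GUIDs, and the token file path must point at an existing file. The token file it writes is a placeholder, not a real projected token.

```python
"""Render and sanity-check the [azure] section of Grafana's configuration.ini
for Workload Identity. Added example; the checks are assumptions, not Grafana's."""
import configparser
import io
import os
import re
import tempfile

# Assumption: tenant and client IDs are Azure AD GUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def write_demo_token_file():
    """Create a placeholder token file (constructed, not a real AAD token)
    so the validator has something to find on disk."""
    fd, path = tempfile.mkstemp(prefix="azure-identity-token-")
    with os.fdopen(fd, "w") as fh:
        fh.write("placeholder-projected-token")
    return path


def render_azure_section(tenant_id, client_id, token_file, enabled=True):
    """Return the [azure] section text using the variable names from the article."""
    cfg = configparser.ConfigParser()
    cfg["azure"] = {
        "workload_identity_enabled": "true" if enabled else "false",
        "workload_identity_tenant_id": tenant_id,
        "workload_identity_client_id": client_id,
        "workload_identity_token_file": token_file,
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def validate_azure_section(ini_text):
    """Parse ini text and return a list of problems; an empty list means OK."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if "azure" not in cfg:
        return ["missing [azure] section"]
    az = cfg["azure"]
    problems = []
    if not az.getboolean("workload_identity_enabled", fallback=False):
        # The remaining keys are ignored when the feature is off.
        problems.append("workload_identity_enabled is not true")
        return problems
    for key in ("workload_identity_tenant_id", "workload_identity_client_id"):
        val = az.get(key, "").strip()
        if not GUID_RE.match(val):
            problems.append(f"{key} is not a GUID: {val!r}")
    token = az.get("workload_identity_token_file", "").strip()
    if not token:
        problems.append("workload_identity_token_file is empty")
    elif not os.path.isfile(token):
        problems.append(f"token file not found: {token}")
    return problems


if __name__ == "__main__":
    token_path = write_demo_token_file()
    section = render_azure_section(
        "11111111-2222-3333-4444-555555555555",  # constructed tenant ID
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed client ID
        token_path,
    )
    print(section)
    print("problems:", validate_azure_section(section))
    os.unlink(token_path)
```

Running the validator as part of the Grafana deployment (for example in a Kubernetes init step on AKS) catches a missing projected token file or a mistyped client ID before the data source silently falls back to another authentication method.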

Set Up


To set up Azure Active Directory (AD) authentication, you'll need to create an app registration and service principal in Azure AD. This is a crucial step to authenticate the data source.

You must assign the Reader role on the subscription to the app registration you create. This ensures you have the necessary permissions to access the data.

If you host Grafana in Azure, such as in App Service or Azure Virtual Machines, you can use Managed Identity for secure authentication without entering credentials into Grafana.

To configure the Azure Monitor data source, you can use one of the following authentication options: an Azure AD app registration (service principal), Managed Identity, or Workload Identity.

To set up Azure activity logging, you'll need to complete the following steps:


1. In the Azure console, search for Monitor.

2. Click the Activity log link in the left navigation of the page.

3. Click Export Activity Logs at the top of the window.

4. Click Add diagnostic setting.

5. Select all the categories you wish to export to Google Security Operations.

6. Under Destination details select Archive to a storage account.

7. Select the subscription and storage account you created in the previous step.

8. Click Save.

Setting up a Microsoft Azure AD connector requires creating a custom workflow that uses the connector's action steps and then activating the integration run by switching the toggle button ON.

To set up the data connector, you'll need to install the data connector to forward data for Azure Activity to Microsoft Sentinel. This involves selecting the Azure Activity data connector and launching the Azure Policy Assignment Wizard.

To configure a feed in Google Security Operations to ingest the Azure logs, you'll need to follow these steps:


1. Go to SIEM Settings > Feeds.

2. Click Add New.

3. Enter a unique name for the Field Name.

4. Select Microsoft Azure Blob Storage as the Source Type.

5. Select Microsoft Azure Activity as the Log Type.

6. Click Next and configure the mandatory input parameters.

7. Click Next and then click Submit.

Integration and Data Collection

To integrate and collect data with the Azure Activity data connector, you'll need to follow a few steps.

First, enable the Azure Activity data connector in Microsoft Sentinel, which will allow you to view the activity data added to the workspace.

To do this, select Data connectors, search for and select the Azure Activity data connector, and then review its status to ensure it's connected.

Once connected, you can view the activity data ingested into the workspace by running a query in Log Analytics, specifically the AzureActivity query.
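The diagnostic setting described earlier archives Activity Log records to a storage account as JSON, and the AzureActivity table is the same data presented as columns such as Caller, OperationNameValue, ActivityStatusValue and ResourceGroup. The following added example (not Microsoft's code and not part of the original article) parses a constructed export of that shape, maps each record onto AzureActivity-style column names, and produces the kind of summary you would otherwise get from `AzureActivity | summarize count() by Caller, OperationNameValue`. The sample records, the placeholder subscription ID, the simplified `identity.claims.name` caller claim, the newline-delimited JSON fallback, and the list of operations treated as privileged are all this example's assumptions.

```python
"""Parse an Azure Activity Log storage export and summarise it the way the
AzureActivity table presents it. Added example with constructed data."""
import json
from collections import Counter

SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed sample export: a 'records' array like the storage-account archive.
# The caller claim is simplified to a plain 'name' key for readability.
SAMPLE_EXPORT = json.dumps({"records": [
    {"time": "2024-11-11T09:00:00Z",
     "resourceId": SUB + "/RESOURCEGROUPS/PROD-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "category": "Administrative", "resultType": "Success",
     "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {"name": "ops@example.com"}}},
    {"time": "2024-11-11T09:05:00Z",
     "resourceId": SUB + "/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/ABC123",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "category": "Administrative", "resultType": "Success",
     "callerIpAddress": "198.51.100.7",
     "identity": {"claims": {"name": "admin@example.com"}}},
    {"time": "2024-11-11T09:07:00Z",
     "resourceId": SUB + "/RESOURCEGROUPS/PROD-RG/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/PRODLOGS",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "category": "Administrative", "resultType": "Failure",
     "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {"name": "svc-backup@example.com"}}},
    {"time": "2024-11-11T09:10:00Z",
     "resourceId": SUB + "/RESOURCEGROUPS/PROD-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01",
     "operationName": "MICROSOFT.AUTHORIZATION/POLICIES/AUDIT/ACTION",
     "category": "Policy", "resultType": "Success",
     "callerIpAddress": "", "identity": {}},
]})

# Assumption: operations a SOC would want surfaced in any summary.
PRIVILEGED_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
}


def parse_export(text):
    """Return the raw record list. Accepts the 'records' array form and, as a
    fallback (assumption), newline-delimited JSON objects."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc.get("records", []) if isinstance(doc, dict) else doc


def to_json_lines(text):
    """Re-emit an export as newline-delimited JSON (used to exercise the fallback)."""
    return "\n".join(json.dumps(r) for r in parse_export(text))


def normalize(record):
    """Map one raw record onto AzureActivity-style column names."""
    parts = record.get("resourceId", "").upper().split("/")
    rg = parts[parts.index("RESOURCEGROUPS") + 1] if "RESOURCEGROUPS" in parts else ""
    return {
        "TimeGenerated": record.get("time", ""),
        "OperationNameValue": record.get("operationName", "").upper(),
        "ActivityStatusValue": record.get("resultType", ""),
        "Caller": record.get("identity", {}).get("claims", {}).get("name", ""),
        "CallerIpAddress": record.get("callerIpAddress", ""),
        "ResourceGroup": rg,
        "CategoryValue": record.get("category", ""),
    }


def summarize(text):
    """Counts and lists comparable to a KQL summarize over AzureActivity."""
    rows = [normalize(r) for r in parse_export(text)]
    return {
        "record_count": len(rows),
        "by_resource_group": dict(Counter(r["ResourceGroup"] for r in rows)),
        "by_caller": dict(Counter(r["Caller"] for r in rows if r["Caller"])),
        "failures": [(r["Caller"], r["OperationNameValue"])
                     for r in rows if r["ActivityStatusValue"] == "Failure"],
        "privileged": [(r["Caller"], r["OperationNameValue"])
                       for r in rows if r["OperationNameValue"] in PRIVILEGED_OPERATIONS],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT), indent=2))
```

Records without a resource group (subscription-scoped role assignments, for instance) land in an empty ResourceGroup bucket rather than being dropped, which matters when you are reconciling the storage export against what Sentinel shows in the AzureActivity table.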

You can also forward data to Event Hub and enable integration with XDR by selecting the Stream to an event hub option and entering the desired event hub destination.


To set up integration, you'll need to enter a unique name for the integration in XDR and click Done, then start the Event Hub integration and configure Azure Monitor Diagnostic Settings.

Data collected from the integration falls into the following categories: Antivirus, Auth, CloudAudit, DHCP, DNS, Email, Encrypt, HTTP, Management, Netflow, NIDS, and Thirdparty.

Note that XDR detectors are not guaranteed to be triggered, even if data is normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Frequently Asked Questions

What is the data connector in Sentinel?

Microsoft Sentinel data connectors are integrations that collect data from various service providers and feed it into Sentinel. They include Microsoft services like Azure Active Directory and Office 365, as well as third-party services like AWS CloudTrail and Barracuda.

Katrina Sanford

Writer
