Using Azure Storage

Azure Storage refers to the Microsoft Azure cloud storage solution, a service that provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store.

As an alternative to the Azure Log Analytics REST API, ThreatLockDown offers the possibility to access Azure Storage accounts in a simple way. The activity logs of the Microsoft Azure infrastructure can be exported to the storage accounts.

This section explains how to use the Azure portal to archive the Azure activity log in a storage account and how to configure the azure-logs module. A use case is included to show a practical example.

Configuring the Activity log export

  1. Click Activity log in the Monitor service menu. You can type activity in the search bar to find the option.

  2. Click Export Activity logs.

  3. Click Add diagnostic setting.

  4. Configure the following settings and click Save.

    • Tick the AuditLogs checkbox.

    • Tick the Archive to storage account checkbox.

    • Select your Subscription.

    • Select your Storage account.

Azure Storage use case

This is a basic example of how to monitor the activity of the infrastructure. A new user will be created, resulting in an Azure Activity Log that will be exported to Storage if the Activity Log export was configured successfully.

Creating a user

An easy way to test this configuration is to create a new user in Microsoft Entra ID. A few minutes after the creation of the user, a new log will be available in a container named insights-logs-auditlogs inside the Storage account specified when configuring the Activity log export.

ThreatLockDown configuration

Proceed to configure the azure-logs module in the local configuration (ossec.conf). To authenticate against the Storage account, the module needs its account_name and account_key, which can be found in the Access keys section of Storage accounts. They can be given directly in the configuration or placed in a credentials file referenced by auth_path, as in the example below. Check the credentials reference for more information about the different authentication options available.

With the following configuration, the integration runs once a day, authenticating with the credentials file referenced by auth_path. The content of the insights-logs-auditlogs container is processed, downloading every blob with the .json extension modified in the last 24 hours. The content of these blobs is expected to be in json_inline format.

<wodle name="azure-logs">
    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <storage>
        <auth_path>/home/manager/Azure/storage_auth.txt</auth_path>
        <tag>azure-activity</tag>

        <container name="insights-logs-auditlogs">
            <blobs>.json</blobs>
            <content_type>json_inline</content_type>
            <time_offset>24h</time_offset>
        </container>
    </storage>
</wodle>

Check the Azure module reference page to learn more about the parameters available and how to use them.

ThreatLockDown rules

The following rules, included in the default ThreatLockDown ruleset, make it possible to monitor the infrastructure activity and obtain related alerts. Rule 87803 matches the azure_tag field that the azure-logs module adds to every event read from Storage, and rule 87813 refines it for events carrying an operationName field:

<rule id="87803" level="3">
    <decoded_as>json</decoded_as>
    <field name="azure_tag">azure-storage</field>
    <description>Azure: Storage</description>
</rule>

<rule id="87813" level="3">
    <if_sid>87803</if_sid>
    <field name="operationName">\.+</field>
    <description>Azure: Storage: $(operationName)</description>
</rule>
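To make the configuration and the rules above concrete, the following Python script is an added example and not code from ThreatLockDown or the azure-logs module. It simulates what the <container> block asks the module to do (keep only .json blobs modified within the time_offset window, read each as json_inline, i.e. JSON objects separated by newlines) and then applies the logic of rules 87803 and 87813 to the resulting events. The blob names, timestamps and audit records are constructed; the assumption that the module stores the configured <tag> in a field named azure_storage_tag is also labelled in the code, while azure_tag: azure-storage is the value rule 87803 on this page matches on.

```python
"""Added example: simulate the azure-logs <storage> container processing and
the matching of rules 87803 / 87813. Not ThreatLockDown's own code."""
import json
import re
from datetime import datetime, timedelta, timezone

# Mirrors the <container name="insights-logs-auditlogs"> block on this page.
CONTAINER_CONFIG = {
    "name": "insights-logs-auditlogs",
    "blobs": ".json",             # <blobs>: only blobs with this extension
    "content_type": "json_inline",  # <content_type>
    "time_offset": "24h",         # <time_offset>: how far back to look
}


def parse_time_offset(value: str) -> timedelta:
    """Turn a time_offset such as 30m, 24h or 7d into a timedelta."""
    m = re.fullmatch(r"(\d+)([mhd])", value)
    if not m:
        raise ValueError(f"unsupported time_offset: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    return {"m": timedelta(minutes=n), "h": timedelta(hours=n), "d": timedelta(days=n)}[unit]


def select_blobs(blobs, config, now):
    """Keep blobs whose name ends with the configured extension and whose
    last-modified time falls inside the time_offset window ending at `now`."""
    cutoff = now - parse_time_offset(config["time_offset"])
    return [b for b in blobs
            if b["name"].endswith(config["blobs"]) and b["last_modified"] >= cutoff]


def parse_json_inline(text):
    """json_inline: several JSON objects in one blob, one per line. Decoding
    object by object also tolerates objects that are merely concatenated."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        while pos < len(text) and text[pos] in " \t\r\n,":
            pos += 1                      # skip separators between objects
        if pos >= len(text):
            return events
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)


def process_container(blobs, config, tag, now):
    """Download-and-tag step: every record gets azure_tag = azure-storage (the
    value rule 87803 matches). Storing <tag> in azure_storage_tag is an
    assumption of this example."""
    events = []
    for blob in select_blobs(blobs, config, now):
        for record in parse_json_inline(blob["data"]):
            record["azure_tag"] = "azure-storage"
            record["azure_storage_tag"] = tag
            events.append(record)
    return events


def match_rules(event):
    """Emulate rules 87803 and 87813. The OSSEC regex '\\.+' in 87813 means
    'one or more of any character', i.e. operationName is present and non-empty."""
    if event.get("azure_tag") != "azure-storage":
        return None
    op = event.get("operationName")
    if op:
        return (87813, f"Azure: Storage: {op}")
    return (87803, "Azure: Storage")


# Constructed sample data: a "now", three blobs, and two audit records.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
FRESH_BLOB_DATA = (
    '{"time": "2024-01-02T11:20:00Z", "category": "AuditLogs", '
    '"operationName": "Add user", "resultType": "Success"}\n'
    '{"time": "2024-01-02T11:21:00Z", "category": "AuditLogs"}\n'
)
BLOBS = [
    {"name": "resourceId=/tenants/TENANT-PLACEHOLDER/y=2024/m=01/d=02/h=11/m=00/PT1H.json",
     "last_modified": NOW - timedelta(hours=1), "data": FRESH_BLOB_DATA},
    {"name": "resourceId=/tenants/TENANT-PLACEHOLDER/y=2023/m=12/d=30/h=09/m=00/PT1H.json",
     "last_modified": NOW - timedelta(days=3), "data": FRESH_BLOB_DATA},  # outside 24h
    {"name": "notes.txt", "last_modified": NOW, "data": "not json"},       # wrong extension
]


def run_example():
    """Return the (rule id, description) pair produced for each event."""
    events = process_container(BLOBS, CONTAINER_CONFIG, "azure-activity", NOW)
    return [match_rules(e) for e in events]


if __name__ == "__main__":
    for rule_id, description in run_example():
        print(rule_id, description)
```

Only the blob modified one hour ago survives the selection step; the "Add user" record it contains raises rule 87813 with the operation name in the description, and the record without operationName falls back to rule 87803. Changing time_offset to 7d in CONTAINER_CONFIG brings the three-day-old blob back into scope, which is the knob to turn when the daily interval is widened.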

Alert visualization

Once the ThreatLockDown configuration is in place and the azure-logs module is running with the configuration above, the event generated by the user creation example and exported to Storage is processed and the resulting alert can be checked in the ThreatLockDown dashboard.