Azure Activity Log Integration - Manually using the Azure Portal - Beta

This topic describes how to configure a Lacework Azure Activity Log Integration. This feature is beta in this release. 

To create a Lacework Azure Activity Log Integration to gather, process, report, and alert on Azure activity log data, follow the steps in the procedure below. You must create a separate Azure Compliance Integration for reporting and alerting on Azure compliance. For more information, see Lacework for Azure.

You do not need to create an Azure Compliance Integration to create an Azure Activity Log Integration. However, you can use the same credentials for both integrations.

When an Azure Activity Log Integration is created, Lacework gathers the logs of administrative operations from the activity log of an Azure subscription.

Azure captures detailed activity log data and stores that data in an activity log. Lacework aggregates and organizes this activity log data into useful maps and dashboards that illustrate the following:

• conceptual relationships
• causes and effects
• interactions between Azure entities

Lacework needs access to the Azure activity log data to process it.

Lacework also automatically generates alerts whenever an activity log event represents a security risk.

Create an Azure App

Follow the procedure provided in Manually Create an Azure App for Integration. You can skip this procedure if you have already created an Azure App for an Azure Compliance Integration and just reuse the credentials.

Configure Azure for Activity Log Integration

To configure Azure so the Lacework Azure Activity Log Integration can gather activity log data:

1. Log in to the Azure Portal.
2. In the main search field, enter subscription and from select Subscriptions from the drop-down.
3. Browse and click your subscription.
4. Under your subscription, click Settings > Resource providers.
   
5. In the filter by name… field, enter Microsoft.Insight.
6. If the STATUS is NotRegistered, select microsoft.insights and click Register.
7. Wait until the status changes to Registered. You may need to keep clicking Refresh.
8. In the filter by name… field, enter Microsoft.EventGrid.
9. If the STATUS is NotRegistered, select Microsoft.EventGrid and click Register.
10. Wait until the status changes to Registered. You may need to keep clicking Refresh.
11. In the filter by name… field, enter Microsoft.Security.
12. If the STATUS is NotRegistered, select Microsoft.Security and click Register.
13. Wait until the status changes to Registered. You may need to keep clicking Refresh.

14. Open an Azure Cloud Bash shell from the Azure Portal or install and open an Azure CLI window in a terminal window using the az login command. Keep the bash shell or CLI window open. 

    

15. Get the current Application ID as described in the next set of steps. In the left panel, select Azure Active Directory.
    
16. Select App registrations.
    
    
17. From the App registrations panel, select your  Lacework SA Audit App.  
18. Open a text editor and copy and paste the Application (client) ID into a temporary file. In the file, label the values. Leave the file open in the editor.
    
19. In the Azure Cloud Bash Shell, enter appId= and paste the Application (client) ID number and hit return.

    $ appId=PasteTextHere
    $ echo $appId

20. Either use an existing storage account that is configured to archive the Azure Activity Log or create the new storage account that has access to the Azure Activity Log. Azure recommends creating a separate storage account for accessing the Azure Activity Log data. For more information, see https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export.
    The storage account must be an Azure General-purpose v2 account.
    Skip steps 20-24 if you do want to use an existing storage account that is configured to archive the Azure Activity Log. To create a new storage account and log profile follow steps 21-24 below.
21. Create a resource group. Replace westus2 with your location. You can see a list of locations using the az account list-locations command. Specify the location as listed in the name field of the account list-locations command output. You can specify any resource group name, it does not have to be laceworkcws.

    $ az group create --name laceworkcws --location westus2

22. Create a new storage account. Replace westus2 with your location. For the resource group, specify the resource name you created in a previous step. You can specify any account name, it does not have to be laceworkcws.

    $ az storage account create --name laceworkcws --resource-group laceworkcws --assign-identity --encryption-services blob --https-only true --location westus2 --sku Standard_LRS --kind StorageV2

23. Get the Storage Account ID.

    $ storageAccountId=$(az storage account show --name laceworkcws --resource-group laceworkcws --query id --output tsv)

24. Create a log profile. Replace westus2 with your location. For the resource group, specify the resource name you created in a previous step. You can specify any account name, it does not have to be laceworkcws.

     $ locations=$(az account list-locations --query [].name --output tsv | paste -sd " " -)
     $ locations="$locations global"
     $ az monitor log-profiles create --categories Write Delete Action --location westus2 --locations $locations --name laceworkcws --storage-account-id $storageAccountId --days 7 --enabled true

25. If you have multiple subscriptions, decide what subscription you want to make active for activity logging. You can only have one subscription active for activity logging at one time. However, you can aggregate logs from multiple subscriptions to a single subscription and make that subscription active. Enter the list command to get the list of subscriptions for the account currently logged into the CLI, set the active subscription of the account currently logged into the CLI, and get the Storage Account ID. 

    $ az account list --all
    $ az account set --subscription MySubscriptionName
    $ storageAccountId=$(az storage account show --name laceworkcws --resource-group laceworkcws --query id --output tsv)

26. Create an Azure queue to hold the activity log data.

     $ az storage queue create --name laceworkcws --account-name laceworkcws

27. Get the ID of the queue created in the previous step and create an event grid subscription.

     $ queueId="$storageAccountId/queueservices/default/queues/laceworkcws"
     $ az eventgrid event-subscription create --name laceworkcws --endpoint-type storagequeue --endpoint $queueId --source-resource-id $storageAccountId --subject-begins-with /blobServices/default/containers/insights-operational-logs/ --included-event-types Microsoft.Storage.BlobCreated

28. Find the subscription id.

     $ subscriptionId=$(az account show --query id --output tsv)

29. Open an editor and save the following JSON code into a file called al-role-template.json.

    {
    "Name":  "LaceworkCWS",
    "IsCustom":  true,
    "Description":  "Monitors Activity Log",
    "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    	"Microsoft.Storage/storageAccounts/read",
    	"Microsoft.Storage/storageAccounts/blobServices/containers/read",
    	"Microsoft.Storage/storageAccounts/queueServices/queues/read",
    	"Microsoft.EventGrid/eventSubscriptions/read",
    	"Microsoft.Storage/storageAccounts/listkeys/action"
      ],
      "DataActions": [
    	"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    	"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
    		"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
    ],
    "AssignableScopes": [
    	"/subscriptions/%subscriptionId"
     ]
    }

30. You can change the name of the role from LaceworkCWS to another value if you wish. However, you must use the name when assigning a custom role to Active Directory application in the final step of this procedure.
31. In the shell, enter the following text, and copy the subscription id number.

     $ echo $subscriptionId

32. Edit the al-role-template.json file and substitute %subscriptionId with the subscription id number copied in the previous step. Save the file.
33. Create a custom role.

     $ roleDefinition=$(cat al-role-template.json)
     $ echo $roleDefintion
     $ az role definition create --role-definition "$roleDefinition"

34. Assign a custom role to Active Directory application created during compliance setup.

     $ az role assignment create --assignee $appId --role LaceworkCWS --scope "/subscriptions/$subscriptionId"

Gather the Required Azure Client ID, Tenant ID, and Client Secret

Follow the procedure provided in Gather the Required Azure Client ID, Tenant ID, and Client Secret.

Create an Azure Activity Log Integration on the Lacework Console

Finish the creation of the integration using the Lacework Console as described by the following steps.

1. Log in to the Lacework Console.
2. Select Settings > Integrations.  
3. Select INCOMING > Azure Activity Log.
4. Click + ADD INTEGRATION.
5. In the Name field, enter a unique name for the integration.
6. In the Client ID field, enter the Application (client) ID value copied from Azure Portal.
7. In the Tenant ID field, enter the Directory (tenant) ID value copied from Azure Portal.
8. In the Client Secret field, enter the Client secret value copied from Azure Portal.
9. In the Queue URL field, enter the queue URL using the following format: https://MyStorageAccount.queue.core.windows.net/MyQueueName where MyStorageAccount is your storage account that is being used for the activity logs and MyQueueName is the name of the queue, for example: http://laceworkcws.queue.core.windows.net/laceworkcws
10. Click Save. In Settings > INCOMING, a new integration displays.
11. When the integration is complete and successful, the status changes to Integration Successful. 
12. In the Lacework Console, select Azure > Activity Log and under DATE RANGE select Last 7 days. Verify that data is being gathered.