Azure Activity Log Integration - Manually using the Azure Portal - Beta

This topic describes how to configure a Lacework Azure Activity Log integration. This feature is beta in this release.

To create a Lacework Azure Activity Log integration to gather, process, report, and alert on Azure activity log data, follow the steps in the procedure below. You must create a separate Azure Compliance integration for reporting and alerting on Azure compliance. For more information, see Integrate Lacework with Azure.

You do not need to create an Azure Compliance integration to create an Azure Activity Log integration. You can, however, use the same credentials for both integrations.

When an Azure Activity Log integration is created, Lacework gathers the logs of administrative operations from the activity log of an Azure subscription.

Azure captures detailed activity log data and stores that data in an activity log. Lacework aggregates and organizes this activity log data into useful maps and dashboards that illustrate the following:

• conceptual relationships
• causes and effects
• interactions between Azure entities

Lacework needs access to the Azure activity log data to process it.

Lacework also automatically generates alerts whenever an activity log event represents a security risk.

Create an Azure App

Follow the procedure provided in Manually Create an Azure App for Integration. You can skip this procedure if you have already created an Azure App for an Azure Compliance integration and just reuse the credentials.

Configure Azure for Activity Log Integration

Configure the Lacework Azure Activity Log integration to gather activity log data:

1. Log in to the Azure Portal.
2. In the main search field, enter subscription and from select Subscriptions from the drop-down.
3. Browse and click your subscription.

4. Under your subscription, click Settings > Resource providers.

   

5. In the filter by name… field, enter Microsoft.Insight.

6. If the STATUS is NotRegistered, select microsoft.insights and click Register.
7. Wait until the status changes to Registered. You may need to keep clicking Refresh.
8. In the filter by name… field, enter Microsoft.EventGrid.
9. If the STATUS is NotRegistered, select Microsoft.EventGrid and click Register.
10. Wait until the status changes to Registered. You may need to keep clicking Refresh.
11. In the filter by name… field, enter Microsoft.Security.
12. If the STATUS is NotRegistered, select Microsoft.Security and click Register.
13. Wait until the status changes to Registered. You may need to keep clicking Refresh.
14. Open an Azure Cloud Bash shell from the Azure Portal or install and open an Azure CLI window in a terminal window using the az login command. Keep the bash shell or CLI window open.
    
15. Get the current Application ID as described in the next set of steps. In the left panel, select Azure Active Directory.
    
16. Select App registrations.
    
17. From the App registrations panel, select your Lacework SA Audit App.
18. Open a text editor and copy and paste the Application (client) ID into a temporary file. In the file, label the values. Leave the file open in the editor.
    
19. In the Azure Cloud Bash Shell, enter appId= and paste the Application (client) ID number and hit return.

      $ appId=PasteTextHere
      $ echo $appId      

20. Either use an existing storage account that is configured to archive the Azure Activity Log or create the new storage account that has access to the Azure Activity Log. Azure recommends creating a separate storage account for accessing the Azure Activity Log data. For more information, see https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export.
    The storage account must be an Azure General-purpose v2 account.
    Skip steps 20-24 if you want to use an existing storage account that is configured to archive the Azure Activity Log. To create a new storage account and log profile follow steps 21-24 below.
21. Create a resource group. Replace westus2 with your location. You can see a list of locations using the az account list-locations command. Specify the location as listed in the name field of the account list-locations command output. You can specify any resource group name, it does not have to be laceworkcws.

      $ az group create --name laceworkcws --location westus2      

22. Create a new storage account. Replace westus2 with your location. For the resource group, specify the resource name you created in a previous step. You can specify any account name, it cannot be laceworkcws (it must be a globally unique name).

      $ az storage account create --name laceworkcws --resource-group laceworkcws --assign-identity --encryption-services blob --https-only true --location westus2 --sku Standard_LRS --kind StorageV2      

23. Get the Storage Account ID.

      $ storageAccountId=$(az storage account show --name laceworkcws --resource-group laceworkcws --query id --output tsv)      

24. Create a log profile. Replace westus2 with your location. For the resource group, specify the resource name you created in a previous step. You can specify any account name, it does not have to be laceworkcws.

      $ locations=$(az account list-locations --query [].name --output tsv | paste -sd " " -)
      $ locations="$locations global"
      $ az monitor log-profiles create --categories Write Delete Action --location westus2 --locations $locations --name laceworkcws --storage-account-id $storageAccountId --days 7 --enabled true      

25. If you have multiple subscriptions, decide which subscription you want to use to hold the storage account used for activity logging. You can have only one log-profile per subscription, exporting its logs to a single storage account. You can have multiple Lacework integrations for Activity Logs (each subscription using its own storage account). Alternatively, you can aggregate logs from multiple subscriptions to a single subscription and only make that subscription active in the Lacework Audit Log integration (more info about this on step 35). In order to select again your select Azure account and logging storage account, enter the list command to get the list of subscriptions for the account currently logged into the CLI, set the active subscription of the account currently logged into the CLI, and get the Storage Account ID.

      $ az account list --all
      $ az account set --subscription MySubscriptionName
      $ storageAccountId=$(az storage account show --name laceworkcws --resource-group laceworkcws --query id --output tsv)      

26. Create an Azure queue to hold activity log data.

      $ az storage queue create --name laceworkcws --account-name laceworkcws      

27. Get the ID of the queue created in the previous step and create an event grid subscription.

      $ queueId="$storageAccountId/queueservices/default/queues/laceworkcws"
      $ az eventgrid event-subscription create --name laceworkcws --endpoint-type storagequeue --endpoint $queueId --source-resource-id $storageAccountId --subject-begins-with /blobServices/default/containers/insights-operational-logs/ --included-event-types Microsoft.Storage.BlobCreated      

28. Find the subscription id.

      $ subscriptionId=$(az account show --query id --output tsv)      

29. Open an editor and save the following JSON code into a file called al-role-template.json.

      {
      "Name":  "LaceworkCWS",
      "IsCustom":  true,
      "Description":  "Monitors Activity Log",
      "Actions": [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
         "Microsoft.Storage/storageAccounts/read",
         "Microsoft.Storage/storageAccounts/blobServices/containers/read",
         "Microsoft.Storage/storageAccounts/queueServices/queues/read",
         "Microsoft.EventGrid/eventSubscriptions/read",
         "Microsoft.Storage/storageAccounts/listkeys/action"
      ],
      "DataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
         "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
      ],
      "AssignableScopes": [
         "/subscriptions/%subscriptionId"
      ]
      }      

30. You can change the name of the role from LaceworkCWS to another value if you wish. However, you must use the name when assigning a custom role to Active Directory application in the final step of this procedure.
31. In the shell, enter the following text, and copy the subscription id number.

      $ echo $subscriptionId      

32. Edit the al-role-template.json file and substitute %subscriptionId with the subscription id number copied in the previous step. Save the file.
33. Create a custom role.

      $ roleDefinition=$(cat al-role-template.json)
      $ echo $roleDefinition
      $ az role definition create --role-definition "$roleDefinition"      

34. Assign a custom role to Active Directory application created during compliance setup.

      $ az role assignment create --assignee $appId --role LaceworkCWS --scope "/subscriptions/$subscriptionId"      

35. (Optional) As explained in step 24, in order to aggregate audit logs from many other subscriptions in a single centralized storage account, repeat step 24 for each subscription you have in your AZ CLI (by doing first "az account set --subscription "), you just keep the same Storage Account ID (referred below as $centralizedStorageAccountId) for each subscription's log-profile.

      $ az account list --all
      $ ## for each other subscription, repeat the commands below ##
      $ az account set --subscription OtherSubscriptionName
      $ az monitor log-profiles create --categories Write Delete Action --location westus2 --locations $locations --name laceworkcws --storage-account-id $centralizedStorageAccountId --days 7 --enabled true      

Gather the Required Azure Client ID, Tenant ID, and Client Secret

Follow the procedure provided in Gather the Required Azure Client ID, Tenant ID, and Client Secret.

Create an Azure Activity Log Integration on the Lacework Console

Finish creating the integration through the Lacework Console as described by the following steps.

1. Log in to the Lacework Console.
2. Select Settings > Integrations > Cloud Accounts.
3. Click + Create New.
4. Select Azure > Activity Log.
5. In the Name field, enter a unique name for the integration.
6. In the Client ID field, enter the Application (client) ID value copied from Azure Portal.
7. In the Tenant ID field, enter the Directory (tenant) ID value copied from Azure Portal.
8. In the Client Secret field, enter the Client secret value copied from Azure Portal.
9. In the Queue URL field, enter the queue URL using the following format: https://MyStorageAccount.queue.core.windows.net/MyQueueName where MyStorageAccount is your storage account that is being used for the activity logs and MyQueueName is the name of the queue, for example: http://laceworkcws.queue.core.windows.net/laceworkcws
10. Click Save. A new integration displays in Cloud Accounts.
11. When the integration is complete and successful, the status changes to Integration Successful.
12. In the Lacework Console, select Resources > Cloud > Azure Activity Log and under Date Range select Last 7 days. Verify that data is being gathered.

For the “Integration Pending” status, you can hover over the status text and click the refresh icon to fetch the status result again. This does not retest the integration.