diff --git a/source/cloud-security/azure/log-analytics.rst b/source/cloud-security/azure/log-analytics.rst index 973ffff7e5..5684541a37 100644 --- a/source/cloud-security/azure/log-analytics.rst +++ b/source/cloud-security/azure/log-analytics.rst @@ -205,6 +205,8 @@ Use case Here is an example of monitoring the infrastructure activity using the previously created Azure application. +.. _log_analytics_use_case_creating_user: + Creating a user ~~~~~~~~~~~~~~~ diff --git a/source/cloud-security/azure/platform-and-services.rst b/source/cloud-security/azure/platform-and-services.rst index e6c4be2a66..67d5174d13 100644 --- a/source/cloud-security/azure/platform-and-services.rst +++ b/source/cloud-security/azure/platform-and-services.rst @@ -106,6 +106,8 @@ Follow the steps below to obtain an ``application_id`` and ``application_key``: :align: center :width: 80% +.. _getting_access_credentials: + Getting access credentials for Microsoft Azure Storage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/cloud-security/azure/storage.rst b/source/cloud-security/azure/storage.rst new file mode 100644 index 0000000000..fe3ab8ea46 --- /dev/null +++ b/source/cloud-security/azure/storage.rst 
@@ -0,0 +1,127 @@ +.. Copyright (C) 2015, Wazuh, Inc. + +.. meta:: + :description: As an alternative to the Azure Log Analytics REST API, Wazuh offers access to a Microsoft Azure Storage account. + +Microsoft Azure Storage +======================= + +`Microsoft Azure Storage `__ refers to the Microsoft Azure cloud storage solution. This service provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store. + +.. thumbnail:: /images/cloud-security/azure/microsoft-azure-storage-diagram.png + :align: center + :width: 80% + +As an alternative to the Azure Log Analytics REST API, Wazuh offers access to a Microsoft Azure Storage account. You can export the activity logs of the Microsoft Azure infrastructure to the storage accounts. + +This section explains using the Azure portal to archive your Microsoft Azure activity logs in a storage account. + +Configuration +------------- + +Azure +^^^^^ + +Configuring the activity log export +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +#. Select the **Audit Logs** option from the **Monitoring section** within **Microsoft Entra ID** and click on **Export Data Settings**. + + .. thumbnail:: /images/cloud-security/azure/export-data-settings.png + :align: center + :width: 80% + +#. Click **Add diagnostic setting**. + + .. thumbnail:: /images/cloud-security/azure/add-diagnostic-setting2.png + :align: center + :width: 80% + +#. Select the **AuditLogs** and **Archive to the storage account** checkbox, then select the subscription and Storage account to which you want to export the logs from the dropdown menu. + + .. thumbnail:: /images/cloud-security/azure/archive-to-the-storage-account.png + :align: center + :width: 80% + +Wazuh server or agent +^^^^^^^^^^^^^^^^^^^^^ + +It is important to set the ``account_name`` and ``account_key`` of the storage account to authenticate. The image below shows an already configured storage account. + +.. 
thumbnail:: /images/cloud-security/azure/storage-account-configured.png + :align: center + :width: 80% + +Check the :ref:`credentials ` section for guidance on configuring Microsoft Azure Storage credentials. + +#. Apply the following configuration to the local configuration file ``/var/ossec/etc/ossec.conf`` of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure: + + .. code-block:: xml + + + + no + 1d + yes + + + + /home/manager/Azure/storage_auth.txt + azure-activity + + + .json + json_inline + 24h + info-logs + + + + + + Where + + - ```` is the full path of where the workspace secret key is stored. + - ```` contains useful parameters while fetching blog storage contents. + - ```` the log container that will be streamed. + - ``.json`` is the blob format that will be downloaded. + - ```` is the timeframe dated backward. In this case, all logs within a 24-hour timeframe will be downloaded. + - ```` is the format for storing the content of the blobs. + + Check the :doc:`Wazuh module for Azure ` reference page to learn more about the parameters available and how to use them. + +#. Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure. + + Wazuh agent: + + .. code-block:: console + + # systemctl restart wazuh-agent + + Wazuh server: + + .. code-block:: console + + # systemctl restart wazuh-manager + +Use case +^^^^^^^^ + +Here is an example of Microsoft Entra ID activity monitoring using the above configuration. + +Create a new user +~~~~~~~~~~~~~~~~~ + +Create a new user in your Microsoft Azure environment using Microsoft Entra ID. A few minutes after creating the user, a new log will be available in a container named ``insights-activity-logs`` inside the Storage account specified when configuring the Activity log export. + +Please refer to the :ref:`creating a user ` section under the Azure Log Analytics use case. + +.. 
thumbnail:: /images/cloud-security/azure/new-container-available.png + :align: center + :width: 80% + +You can check the results in the Wazuh dashboard. + +.. thumbnail:: /images/cloud-security/azure/results-in-wazuh-dashboard2.png + :align: center + :width: 80% diff --git a/source/images/cloud-security/azure/add-diagnostic-setting2.png b/source/images/cloud-security/azure/add-diagnostic-setting2.png new file mode 100644 index 0000000000..be36582bef Binary files /dev/null and b/source/images/cloud-security/azure/add-diagnostic-setting2.png differ diff --git a/source/images/cloud-security/azure/archive-to-the-storage-account.png b/source/images/cloud-security/azure/archive-to-the-storage-account.png new file mode 100644 index 0000000000..f90aca9d68 Binary files /dev/null and b/source/images/cloud-security/azure/archive-to-the-storage-account.png differ diff --git a/source/images/cloud-security/azure/export-data-settings.png b/source/images/cloud-security/azure/export-data-settings.png new file mode 100644 index 0000000000..30b1b7d8a4 Binary files /dev/null and b/source/images/cloud-security/azure/export-data-settings.png differ diff --git a/source/images/cloud-security/azure/microsoft-azure-storage-diagram.png b/source/images/cloud-security/azure/microsoft-azure-storage-diagram.png new file mode 100644 index 0000000000..a06b39a9aa Binary files /dev/null and b/source/images/cloud-security/azure/microsoft-azure-storage-diagram.png differ diff --git a/source/images/cloud-security/azure/new-container-available.png b/source/images/cloud-security/azure/new-container-available.png new file mode 100644 index 0000000000..a52d4e4cd6 Binary files /dev/null and b/source/images/cloud-security/azure/new-container-available.png differ 
diff --git a/source/images/cloud-security/azure/results-in-wazuh-dashboard2.png b/source/images/cloud-security/azure/results-in-wazuh-dashboard2.png new file mode 100644 index 0000000000..0499c8ab23 Binary files /dev/null and b/source/images/cloud-security/azure/results-in-wazuh-dashboard2.png differ diff --git a/source/images/cloud-security/azure/storage-account-configured.png b/source/images/cloud-security/azure/storage-account-configured.png new file mode 100644 index 0000000000..92a4b25245 Binary files /dev/null and b/source/images/cloud-security/azure/storage-account-configured.png differ
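Review bot: the label added in platform-and-services.rst, ``.. _getting_access_credentials:``, is too generic for a Sphinx label, which is global across the whole documentation project; since this section lives under cloud-security/azure and the same heading pattern ("Getting access credentials for ...") is likely to recur for other providers, a later duplicate would break the cross-reference silently. Use a namespaced name that matches the style of the other label in this patch (``log_analytics_use_case_creating_user``), for example ``azure_storage_access_credentials``, and update the ``:ref:`` in storage.rst to match.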
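Review bot: in the new storage.rst, the container name in the sample configuration (``azure-activity``) does not match the container the use case tells the reader to look in (``insights-activity-logs``), and the diagnostic-setting steps export Microsoft Entra ID **AuditLogs** while the surrounding text calls this the "Activity log export" and "Microsoft Entra ID activity monitoring"; settle on one source (Entra audit logs or Azure activity logs) and make the container value in the snippet, the use-case paragraph and the screenshots agree, otherwise readers will point the module at a container that never receives the logs. Two wording fixes in the "Where" list: the first bullet says the auth file holds the "workspace secret key", but on this page it holds the storage ``account_name`` and ``account_key`` (workspace is Log Analytics terminology), and "blog storage contents" should read "blob storage contents". Because ``/home/manager/Azure/storage_auth.txt`` contains a storage account key, which grants full access to the account, add a sentence telling readers to restrict the file to the account the Wazuh process runs as (owner-only read, for example ``chmod 600`` plus the matching ``chown``) rather than leaving it in a home directory with default permissions. Finally, the snippet pairs a ``1d`` run interval with a ``24h`` lookback window while the use case notes blobs appear "a few minutes after" the event; a short note that the window should overlap the interval, or that a delayed run can miss blobs at the boundary, would save readers from unexplained gaps.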