barsgre.blogg.se - Azure active log

After the Service Principal is created and assigned suitable roles, take note of the following information:ĪpiVersion: /v1alpha1

Microsoft.EventHub/namespaces/authorizationRules/listkeys/actionĪdditionally, assign the role Azure Event Hubs Data Receiver to the Service Principal to allow it to receive events from Event Hubs.

Microsoft.Insights/DiagnosticSettings/Write.

Microsoft.Insights/DiagnosticSettings/Delete.

Microsoft.Insights/DiagnosticSettings/Read.

Make sure you select a role which has at least the following permissions: The section called “Assign a role to the application” describes how to assign permissions to the Service Principal.

You can create a Service Principal by following the instructions at How to: Use the portal to create an Azure AD application and service principal that can access resources.

Service Principal CreationĪ Service Principal is required in order to authenticate the event source against the Azure tenant that has authority over the Azure Subscription to monitor. To set this up, you’ll need to create an Azure Service Principal, an Event Hubs namespace, an Event Hubs instance, and a Shared Access Policy. Then, once the logs are on the hub, TriggerMesh can subscribe to that hub to send the events on to the destination. This routing is done by registering Diagnostic Settings that automatically send a selected set of log categories to a dedicated Event Hub. Get Azure Activity LogsĪzure Activity logs can be exported from Azure by routing them over Azure Event Hubs. Transformation to the desired schema can be done with the TriggerMesh JSON transformation. We will keep this straightforward with two parts: For example, the source could be Oracle Cloud Infrastructure (OCI) or Google Cloud Audit Logs, and the target could be your on-premises data center or a SaaS application like SecureWorks Taegis. Throughout this example, keep in mind that you can change any piece of this bridge to suit your specific needs. In this post we will be looking at a specific example of extracting audit log messages from Azure Activity Logs and sending them to AWS EventBridge from where they can be sent to AWS CloudWatch for example. The collection, transformation and dispatching of events in TriggerMesh is called a Bridge. With TriggerMesh, you can accomplish the ingestion of security events from your multiple cloud providers (e.g GCP, AWS, Azure), transform the events in specific schemas and send those events to any destination (called Target in TriggerMesh lingo).