Using Azure Storage

Azure Storage refers to Microsoft Azure cloud storage solution, a service that provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store.

As an alternative to the Azure Log Analytics REST API, Wazuh offers the possibility to access Azure Storage accounts in a simple way. The activity logs of the Microsoft Azure infrastructure can be exported to the storage accounts.

This section explains how to use the Azure portal to archive the Azure activity log in a storage account and how to configure the azure-logs module. A use case is included to show a practical example.

Configuring the Activity log export

  1. To export the logs, search for the Activity log service. It can be found by typing “Activity” in the search engine. From there, access the Audit Logs section and click on Export Data Settings.

  1. Click on Add diagnostic setting.

  1. Check the AuditLogs box and the Archive to storage account, selecting the name of the subscription and the Storage account to export the logs.

Azure Storage use case

This is a basic example of how to monitor the activity of the infrastructure. A new user will be created, resulting in an Azure Activity Log that will be exported to Storage if the Activity Log export was configured successfully.

Creating a user

An easy way to test this configuration is to create a new user in Azure Active Directory. A few minutes after the creation of the user, a new log will be available in a container named insights-logs-auditlogs inside the Storage account specified when configuring the Activity log export.

Wazuh configuration

Proceed to configure the azure-logs module in the local configuration (ossec.conf). It is important to set the account_name and account_key of the Storage account to authenticate. This information can be found in the Access keys section of Storage accounts. Check the credentials reference for more information about the different authentication options available.

Applying the following configuration, the integration will be executed every day using a credentials file for authentication. The contents of the insights-operational-logs will be processed, downloading every blob available with .json extension from the last 24 hours. The content for these blobs is expected to be in json_inline format.

<wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <storage>

            <auth_path>/home/manager/Azure/storage_auth.txt</auth_path>
            <tag>azure-activity</tag>

            <container name="insights-operational-logs">
                <blobs>.json</blobs>
                <content_type>json_inline</content_type>
                <time_offset>24h</time_offset>
            </container>

    </storage>
</wodle>

Check the Azure module reference page to learn more about the parameters available and how to use them.

Wazuh rules

Thanks to the following rules, already included in Wazuh ruleset by default, it it possible to monitor the infrastructure activity and get the related alerts:

<rule id="87803" level="3">
    <decoded_as>json</decoded_as>
    <field name="azure_tag">azure-storage</field>
    <description>Azure: Storage</description>
</rule>

<rule id="87813" level="3">
    <if_sid>87803</if_sid>
    <field name="operationName">\.+</field>
    <description>Azure: Storage: $(OperationName)</description>
</rule>

Alert visualization

Once the Wazuh configuration is set and the azure-logs module is running using the previous configuration, the event from the user creation example exported to Storage will be processed. The results can be check in Wazuh UI.