Using Azure Storage
Azure Storage refers to the Microsoft Azure cloud storage solution, a service that provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store.
As an alternative to the Azure Log Analytics REST API, Wazuh offers the possibility to access Azure Storage accounts in a simple way. The activity logs of the Microsoft Azure infrastructure can be exported to the storage accounts.
This section explains how to use the Azure portal to archive the Azure activity log in a storage account and how to configure the
azure-logs module. A use case is included to show a practical example.
Configuring the Activity log export
To export the logs, search for the Activity log service. It can be found by typing "Activity" in the search engine. From there, access the Audit Logs section and click on Export Data Settings.
Click on Add diagnostic setting.
Check the AuditLogs box and the Archive to storage account, selecting the name of the subscription and the Storage account to export the logs.
Azure Storage use case
This is a basic example of how to monitor the activity of the infrastructure. A new user will be created, resulting in an Azure Activity Log that will be exported to Storage if the Activity Log export was configured successfully.
Creating a user
An easy way to test this configuration is to create a new user in Azure Active Directory. A few minutes after the creation of the user, a new log will be available in a container named insights-logs-auditlogs inside the Storage account specified when configuring the Activity log export.
Proceed to configure the
azure-logs module in the local configuration (
ossec.conf). It is important to set the account_name and account_key of the Storage account to authenticate. This information can be found in the Access keys section of Storage accounts. Check the credentials reference for more information about the different authentication options available.
Applying the following configuration, the integration will be executed every day using a credentials file for authentication. The contents of the
insights-operational-logs will be processed, downloading every blob available with
.json extension from the last
24 hours. The content for these blobs is expected to be in
<wodle name="azure-logs"> <disabled>no</disabled> <interval>1d</interval> <run_on_start>yes</run_on_start> <storage> <auth_path>/home/manager/Azure/storage_auth.txt</auth_path> <tag>azure-activity</tag> <container name="insights-operational-logs"> <blobs>.json</blobs> <content_type>json_inline</content_type> <time_offset>24h</time_offset> </container> </storage> </wodle>
Check the Azure module reference page to learn more about the parameters available and how to use them.
Thanks to the following rules, already included in Wazuh ruleset by default, it it possible to monitor the infrastructure activity and get the related alerts:
<rule id="87803" level="3"> <decoded_as>json</decoded_as> <field name="azure_tag">azure-storage</field> <description>Azure: Storage</description> </rule> <rule id="87813" level="3"> <if_sid>87803</if_sid> <field name="operationName">\.+</field> <description>Azure: Storage: $(OperationName)</description> </rule>