Azure Log Analytics is a service that monitors your infrastructure offering query capabilities that allow you to perform advanced searches specific to your data.
The Log Analytics solution helps you to analyze and search the Azure activity log in all your Azure subscriptions, providing information about the operations performed with the resources of your subscriptions.
The data collected by Log Analytics can be consulted through the Azure Log Analytics REST API. The Azure Log Analytics API uses the Azure Active Directory authentication scheme.
A qualified application or client is required to use the Azure Log Analytics REST API. This must be configured manually on the Microsoft Azure portal.
The process explained below details the creation of an application that will use the Azure Log Analytics REST API. It is also possible to configure an existing application. If this is the case, skip the Creating the application step.
In the Azure Active Directory panel, select the option App registrations. Then, select New registration.
Go to the Overview section and save the Application (client) ID for later authentication.
Go to the API permissions section and add the required permissions to the application.
Search for the Log Analytics API.
Select the Read Log Analytics data permission from Applications permissions.
Grant admin consent for the tenant domain used for the permission added in the previous step. This must be done by an admin user.
Access Log Analytics workspaces and create a new workspace or choose an existing one.
In the Overview section, copy the
Workspace Idvalue. The Wazuh configuration needs it to make requests to the API.
In the Access control (IAM) section, click Add and select Add role assignment to add the required role to the application.
In the Role tab, select the Log Analytics Reader role.
In the Members tab, select User, group, or service principal under Assign access to. Then, click Select members under Members and find the App registration created previously.
Click Review + assign to finish.
To collect logs and send them to the Log Analytics Workspace created in the previous steps, you need to create a diagnostic setting.
Go back to Azure Active Directory, scroll down on the left menu bar, and select the Diagnostic settings section. Click on Add diagnostic setting.
Choose the log categories you want to collect from, under Logs Categories. Check the Send to Log Analytics workspace option under Destination details. Select the Log Analytics Workspace you created in previous steps.
Click on Save.
Now, Azure Log Analytics can stream new logs in the selected categories to your workspace.
Wazuh requires valid credentials to pull logs from Log Analytics. Take a look at the credentials section to learn how to generate a client secret so you can access the App registration.
Here is an example of monitoring the activity of the infrastructure using the previously mentioned Azure application.
An easy way to test this is to create a new user in Azure Active Directory. A few minutes after the creation of the user, a new log will be available for Log Analytics reflecting this change. The log can be checked using the
AuditLogs query, by accessing Log Analytics and running the
Proceed with configuring the
azure-logs module in the local configuration (
ossec.conf). The key and ID of the application saved during the configuration of the application will be used here, as well as the workspace ID. In this case, both fields were saved in a file for authentication. Check the credentials reference for more information about this topic.
Through the following configuration, Wazuh is ready to search for any query accepted by Azure Log Analytics. This example configuration includes a representative
tag and will be scheduled for every Monday at 02:00, using an offset of one day, which means only the log data from the last day will be parsed:
<wodle name="azure-logs"> <disabled>no</disabled> <run_on_start>no</run_on_start> <log_analytics> <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path> <tenantdomain>wazuh.onmicrosoft.com</tenantdomain> <request> <tag>azure-auditlogs</tag> <query>AuditLogs</query> <workspace>d6b...efa</workspace> <time_offset>1d</time_offset> </request> </log_analytics> </wodle>
Check the reference for more information about the Azure module.
tenantdomain is mandatory. It can be obtained from the Overview section in the Azure Active Directory.
The following rules are already included in Wazuh by default. With them, it it possible to monitor the infrastructure activity and get the related alerts.
<rule id="87801" level="5"> <decoded_as>json</decoded_as> <field name="azure_tag">azure-log-analytics</field> <description>Azure: Log analytics</description> </rule> <rule id="87810" level="3"> <if_sid>87801</if_sid> <field name="Type">AzureActivity</field> <description>Azure: Log analytics activity</description> </rule> <rule id="87811" level="3"> <if_sid>87810</if_sid> <field name="OperationName">\.+</field> <description>Azure: Log analytics: $(OperationName)</description> </rule>
Once the Wazuh configuration is set and the
azure-logs module is running using the previous configuration, the event will be processed. The results can be checked in the Wazuh dashboard: