Microsoft Azure Log Analytics

Microsoft Azure Log Analytics is a service that monitors your Microsoft Azure infrastructure, offering query capabilities that allow you to perform advanced searches specific to your data.

The Azure Log Analytics solution helps you to analyze and search Azure activity logs in all your Azure subscriptions, providing information about the operations performed with the resources of your subscriptions.

You can query data collected by Log Analytics using the Azure Log Analytics REST API, which uses the Microsoft Entra ID authentication scheme. You need a qualified application or client to use the Azure Log Analytics REST API. You must configure this manually on the Microsoft Azure portal. The section below shows how to set up the application and gives a use case:

Configuration

Azure

Setting up the application

The process below details creating an application that uses the Azure Log Analytics REST API. It is also possible to configure an existing application. Skip the Creating the application step if you already have one.

Creating the application

We navigate to the Microsoft Entra ID panel on the Microsoft Azure portal to create a new application for Azure Log Analytics.

  1. Select the App registrations option from the Microsoft Entra ID panel. Then, select New registration.

  2. Define the user-facing display name for the application and select Register.

Granting permissions to the application
  1. Select All applications from App registrations and refresh the list. The new application will appear. In our case, the display name is LogAnalyticsApp.

  2. Go to the Overview section and save the Application (client) ID for later authentication.

  3. Go to the API permissions section and add the Data.Read permission to the application.

  4. Search for the Log Analytics API.

  5. Select the Read Log Analytics data permission from Applications permissions.

  6. Use an admin user to Grant admin consent for the tenant.

Granting the application access to the Azure Log Analytics API
  1. Access Log Analytics workspaces and create a new workspace or choose an existing one.

  2. Copy the Workspace ID value from the Overview section.

  3. Go to the Access control (IAM) section, click Add and select Add role assignment to add the required role to the application.

  4. Select the Log Analytics Reader role from the Job functions role tab.

  5. Select User, group, or service principal from the Members tab. Click Select members and find the App registration created previously.

  6. Click Review + assign to finish.

Sending logs to the Workspace

You need to create a diagnostic setting to collect logs and send them to the Azure Log Analytics Workspace created in the previous steps.

  1. Return to Microsoft Entra ID, scroll down on the left menu bar, and select the Diagnostic settings section.

  2. Click on Add diagnostic setting.

  3. Choose the log categories you want to collect from under Categories. Check the Send to Log Analytics workspace option under Destination details. Select the Log Analytics Workspace you created in the previous steps.

  4. Click on Save.

Azure Log Analytics will stream the selected categories to your workspace.

Wazuh requires valid credentials to pull logs from Azure Log Analytics. See the Configuring Azure credentials section to learn how to generate a client secret for the App registration.

Wazuh server or agent

You need to authorize the Wazuh module for Azure to access your Azure Log Analytics. For more information about setting up authorization, see the Configuring Azure credentials section.

  1. Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure:

    <wodle name="azure-logs">
        <disabled>no</disabled>
        <run_on_start>no</run_on_start>
    
        <log_analytics>
            <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
            <tenantdomain>wazuh.com</tenantdomain>
    
            <request>
                <tag>azure-auditlogs</tag>
                <query>AuditLogs</query>
                <workspace>d6b...efa</workspace>
                <time_offset>1d</time_offset>
            </request>
    
        </log_analytics>
    </wodle>
    

    Where:

    • <auth_path> is the full path of the file where the client secret used to authenticate against the workspace is stored.

    • <tenantdomain> is the tenant domain name. You can obtain this from the Overview section in Microsoft Entra ID.

    • <workspace> is the workspace ID that you need for authentication.

    • <time_offset> is how far back in time the query reaches, counted from the moment the module runs. In this case, all logs from the last 24 hours are downloaded.
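    Before restarting the Wazuh server or agent it is worth checking that the <wodle name="azure-logs"> block is internally consistent and that the credentials file is not readable by other local users. The script below is an added example, not part of the Wazuh module or this documentation. It parses a constructed copy of the configuration above (with a placeholder workspace ID), and it assumes that <time_offset> is a number followed by m, h or d and that the workspace ID is a GUID; the permission check is injectable so it runs without the real credentials file.

```python
"""Audit the azure-logs wodle configuration before restarting Wazuh.

Added example, not Wazuh project code. Assumptions are marked in comments.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed sample mirroring the page's configuration, with a placeholder workspace ID.
SAMPLE_CONFIG = """
<wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>no</run_on_start>
    <log_analytics>
        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain>wazuh.com</tenantdomain>
        <request>
            <tag>azure-auditlogs</tag>
            <query>AuditLogs</query>
            <workspace>00000000-0000-0000-0000-000000000000</workspace>
            <time_offset>1d</time_offset>
        </request>
    </log_analytics>
</wodle>
"""

# Assumption: time_offset is a positive integer followed by m (minutes), h (hours) or d (days).
_OFFSET_RE = re.compile(r"^(\d+)([mhd])$")
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
# Assumption: a Log Analytics workspace ID is a GUID.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_time_offset(value):
    """Return the lookback window as a timedelta, or None if the value is malformed."""
    m = _OFFSET_RE.match(value.strip())
    if not m:
        return None
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def check_auth_file_mode(mode):
    """Return a finding if the credentials file is readable by group or others."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "auth_path is readable by group or others; restrict it to the wazuh user"
    return None


def audit_config(xml_text, mode_func=lambda path: os.stat(path).st_mode):
    """Return a list of findings; an empty list means the wodle config looks consistent.

    mode_func returns the st_mode of a path (or raises FileNotFoundError) and is
    injectable so the audit can run without the real credentials file.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "wodle" or root.get("name") != "azure-logs":
        return ['root element must be <wodle name="azure-logs">']
    la = root.find("log_analytics")
    if la is None:
        return ["missing <log_analytics> block"]

    auth_path = la.findtext("auth_path", "").strip()
    if not auth_path:
        findings.append("missing <auth_path>")
    else:
        try:
            finding = check_auth_file_mode(mode_func(auth_path))
            if finding:
                findings.append(finding)
        except FileNotFoundError:
            findings.append(f"auth_path {auth_path} does not exist")

    if not la.findtext("tenantdomain", "").strip():
        findings.append("missing <tenantdomain>")

    requests = la.findall("request")
    if not requests:
        findings.append("no <request> blocks; nothing will be queried")
    seen_tags = set()
    for i, req in enumerate(requests, 1):
        tag = req.findtext("tag", "").strip()
        if not tag:
            findings.append(f"request {i}: missing <tag>")
        elif tag in seen_tags:
            findings.append(f"request {i}: duplicate tag {tag!r}; events would be indistinguishable")
        seen_tags.add(tag)
        if not req.findtext("query", "").strip():
            findings.append(f"request {i}: missing <query>")
        ws = req.findtext("workspace", "").strip()
        if not _GUID_RE.match(ws):
            findings.append(f"request {i}: <workspace> {ws!r} is not a workspace ID (GUID)")
        if parse_time_offset(req.findtext("time_offset", "")) is None:
            findings.append(f"request {i}: <time_offset> must look like 30m, 12h or 1d")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real host pass the <wodle> block from ossec.conf.
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

    Run it with the <wodle> block extracted from /var/ossec/etc/ossec.conf; a mode of 0600 owned by the user the module runs as is the expected state for the auth_path file, since anyone who can read it can query the workspace with the application's identity.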

  2. Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure.

    Wazuh agent:

    # systemctl restart wazuh-agent
    

    Wazuh server:

    # systemctl restart wazuh-manager
    

With the configuration above, Wazuh runs the query in each <request> block against the workspace and labels the resulting events with the <tag> value, so events from different queries can be told apart.
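To make the exchange behind that configuration concrete, the script below reproduces offline what a client-credentials consumer of the Azure Log Analytics REST API does: it builds the Microsoft Entra ID token request, builds the workspace query request with the <time_offset> turned into an ISO 8601 timespan, and flattens the API's tables/columns/rows response into events carrying the request tag. This is an added example and not the Wazuh module's code; the endpoints and body shapes follow the public Microsoft identity platform and Log Analytics API documentation, nothing is sent over the network, the response is constructed inline, and the azure_tag field name is a choice made here.

```python
"""Offline walk-through of the Azure Log Analytics REST exchange.

Added example, not Wazuh's module code. It builds the two requests (token, then
query) and parses a constructed response; no HTTP request is actually sent.
"""
import json
import re
from urllib.parse import urlencode

# Public endpoints of the Microsoft identity platform and the Log Analytics API (v1).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
SCOPE = "https://api.loganalytics.io/.default"


def build_token_request(tenant_domain, client_id, client_secret):
    """Client-credentials token request; the secret travels only in the POST body."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }
    return {
        "method": "POST",
        "url": TOKEN_URL.format(tenant=tenant_domain),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def offset_to_timespan(time_offset):
    """Convert a wodle-style offset (30m, 12h, 1d) to an ISO 8601 duration."""
    m = re.fullmatch(r"(\d+)([mhd])", time_offset.strip())
    if not m:
        raise ValueError(f"unsupported time_offset {time_offset!r}")
    n, unit = m.group(1), m.group(2)
    return f"P{n}D" if unit == "d" else f"PT{n}{unit.upper()}"


def build_query_request(workspace_id, query, time_offset, access_token):
    """Workspace query request; the timespan bounds the query on the server side."""
    body = {"query": query, "timespan": offset_to_timespan(time_offset)}
    return {
        "method": "POST",
        "url": QUERY_URL.format(workspace=workspace_id),
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body),
    }


def rows_to_events(response_json, tag):
    """Flatten the tables/columns/rows response into dicts labelled with the request tag."""
    events = []
    for table in response_json.get("tables", []):
        names = [column["name"] for column in table["columns"]]
        for row in table["rows"]:
            event = dict(zip(names, row))
            event["azure_tag"] = tag  # field name chosen for this example
            events.append(event)
    return events


# Constructed response in the API's shape (two AuditLogs rows); not real tenant data.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "OperationName", "type": "string"},
            {"name": "Result", "type": "string"},
        ],
        "rows": [
            ["2024-01-01T10:00:00Z", "Add user", "success"],
            ["2024-01-01T10:05:00Z", "Add member to role", "failure"],
        ],
    }]
}


def demo():
    """Build both requests with placeholder identifiers and parse the sample response."""
    token_req = build_token_request("wazuh.com", "<application-client-id>", "<client-secret>")
    query_req = build_query_request("<workspace-id>", "AuditLogs", "1d", "<access-token>")
    return token_req, query_req, rows_to_events(SAMPLE_RESPONSE, "azure-auditlogs")


if __name__ == "__main__":
    token_req, query_req, events = demo()
    print(token_req["method"], token_req["url"])
    print(query_req["method"], query_req["url"], query_req["body"])
    for event in events:
        print(json.dumps(event))
```

The timespan is the part to check when logs seem to be missing: a query with <time_offset>1d</time_offset> only returns rows from the last 24 hours, so a module that runs less often than that leaves gaps, while one that runs more often re-reads overlapping rows.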

Check the reference for more information about the Wazuh module for Azure.

Use case

Here is an example of monitoring the infrastructure activity using the previously created Azure application.

Creating a user

Follow the steps outlined below to create a user on Microsoft Entra ID:

  1. Navigate to Entra ID and select All users.

  2. Click on New User.

  3. Choose the option to Create a new user.

  4. Provide the necessary details for the user you want to create, and then choose the Create option to complete the creation.

Visualizing the events on the Wazuh dashboard

Once set up, you can check the results in the Wazuh dashboard.