Monitoring Azure platform and services

Azure Monitor Logs collects and organizes logs and performance data from monitored resources, including Azure services, virtual machines, and applications. Wazuh retrieves this data through the Azure Log Analytics REST API or by reading the contents of a Microsoft Azure Storage account directly. The Wazuh module for Azure enables centralized logging, threat detection, and compliance management of your Microsoft Azure environments from your Wazuh deployment.

The Wazuh module for Azure requires dependencies and credentials to access your Microsoft Azure logs. The dependencies are installed by default on the Wazuh manager, but you must install them yourself when you run the integration from a Wazuh agent. Review the Prerequisites section before proceeding.

Prerequisites

Installing dependencies

You can configure the Wazuh module for Azure either on the Wazuh manager or on a Wazuh agent. The choice depends only on where in your environment you can reach your Azure infrastructure from.

You only need to install dependencies when you configure the Azure integration on a Wazuh agent; the Wazuh manager already ships with all of them.

Python

The Wazuh module for Azure is compatible with Python 3.8 to 3.12. Later Python versions should also work, but compatibility is not guaranteed. If Python 3 is not already installed, run the following command on your monitored endpoint (the commands in this section use yum and apply to RHEL-based distributions; use the equivalent package manager elsewhere).

# yum update && yum install python3

You can install the required modules with pip, the Python package manager. Most Linux distributions provide it in their software repositories. Run the following command to install pip on your endpoint if it is not already present.

# yum update && yum install python3-pip

We recommend pip 19.3 or later, which simplifies installing the dependencies. Check your pip version with this command.

# pip3 --version

Example output:

pip 22.0.2 from /usr/lib/python3/dist-packages/pip (python 3.10)

If your pip version is older than 19.3, upgrade it with the following command.

# pip3 install --upgrade pip

Azure Storage client library for Python

Install the libraries in the command below on the Wazuh agent endpoint that will monitor your Microsoft Azure platform and services. The versions are pinned on purpose; install them exactly as listed.

# pip3 install azure-storage-blob==12.20.0 azure-storage-common==2.1.0 azure-common==1.1.25 cryptography==3.3.2 cffi==1.14.4 pycparser==2.20 six==1.14.0 python-dateutil==2.8.1 requests==2.25.1 certifi==2022.12.07 chardet==3.0.4 idna==2.9 urllib3==1.26.18 SQLAlchemy==2.0.23 pytz==2020.1
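Once the pinned packages are installed, it is worth confirming that the interpreter the module will run under actually sees them at the expected versions. The following script is an added example and is not part of Wazuh: it compares the pin list from the pip command above against what importlib.metadata reports, so a missing or mismatched package is caught now rather than as an import error in the module's log later.

```python
"""Verify the pinned dependencies of the Wazuh module for Azure on an agent.

Added example (not part of Wazuh): run it with the same python3 the module will
use. It compares the pins from the pip command above with what
importlib.metadata reports.
"""
from importlib import metadata

# The pin list from the pip command on this page.
PINNED = (
    "azure-storage-blob==12.20.0 azure-storage-common==2.1.0 azure-common==1.1.25 "
    "cryptography==3.3.2 cffi==1.14.4 pycparser==2.20 six==1.14.0 "
    "python-dateutil==2.8.1 requests==2.25.1 certifi==2022.12.07 chardet==3.0.4 "
    "idna==2.9 urllib3==1.26.18 SQLAlchemy==2.0.23 pytz==2020.1"
)


def parse_pins(spec):
    """Turn 'name==version ...' into {name: version}; reject unpinned entries."""
    pins = {}
    for requirement in spec.split():
        name, sep, version = requirement.partition("==")
        if not sep or not version:
            raise ValueError(f"not an exact pin: {requirement!r}")
        pins[name] = version
    return pins


def normalize_version(version):
    """Compare versions segment by segment: pip reports 2022.12.07 as 2022.12.7,
    so a plain string comparison would report a false mismatch for certifi."""
    return tuple(int(part) if part.isdigit() else part for part in version.split("."))


def check_pins(pins):
    """Return {name: 'ok' | 'missing' | 'mismatch:<installed version>'}."""
    report = {}
    for name, wanted in pins.items():
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            report[name] = "missing"
            continue
        same = normalize_version(installed) == normalize_version(wanted)
        report[name] = "ok" if same else f"mismatch:{installed}"
    return report


if __name__ == "__main__":
    for name, status in check_pins(parse_pins(PINNED)).items():
        print(f"{name:22} {status}")
```

Run it as `python3 check_pins.py` on the agent; any line that is not `ok` is a package to reinstall with the exact pin before enabling the wodle.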

Configuring Azure credentials

The Wazuh module for Azure needs access credentials to connect to Azure. Which credentials you need depends on the type of monitoring:

  • Access credentials for Microsoft Graph and Azure Log Analytics

  • Access credentials for Microsoft Azure Storage

The following sections provide an overview of how you can create these credentials.

Getting access credentials for Microsoft Graph and Azure Log Analytics

You need valid application_id and application_key values to authenticate the Wazuh module for Azure.

Follow the steps below to obtain an application_id and application_key:

  1. Go to Microsoft Entra ID and navigate to the registered application.

  2. Go to the Certificates & secrets section of the chosen application, then generate a secret key by selecting New client secret.

  3. Give the key a descriptive name and specify the duration for which the key should remain active, then select Add.

  4. Copy the Value and the Secret ID. Store them securely, because they are shown only once. The Value is the application_key. Note the expiry you set in the previous step: once the secret expires, the module can no longer authenticate until you create a new secret and update the credentials file.

  5. Copy the application_id value for your registered application from the Overview section.

Getting access credentials for Microsoft Azure Storage

Microsoft Azure Storage requires valid account_name and account_key values, available in the Access keys section of the storage account in your Azure environment. Follow the Microsoft guide to create a storage account if you do not have one yet.

Retrieve the storage account key as follows.

  1. Go to the Storage accounts section of your Microsoft Azure environment and select the account of interest.

  2. Navigate to Access keys located on the left pane to access the account_name and account_key values.

Wazuh Azure authentication file

To authenticate Wazuh to your Microsoft Azure environment, store the credentials in a file using the format field = value, one field per line.

The fields expected to be present in the credentials file depend on the type of service or activity you are monitoring.

Microsoft Azure Log Analytics and Graph

The file must contain exactly two lines: the application_id and the application_key obtained previously:

application_id = <YOUR_APPLICATION_ID>
application_key = <YOUR_APPLICATION_KEY>

Microsoft Azure Storage

The file must contain exactly two lines: the account_name and the account_key obtained previously:

account_name = <YOUR_ACCOUNT_NAME>
account_key = <YOUR_ACCOUNT_KEY>

Specify the authentication file in the /var/ossec/etc/ossec.conf configuration file using the <auth_path> tag, regardless of the service or activity you monitor. Because the file holds a secret, restrict its permissions so that only the user the Wazuh module runs as (and root) can read it. Take a look at the following example:

<wodle name="azure-logs">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>

  <log_analytics>
    <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
    <tenantdomain>wazuh.com</tenantdomain>
    <request>
      <query>AzureActivity</query>
      <workspace>12345678-90ab-cdef-1234-567890abcdef</workspace>
      <time_offset>1d</time_offset>
    </request>
  </log_analytics>

  <graph>
    <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
    <tenantdomain>wazuh.com</tenantdomain>
    <request>
      <query>auditLogs/directoryAudits</query>
      <time_offset>1d</time_offset>
    </request>
  </graph>

  <storage>
    <auth_path>/var/ossec/wodles/credentials/storage_credentials</auth_path>
    <container name="insights-activity-logs">
      <blobs>.json</blobs>
      <content_type>json_inline</content_type>
      <time_offset>24h</time_offset>
    </container>
  </storage>
</wodle>

For more information on <auth_path>, look at the Wazuh module for Azure reference page.

You can add more than one request block to the same configuration; the Wazuh module for Azure processes them one after another. The configuration above is only an example that combines Microsoft Azure Log Analytics, Graph, and Storage blocks; keep the blocks you need.
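A mistake in a credentials file (a placeholder left in place, a field name typo, a path that does not exist, or a file readable by everyone on the host) only surfaces as an authentication error after the wodle starts. The script below is an added example and is not part of the Wazuh project: it ties the credentials file format described above to the <auth_path> entries in the wodle configuration by reading each service block, opening the file it points at, and checking that the file contains exactly the fields this page documents for that service, holds no placeholder values, and is not group- or world-readable. The sample files it creates in demo() and the paths it uses are constructed for the demonstration.

```python
"""Pre-deployment check for the azure-logs wodle's credential files.

Added example, not part of the Wazuh project. It reads the <wodle name="azure-logs">
block, follows each <auth_path>, and checks that every file holds exactly the
fields this page documents for that service, contains no placeholder values, and
is not readable by other users. Paths and sample files in demo() are constructed.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Fields each service block's credentials file must contain (from this page).
EXPECTED_FIELDS = {
    "log_analytics": {"application_id", "application_key"},
    "graph": {"application_id", "application_key"},
    "storage": {"account_name", "account_key"},
}


def parse_auth_file(path):
    """Parse a 'field = value' file into a dict, ignoring blank lines."""
    fields = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line:
                continue
            if "=" not in line:
                raise ValueError(f"{path}: line without '=': {line!r}")
            key, value = (part.strip() for part in line.split("=", 1))
            fields[key] = value
    return fields


def check_auth_file(path, service):
    """Return the problems found in one credentials file ([] means it is fine)."""
    if not os.path.isfile(path):
        return [f"{service}: {path} does not exist"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{service}: {path} is accessible to group/others (mode {mode:04o})")
    try:
        fields = parse_auth_file(path)
    except ValueError as exc:
        return problems + [str(exc)]
    expected = EXPECTED_FIELDS[service]
    missing = sorted(expected - fields.keys())
    extra = sorted(fields.keys() - expected)
    if missing:
        problems.append(f"{service}: {path} is missing {missing}")
    if extra:
        problems.append(f"{service}: {path} has unexpected fields {extra}")
    for key in sorted(expected & fields.keys()):
        # Values copied straight from this page's template still look like <YOUR_...>.
        if not fields[key] or fields[key].startswith("<"):
            problems.append(f"{service}: {path} still has a placeholder for {key}")
    return problems


def check_wodle(xml_text):
    """Check every <auth_path> of the azure-logs wodle found in the given XML."""
    root = ET.fromstring(xml_text)
    wodle = root if root.tag == "wodle" else root.find(".//wodle[@name='azure-logs']")
    if wodle is None:
        return ['no <wodle name="azure-logs"> block found']
    problems = []
    for service in EXPECTED_FIELDS:
        for block in wodle.findall(service):
            auth_path = (block.findtext("auth_path") or "").strip()
            if not auth_path:
                problems.append(f"{service}: block has no <auth_path>")
                continue
            problems.extend(check_auth_file(auth_path, service))
    return problems


def demo():
    """Constructed scenario: one good file, one too-open file with a placeholder,
    and one <auth_path> that points at a file that was never created."""
    tmp = tempfile.mkdtemp()
    storage = os.path.join(tmp, "storage_credentials")
    with open(storage, "w", encoding="utf-8") as fh:
        fh.write("account_name = examplestorage\naccount_key = c2VjcmV0\n")
    os.chmod(storage, 0o600)  # owner-only: passes the permission check
    graph = os.path.join(tmp, "graph_credentials")
    with open(graph, "w", encoding="utf-8") as fh:
        fh.write("application_id = 11111111-2222-3333-4444-555555555555\n"
                 "application_key = <YOUR_APPLICATION_KEY>\n")
    os.chmod(graph, 0o644)  # world-readable: flagged
    missing = os.path.join(tmp, "log_analytics_credentials")  # never created
    config = f"""<wodle name="azure-logs">
  <log_analytics><auth_path>{missing}</auth_path></log_analytics>
  <graph><auth_path>{graph}</auth_path></graph>
  <storage><auth_path>{storage}</auth_path></storage>
</wodle>"""
    return check_wodle(config)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

To use it against a real deployment, pass the contents of /var/ossec/etc/ossec.conf to check_wodle() as the user the module runs as; an empty list means every referenced credentials file exists, is owner-only, and has exactly the fields the corresponding block needs.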

Reparse

Warning

The reparse option fetches and processes all the logs from the starting date up to the present, including logs that were already processed, so it may generate duplicate alerts.

To fetch and process older Azure logs, run the Wazuh module for Azure with the --reparse option.

The la_time_offset value sets how far back the starting point lies. If you omit la_time_offset, the Wazuh module for Azure goes back to the date on which it processed its first file.

The following code block shows an example of running the Wazuh module for Azure on a Wazuh manager using the --reparse option:

# /var/ossec/wodles/azure/azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse

The --debug 2 parameter produces verbose output, which is useful to confirm that the script is working, especially when it handles a large amount of data.
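The duplicate-alert warning above is easier to reason about when the reparse window is made explicit. The following script is an added example and is not the module's own code: it models the window that --reparse with a given la_time_offset covers (now minus the offset, or the date of the first processed file when no offset is given) and splits the events in that window into ones not seen before and repeats of already-processed ids, which are the source of duplicate alerts. Its offset parser handles only the h and d suffixes used in the examples on this page, and the event list and the set of already-processed ids are constructed.

```python
"""Model what --reparse fetches again, so the duplicate-alert warning is visible
before you run it. Added example, not the module's own code: the offset parser
only handles the 'h' and 'd' suffixes used on this page, and the event list and
processed-id set in demo() are constructed."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the demo is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def offset_to_start(offset, now):
    """'50d' -> now minus 50 days, '24h' -> now minus 24 hours."""
    value, unit = int(offset[:-1]), offset[-1]
    if unit == "d":
        return now - timedelta(days=value)
    if unit == "h":
        return now - timedelta(hours=value)
    raise ValueError(f"unsupported offset suffix in {offset!r}")


def reparse_start(now, time_offset=None, first_processed=None):
    """Start of the reparse window: now minus the offset when one is given,
    otherwise the date on which the module processed its first file."""
    if time_offset:
        return offset_to_start(time_offset, now)
    if first_processed is None:
        raise ValueError("need a time offset or the date of the first processed file")
    return first_processed


def split_reparse_batch(events, start, seen_ids):
    """Split the events a reparse fetches (time >= start) into ones not seen
    before and repeats of already-processed ids. The repeats are what turn into
    duplicate alerts unless something downstream drops them."""
    new, repeats = [], []
    for event in events:
        if event["time"] < start:
            continue
        if event["id"] in seen_ids:
            repeats.append(event)
        else:
            seen_ids.add(event["id"])
            new.append(event)
    return new, repeats


def demo():
    """Constructed: one AzureActivity event per day for 60 days; the module has
    already processed the most recent 30. A reparse with --la_time_offset 50d
    covers 51 of those days: 21 events are new, 30 are repeats."""
    events = [{"id": f"evt-{d}", "time": NOW - timedelta(days=d)} for d in range(60)]
    seen = {f"evt-{d}" for d in range(30)}
    start = reparse_start(NOW, time_offset="50d")
    new, repeats = split_reparse_batch(events, start, seen)
    return len(new), len(repeats)


if __name__ == "__main__":
    print("new events: %d, repeats (potential duplicate alerts): %d" % demo())
```

Before a large reparse, size the offset so the window starts where the previously processed data ends; every event the window overlaps with data already in Wazuh is a repeat that will alert again.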