Microsoft Azure Storage

Microsoft Azure Storage refers to the Microsoft Azure cloud storage solution. This service provides a massively scalable object store for data objects, a messaging store for reliable messaging, a file system service for the cloud, and a NoSQL store.

As an alternative to the Azure Log Analytics REST API, Wazuh offers access to a Microsoft Azure Storage account. You can export the activity logs of the Microsoft Azure infrastructure to the storage accounts.

This section explains using the Azure portal to archive your Microsoft Azure activity logs in a storage account.

Configuration

Azure

Configuring the activity log export

  1. Select the Audit Logs option from the Monitoring section within Microsoft Entra ID and click on Export Data Settings.

  2. Click Add diagnostic setting.

  3. Select the AuditLogs and Archive to the storage account checkbox, then select the subscription and Storage account to which you want to export the logs from the dropdown menu.

Wazuh server or agent

It is important to set the account_name and account_key of the storage account to authenticate. The image below shows an already configured storage account.

Check the credentials section for guidance on configuring Microsoft Azure Storage credentials.

  1. Apply the following configuration to the local configuration file /var/ossec/etc/ossec.conf of the Wazuh server or agent. This will depend on where you configured the Wazuh module for Azure:

    <wodle name="azure-logs">
    
        <disabled>no</disabled>
        <interval>1d</interval>
        <run_on_start>yes</run_on_start>
    
        <storage>
    
                <auth_path>/home/manager/Azure/storage_auth.txt</auth_path>
                <tag>azure-activity</tag>
    
                <container name="insights-activity-logs">
                    <blobs>.json</blobs>
                    <content_type>json_inline</content_type>
                    <time_offset>24h</time_offset>
                    <path>info-logs</path>
                </container>
    
        </storage>
    </wodle>
    

    Where

    • <auth_path> is the full path of where the workspace secret key is stored.

    • <container> contains useful parameters while fetching blog storage contents.

    • <container name="insights-activity-logs"> the log container that will be streamed.

    • <blobs>.json</blobs> is the blob format that will be downloaded.

    • <time_offset> is the timeframe dated backward. In this case, all logs within a 24-hour timeframe will be downloaded.

    • <content_type> is the format for storing the content of the blobs.

    Check the Wazuh module for Azure reference page to learn more about the parameters available and how to use them.

  2. Restart your Wazuh server or agent, depending on where you configured the Wazuh module for Azure.

    Wazuh agent:

    # systemctl restart wazuh-agent
    

    Wazuh server:

    # systemctl restart wazuh-manager
    

Use case

Here is an example of Microsoft Entra ID activity monitoring using the above configuration.

Create a new user

Create a new user in your Microsoft Azure environment using Microsoft Entra ID. A few minutes after creating the user, a new log will be available in a container named insights-activity-logs inside the Storage account specified when configuring the Activity log export.

Please refer to the creating a user section under the Azure Log Analytics use case.

You can check the results in the Wazuh dashboard.