Azure Integration for Logs

Title :- Azure Integration for Logs

Summary – InsightFinder can source the logs from Microsoft Azure and correlate it with other data to generate anomalies and root causes. Below documentation is a walk through of how to configure Azure and InsightFinder integration.

Project Creation :-

1. Go to “Settings”->“System Settings”. Click on “Add New Project”.
2. Select “Microsoft Azure” from the list and click on “Create Project” on the next page.
3. This is where you will start configuring the project.
   1. Client Id, Client Secret, Tenant Id, Subscription id, – Use your MS Azure authentication key information here.
   2. Data Type – Log
4. Click on “Verify” and you will be taken to the next page if verification is successful.
5. Select “Workspace” from the dropdown and add table by clicking on “Add” and then selecting the table from the list. You need to select the field in that table for instance and timestamp in the fields in that row. These selections will be based on what you want to configure for your analytics in the InsightFinder.

   

6. Then on the next page, you can type in the “Project Name” and “System Name” and click on Register. You can also define detection keywords and Incident labels.
   1. Detection keywords/regular expressions are used to detect which log entries will produce allowlist alerts.
   2. Incident labels/regex are used to identify which log entries indicate incidents.

   

7. Once a project is successfully created, you will see a message like below.

Once a project is successfully created, you can see the data streaming using the Log Analysis page.

MS Azure Credentials for Project Configuration :-

Information needed – Microsoft Azure credentials are required for the authentication step.

1. You need to have a subscription with MS Azure. When you click into the subscription, you will get your subscription Id.
   
2. Go to “Azure Active Directory” and then “App Registration”. Register a new app. Once your app is registered, you can go into the app and get a client Id and tenant ID.
3. Then you can generate the client secret by going to the “certificates & secrets” page.
4. Next step is to add permission to the app. Go to the IAM page for a subscription. And “Add role assignment”.
5. Select the “Reader” role for this app.
6. On the next screen, select “User, group or service principal”. A side bar will appear on the right. Search for your app there, select it and complete that step. You app will get the reader role.
7. Once you complete it, you are ready with all the required credentials to integrate with InsightFinder.

Creating log analytic workspace –

1. Go to Azure home and search for “Log Analytics workspaces” and click on “Create”.
2. You can go to this link directly – https://portal.azure.com/#create/Microsoft.LogAnalyticsOMS
3. Select your subscription, resource group, assign a name and select region.
4. Click on “Review + Create”. On the next page review your settings and click “Create”. You should have your log analytics workspace ready to go.