Microsoft Azure Windows

About The Device

Microsoft Azure Windows covers a family of Windows operating systems, from high-end server editions for professional computing to editions for personal use. The operating system records events in three major categories: the System, Security and Application event logs.

The Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources, including Windows and Linux virtual machines.

For more information, please refer to: Azure Diagnostics extension overview - Azure Monitor

Device Information

Entity            Particulars
Vendor Name       Microsoft
Product Name      Azure Windows
Type of Device    Hosted

Collection Method

Log Type               Ingestion label   Preferred Logging Protocol - Format   Log Collection Method
Windows Event (XML)    WINEVTLOG_XML     Cloud Log Stream - XML                C2C - Pull

Device Configuration

Adaptive MxDR supports log collection using either Azure Event Hub or Azure Storage.

Prerequisites

  • An Azure subscription that you can sign in to with Global Administrator credentials.

  • An Azure Event Hub to stream the logs, or an Azure Storage account to store them.

  • The Azure Diagnostics extension installed on the virtual machines.

Reference URLs

How to configure Event Hub: Onboarding a Device Using Azure Event Hub in Google SecOps SIEM | Configure Azure Event Hub

How to create a storage account: Onboarding a Device Using Azure Storage in Google SecOps SIEM | Configure Azure Storage Account

For the Windows OS versions supported by the Diagnostics agent, please refer to: Azure Diagnostics extension overview - Azure Monitor

To Configure Azure Log Streaming to Event Hub

  1. Log in to the Azure Portal: https://portal.azure.com/

  2. Open Cloud Shell.

  3. In Cloud Shell, select Azure CLI as the scripting language. If this is the first time performing this action, the system will prompt you to create a storage space. Proceed to create the storage space for the user.

  4. Open the attached PrivateEventWin.json and PublicEventWin.json files in Notepad, provide the appropriate details and save the files. For additional help, please refer to Send data from Windows Azure diagnostics extension to Azure Event Hubs - Azure Monitor.

  5. Upload the saved files to Cloud Shell.

  6. Run the following command, filling in the resource group and VM name:

     az vm extension set \
       --resource-group _______________ \
       --vm-name _______________ \
       --name IaaSDiagnostics \
       --publisher Microsoft.Azure.Diagnostics \
       --version 1.9.0.0 \
       --protected-settings PrivateEventWin.json \
       --settings PublicEventWin.json

  7. After the command completes successfully, the Diagnostics extension is downloaded to the VM and automatically starts sending logs to the Event Hub.

  8. Use the link below to get the credentials for Azure Event Hub:

     Onboarding a Device Using Azure Event Hub in Google SecOps SIEM | Get Credentials from Azure Event Hub
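The following pre-flight wrapper around the extension deployment step is an added example; it is not part of the original document or of Microsoft's tooling. It assumes the file names PublicEventWin.json and PrivateEventWin.json from the steps above, and the resource group and VM names it takes are placeholders. The point it makes: values passed to az vm extension set via --settings are stored unencrypted in the VM's extension model and can be read back with az vm extension show, while values passed via --protected-settings are encrypted, so the Event Hub shared access key and the storage account key belong only in PrivateEventWin.json. The wrapper refuses to deploy if it finds a secret-bearing key in the public settings file.

```shell
#!/bin/sh
# Added example (not from the original document): pre-flight checks before
# running the "az vm extension set" step for IaaSDiagnostics.
# File names, resource group and VM name are assumed placeholders.

# JSON keys that belong only in the protected settings (PrivateEventWin.json).
# "SharedAccessKeyName" is legitimately public, so the pattern requires the
# closing quote directly after SharedAccessKey.
SECRET_KEY_PATTERN='"(SharedAccessKey|storageAccountKey)"[[:space:]]*:'

# Return 0 if FILE contains a secret-bearing key, 1 otherwise.
public_settings_leak() {
    grep -Eq "$SECRET_KEY_PATTERN" "$1"
}

# Return 0 when both settings files exist, are non-empty, and the public
# one holds no secret; print the reason and return 1 otherwise.
preflight() {
    pf_public="$1"; pf_private="$2"
    for f in "$pf_public" "$pf_private"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty settings file: $f" >&2
            return 1
        fi
    done
    if public_settings_leak "$pf_public"; then
        echo "refusing to deploy: $pf_public contains a secret; move it to $pf_private" >&2
        return 1
    fi
    return 0
}

# Deploy the extension exactly as in the document's step, after the checks.
# Requires an authenticated Azure CLI session; not exercised offline.
deploy_diagnostics() {
    rg="$1"; vm="$2"; public="$3"; private="$4"
    preflight "$public" "$private" || return 1
    az vm extension set \
        --resource-group "$rg" \
        --vm-name "$vm" \
        --name IaaSDiagnostics \
        --publisher Microsoft.Azure.Diagnostics \
        --version 1.9.0.0 \
        --protected-settings "$private" \
        --settings "$public"
}

# Usage (placeholder names):
#   deploy_diagnostics MY-RG MY-VM PublicEventWin.json PrivateEventWin.json
```

The check is deliberately a plain text match rather than a JSON parse so it runs in any Cloud Shell without extra tools; it errs on the side of refusing, which is the right failure mode for a step that would otherwise publish a key into a readable resource property.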

To Configure Azure Blob Storage to store Logs

  1. Log in to the Azure Portal: https://portal.azure.com/

  2. Open Cloud Shell.

  3. In Cloud Shell, select PowerShell as the scripting language. If this is the first time performing this action, the system will prompt you to create a storage space. Proceed to create the storage space for the user.

  4. Open the attached dsconfig2023v1.json file in Notepad, add the storage account name on line 22 and save the file.

  5. Upload the saved file to Cloud Shell storage using the Upload/Download files option.

  6. Run the command below to send logs to the blob storage:

     Command:
     Set-AzVMDiagnosticsExtension -ResourceGroupName <Resource Group Name> -VMName <Virtual Machine Name> -DiagnosticsConfigurationPath <Configuration File Path> -StorageAccountName <Storage Account Name> -StorageAccountKey <KEY>

     Example:
     Set-AzVMDiagnosticsExtension -ResourceGroupName ACN-HTN-TMP01-RG01 -VMName ACNHRDVMEGTEST04 -DiagnosticsConfigurationPath /home/ij/dsconfig2023v1.json -StorageAccountName acnhtntmp01sa01 -StorageAccountKey ddhjd49jd45dxhs56hhsndhdajajkskdj86dfshjj5ujsh4qjkslpsusfa5623

  7. This command automatically installs the Azure Diagnostics agent on the Windows machine and pushes logs to the blob storage.

  8. To get credentials for Azure Storage: Onboarding a Device Using Azure Storage in Google SecOps SIEM | Get Credentials from Azure Storage

Integration Parameters

Configuration Parameters for Source type: Microsoft Azure Event Hub.

Event Hub Name
  Default Value: none
  Description: Name of the Event Hub where logs are being forwarded.

Event Hub Consumer Group
  Default Value: $Default
  Description: Used if the consumer group is other than the default.

Event Hub Connection String
  Default Value: none
  Description: The Event Hub connection string.

  NOTE: Ensure that you remove EntityPath from the end of the connection string.

  For example, change Endpoint=<ENDPOINT>;SharedAccessKeyName=<KEY_NAME>;SharedAccessKey=<KEY>;EntityPath=<EVENT_HUB_NAME> to Endpoint=<ENDPOINT>;SharedAccessKeyName=<KEY_NAME>;SharedAccessKey=<KEY>.
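The small script below normalises and checks an Event Hub connection string before it is pasted into the Event Hub Connection String parameter. It is an added example, not part of the original document or of any Azure tooling. It removes the EntityPath segment as the note requires, wherever it sits in the string, and also confirms that the Endpoint, SharedAccessKeyName and SharedAccessKey segments the collector needs are all present; the sample string at the bottom is constructed from placeholders.

```shell
#!/bin/sh
# Added example (not from the original document): clean up and validate an
# Event Hub namespace connection string before using it as the
# "Event Hub Connection String" integration parameter.

# Print the connection string with any EntityPath=... segment removed,
# whether it sits at the end, in the middle, or at the start of the
# semicolon-separated list.
strip_entity_path() {
    printf '%s\n' "$1" | sed -e 's/;EntityPath=[^;]*//g' -e 's/^EntityPath=[^;]*;//'
}

# Return 0 if the string carries Endpoint=sb://..., SharedAccessKeyName and
# SharedAccessKey and no EntityPath; otherwise report each problem on stderr
# and return 1.
check_connection_string() {
    cs="$1"; problems=0
    case "$cs" in
        *Endpoint=sb://*) ;;
        *) echo "missing Endpoint=sb://<namespace>.servicebus.windows.net/" >&2; problems=1 ;;
    esac
    case "$cs" in
        *SharedAccessKeyName=*) ;;
        *) echo "missing SharedAccessKeyName" >&2; problems=1 ;;
    esac
    # "SharedAccessKeyName=" does not contain "SharedAccessKey=", so this
    # match is specific to the key itself.
    case "$cs" in
        *SharedAccessKey=*) ;;
        *) echo "missing SharedAccessKey" >&2; problems=1 ;;
    esac
    case "$cs" in
        *EntityPath=*) echo "EntityPath must be removed" >&2; problems=1 ;;
    esac
    return $problems
}

# Constructed sample with placeholder values (not a real namespace or key).
SAMPLE='Endpoint=sb://<NAMESPACE>.servicebus.windows.net/;SharedAccessKeyName=<KEY_NAME>;SharedAccessKey=<KEY>;EntityPath=<EVENT_HUB_NAME>'

# Usage: run with --demo to print the cleaned sample once it passes the check.
if [ "${1:-}" = "--demo" ]; then
    cleaned=$(strip_entity_path "$SAMPLE")
    check_connection_string "$cleaned" && printf '%s\n' "$cleaned"
fi
```

Feed a real string through strip_entity_path and then check_connection_string; a non-zero exit from the check means the value should not be entered into the integration yet.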

Configuration Parameters for Source type: Microsoft Azure Blob Storage.

AZURE URI
  Default Value: none
  Description: The URI pointing to an Azure Blob Storage blob or container.

URI IS A
  Default Value: Directory which includes subdirectories
  Description: The type of object indicated by the URI. Other values are:
    • Single File: the URI points to a single blob that is ingested on each execution of the feed.
    • Directory: the URI points to a Blob Storage container.

SOURCE DELETION OPTION
  Default Value: Never delete files
  Description: Source file deletion is not supported in Azure. This field's value must be set to SOURCE_DELETION_NEVER.

Shared Key OR SAS Token
  Default Value: none
  Description: A shared key (a 512-bit random string in base64 encoding) authorized to access Azure Blob Storage, required if no SAS token is specified; or a Shared Access Signature authorized to access the Azure Blob Storage container.

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.