Microsoft Azure Monitor

Version: Azure Monitor

Azure Monitor is one of the Microsoft Azure cloud services. It provides a single source for monitoring Azure resources and services, and lets users view, query, route, archive and act on the metrics and logs collected from those resources and services.

Netsurion Open XDR integrates with Azure Monitor: it collects logs from Azure Monitor and produces detailed reports, alerts, dashboards and saved searches. Together these let users view the critical and important information on a single platform.

Reports contain a detailed overview of the activities associated with virtual machines, audit events such as authorization to services, and events performed by users with administrative privileges.

Alerts are raised as soon as a critical event is triggered by Azure Monitor. With alerts, users are notified in real time of occurrences such as failed authentication while accessing Azure services, or security events such as the detection of a trojan.

Visual/graphical representations, i.e. dashboards, consist of views such as administrative operations by source IP, security events by event name (for example, antimalware action taken), the number/percentage of events in each category, Azure resources attacked by an adversary, etc.

After Azure Monitor is configured to deliver events to Netsurion Open XDR, the dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | Azure Monitor – Azure service authentication failed | Triggered when EventTracker receives a failed authentication for an Azure service.
Security | Azure Monitor – Threat has been blocked | Triggered when Azure Security blocks a malicious activity in Azure services.
Security | Azure Monitor – Threat has been detected | Triggered when Azure Security detects a malicious activity in Azure services.
Operations | Azure Monitor – Azure resources alerts | Triggered when a custom-defined alert is generated by Azure, e.g. CPU exceeding the assigned threshold value.
Compliance | Azure CIS – New policy assignment created | Triggered by EventTracker when it receives an event indicating that a new policy assignment was created.
Compliance | Azure CIS – Network security group created/updated | Triggered by EventTracker when it receives an event indicating that a network security group was created or updated.
Compliance | Azure CIS – Network security group deleted | Triggered by EventTracker when it receives an event indicating that a network security group was deleted.
Compliance | Azure CIS – A Network security group rule has been created/updated | Triggered by EventTracker when it receives an event indicating that a network security group rule was created or updated.
Compliance | Azure CIS – A network Security group rule has been deleted | Triggered by EventTracker when it receives an event indicating that a network security group rule was deleted.
Compliance | Azure CIS – A Security solution has been created or updated | Triggered by EventTracker when it receives an event indicating that an active security solution was created or updated.
Compliance | Azure CIS – A Security solution has been deleted | Triggered by EventTracker when it receives an event indicating that an active security solution was deleted.
Compliance | Azure CIS – An SQL Server Firewall rule has been created/updated | Triggered by EventTracker when it receives an event indicating that a SQL Server firewall rule was created or updated.
Compliance | Azure CIS – An SQL Server Firewall rule has been deleted | Triggered by EventTracker when it receives an event indicating that a SQL Server firewall rule was deleted.
Compliance | Azure CIS – Security Policy has been updated | Triggered by EventTracker when it receives an event indicating that an Azure security policy was updated.
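As an added illustration (not part of Netsurion's documentation or product code), the following Python sketch maps Azure Activity Log operationName values, the resource-provider operations that the CIS Azure Foundations Benchmark activity-log alert checks key on, to the Azure CIS alert names above, and runs that mapping over constructed sample records. The simplified record field names and the mapping itself are this example's assumptions, not Netsurion's rule logic.

```python
import json

# operationName values from the Azure Activity Log (resource-provider operations, as used
# by the CIS Azure Foundations Benchmark activity-log alert checks) mapped to the Azure CIS
# alert names listed above. The mapping is this example's assumption, not Netsurion's logic.
CIS_ALERT_RULES = {
    "microsoft.authorization/policyassignments/write": "Azure CIS – New policy assignment created",
    "microsoft.network/networksecuritygroups/write": "Azure CIS – Network security group created/updated",
    "microsoft.network/networksecuritygroups/delete": "Azure CIS – Network security group deleted",
    "microsoft.network/networksecuritygroups/securityrules/write": "Azure CIS – A Network security group rule has been created/updated",
    "microsoft.network/networksecuritygroups/securityrules/delete": "Azure CIS – A network Security group rule has been deleted",
    "microsoft.security/securitysolutions/write": "Azure CIS – A Security solution has been created or updated",
    "microsoft.security/securitysolutions/delete": "Azure CIS – A Security solution has been deleted",
    "microsoft.sql/servers/firewallrules/write": "Azure CIS – An SQL Server Firewall rule has been created/updated",
    "microsoft.sql/servers/firewallrules/delete": "Azure CIS – An SQL Server Firewall rule has been deleted",
    "microsoft.security/policies/write": "Azure CIS – Security Policy has been updated",
}

def classify(record):
    """Return the Azure CIS alert name for one Activity Log record, or None.
    Only records with status 'Succeeded' fire: the Activity Log also writes a
    'Started' record for the same operation, and matching both double-counts."""
    if record.get("status") != "Succeeded":
        return None
    return CIS_ALERT_RULES.get(str(record.get("operationName", "")).lower())

def triage(lines):
    """Classify newline-delimited JSON records; return (alert, caller, resourceId) per hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        alert = classify(rec)
        if alert is not None:
            hits.append((alert, rec.get("caller", "?"), rec.get("resourceId", "?")))
    return hits

# Constructed sample records (simplified field names and placeholder IDs, not real Azure output).
SAMPLE = """\
{"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "status": "Started", "caller": "admin@example.com", "resourceId": "/subscriptions/PLACEHOLDER/.../nsg-web/securityRules/allow-rdp"}
{"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "status": "Succeeded", "caller": "admin@example.com", "resourceId": "/subscriptions/PLACEHOLDER/.../nsg-web/securityRules/allow-rdp"}
{"operationName": "Microsoft.Compute/virtualMachines/restart/action", "status": "Succeeded", "caller": "ops@example.com", "resourceId": "/subscriptions/PLACEHOLDER/.../vm-01"}
{"operationName": "Microsoft.Sql/servers/firewallRules/delete", "status": "Succeeded", "caller": "ops@example.com", "resourceId": "/subscriptions/PLACEHOLDER/.../sql-prod/firewallRules/office"}
"""

if __name__ == "__main__":
    for alert, caller, res in triage(SAMPLE.splitlines()):
        print(f"{alert} | {caller} | {res}")
```

Note that the VM restart record is not matched: it belongs to the Operations reports below, not to the Azure CIS compliance alerts.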

Reports

Type | Name | Description
Security | Azure Monitor – Security Event Operations | Summarizes security-related events, such as antimalware actions taken by Azure Security or detections of double-extension file execution.
Operations | Azure Monitor – Virtual machine operations | Summarizes events generated by virtual machines and virtual machine scale sets, such as restarting a VM. This report does not include administrative actions.
Operations | Azure Monitor – Virtual machine administrative operations | Summarizes all administrative actions performed on virtual machines or virtual machine scale sets, such as creating or deleting a restore point.
Operations | Azure Monitor – Alerts generated by Azure resources | Provides detailed information on custom alerts configured in Azure services that have been triggered, including the alert name, description and severity.
Compliance | Azure Monitor – Audit Event authorization operations | Summarizes audit-related events such as SecretGet and Authentication, including the operation status, source IP address, requested URI, etc.

Documentation

The configuration details apply to Netsurion Open XDR 9.x or later and the Microsoft Azure platform.

Download the Integration Guide and How-to Guide for configuration instructions and more information.