Microsoft Azure Monitor
Version: Azure Monitor
Azure Monitor is one of the Microsoft Azure cloud services. It provides a single source monitoring Azure resources/services. It allows the users to view, query, route, achieve and take actions on metrics, and logs collected from different Azure resources/services.
Netsurion Open XDR integrates with Azure Monitor, collects log from Azure Monitor and creates a detailed reports, alerts, dashboards and saved searches. These attributes of Netsurion Open XDR help users to view the critical and important information on a single platform.
Reports contain detailed overview of the activities that are associated with virtual machines, audit events such as authorization to services, and events that are performed by users with administrative privilege.
Alerts are provided as soon as any critical event are triggered by the Azure Monitor. With alerts, users will be able to get notifications about real time occurrences of events such as, failed authentication while accessing azure services, security events such as detection of trojan.
Visual/graphical representations, i.e. dashboard, consists of events such as administrative operation by source IP, security events by event name such as antimalware action taken, number/percentage of events available in each category, azure resources attacked by an adversary, etc.
After the Azure Monitor is configured to deliver events to the Netsurion Open XDR, the dashboards and reports can be configured into Netsurion Open XDR.
The following are the key Data Source Integration available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | Azure Monitor – Azure service authentication failed | This alert is triggered when the EventTracker receives a failed authentication for an Azure service. |
| Security | Azure Monitor – Threat has been blocked | This alert is triggered when the Azure Security blocks a malicious activity in Azure services. |
| Security | Azure Monitor – Threat has been detected | This alert is triggered when the Azure Security detects a malicious activity in Azure services. |
| Operations | Azure Monitor – Azure resources alerts | This alert is triggered when a custom defined alert is generated by Azure. For e.g. CPU exceeding the assigned threshold value. |
| Compliance | Azure CIS – New policy assignment created | This alert is triggered by EventTracker when it receives an event which contains information on new policy assignment being created. |
| Compliance | Azure CIS – Network security group created/updated | This alert is triggered by EventTracker when it receives an event which contains information on a network security group being created or updated. |
| Compliance | Azure CIS – Network security group deleted | This alert is triggered by EventTracker when it receives an event which contains information on deletion of a network security group. |
| Compliance | Azure CIS – A Network security group rule has been created/updated | This alert is triggered by EventTracker when it receives an event which contains information related to creation or update of a network security group rule. |
| Compliance | Azure CIS – A network Security group rule has been deleted | This alert is triggered by EventTracker when it receives an event which contains information related to deletion of a network security group rule. |
| Compliance | Azure CIS – A Security solution has been created or updated | This alert is triggered by EventTracker when it receives an event which contains information on changes on the active security solutions such as, create or update. |
| Compliance | Azure CIS – A Security solution has been deleted | This alert is triggered by EventTracker when it receives an event which contains information on changes on the active security solutions such as, delete. |
| Compliance | Azure CIS – An SQL Server Firewall rule has been created/updated | This alert is triggered by EventTracker when it receives an event which contains information on creation or update of a SQL server firewall rule. |
| Compliance | Azure CIS – An SQL Server Firewall rule has been deleted | This alert is triggered by EventTracker when it receives an event which contains information on deletion of a SQL server firewall rule. |
| Compliance | Azure CIS – Security Policy has been updated | This alert is triggered by EventTracker when it receives an event which contains information on update of an Azure security policy. |
Reports
| Type | Name | Description |
|---|---|---|
| Security | Azure Monitor – Security Event Operations | This report generates the summary of security related events such as, antimalware actions taken by Azure security or detections of double extension file execution, etc. |
| Operations | Azure Monitor – Virtual machine operations | This report provides a summary of events generated by virtual machines and virtual machine scale sets. Such as, restart VM. This report does not include any administrative actions. |
| Operations | Azure Monitor – Virtual machine administrative operations | This report generates the summary of all the administrative actions performed in virtual machine, or virtual machine scale sets such as, restore point create, delete, etc. |
| Operations | Azure Monitor – Alerts generated by Azure resources | This report generates, detailed information on custom alerts that are configured in the Azure services and is triggered. It includes, the alert description, alert name, and alert severity. |
| Compliance | Azure Monitor – Audit Event authorization operations | This report generates a summary of events related to audit activities, such as, SecretGet, Authentication, etc. This includes, values such as operations status, Source Ip address, requested URI, etc. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.x or later, and Microsoft Azure Platform.
Download Integration Guide and How-to Guide for configuration instructions and more information.