Microsoft Azure

OverviewResources

Once Azure Monitor is configured to deliver events to EventTracker Manager; alerts, dashboards, and reports can be configured into EventTracker.

Compliance

Alerts

Azure CIS: New policy assignment created – This alert is triggered by EventTracker when it receives an event which contains information on new policy assignment being created.
Azure CIS: Network security group created/updated – This alert is triggered by EventTracker when it receives an event which contains information on a network security group being created or updated.
Azure CIS: Network security group deleted - This alert is triggered by EventTracker when it receives an event which contains information on deletion of a network security group.
Azure CIS: A Network security group rule has been created/updated - This alert is triggered by EventTracker when it receives an event which contains information related to creation or update of a network security group rule.
Azure CIS: A network Security group rule has been deleted - This alert is triggered by EventTracker when it receives an event which contains information related to deletion of a network security group rule.
Azure CIS: A Security solution has been created or updated - This alert is triggered by EventTracker when it receives an event which contains information on changes on the active security solutions such as, create or update.
Azure CIS: A Security solution has been deleted - This alert is triggered by EventTracker when it receives an event which contains information on changes on the active security solutions such as, delete.
Azure CIS: An SQL Server Firewall rule has been created/updated - This alert is triggered by EventTracker when it receives an event which contains information on creation or update of a SQL server firewall rule.
Azure CIS: An SQL Server Firewall rule has been deleted - This alert is triggered by EventTracker when it receives an event which contains information on deletion of a SQL server firewall rule.
Azure CIS: Security Policy has been updated - This alert is triggered by EventTracker when it receives an event which contains information on update of an Azure security policy.

Reports

Azure Monitor - Audit Event authorization operations: This report generates a summary of events related to audit activities, such as, SecretGet, Authentication, etc. This includes, values such as operations status, Source Ip address, requested URI, etc.

Operations

Alerts

Azure Monitor: Azure resources alerts – This alert is triggered when a custom defined alert is generated by Azure. For e.g. CPU exceeding the assigned threshold value.

Reports

Azure Monitor - Virtual machine operations: This report provides a summary of events generated by virtual machines and virtual machine scale sets. Such as, restart VM. This report does not include any administrative actions.
Azure Monitor - Virtual machine administrative operations: This report generates the summary of all the administrative actions performed in virtual machine, or virtual machine scale sets such as, restore point create, delete, etc.
Azure Monitor - Alerts generated by Azure resources – This report generates, detailed information on custom alerts that are configured in the Azure services and is triggered. It includes, the alert description, alert name, and alert severity.

Security

Alerts

Azure Monitor: Azure service authentication failed – This alert is triggered when the EventTracker receives a failed authentication for an Azure service.
Azure Monitor: Threat has been blocked – This alert is triggered when the Azure Security blocks a malicious activity in Azure services.
Azure Monitor: Threat has been detected - This alert is triggered when the Azure Security detects a malicious activity in Azure services.

Reports

Azure Monitor - Security Event Operations: This report generates the summary of security related events such as, antimalware actions taken by Azure security or detections of double extension file execution, etc.

Scope

The configuration details in this guide are consistent with EventTracker version 9.x and later, Microsoft Azure Platform.

Documentation

To configure Microsoft Azure to send logs to EventTracker, refer to the How-to Guide.

For more information, please refer to the Integration guide.