Microsoft Azure Platform
The JSA DSM for Microsoft Azure Platform parses events from the Microsoft Azure Activity log.
The Microsoft Azure Platform DSM collects events that occur at the platform level, such as resource creation, modification, or deletion. For a list of supported event types, see Microsoft Azure Platform DSM Specifications.
To integrate Microsoft Azure Platform with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from https://support.juniper.net/support/downloads/ onto your JSA console:
   - Protocol Common RPM
   - Protocol Event Hubs RPM
   - DSM Common RPM
   - Microsoft Azure Platform DSM RPM
2. Optional: Create a storage account.
   Note: You must have a storage account to connect to an event hub.
3. Optional: Create an event hub.
4. Configure the Microsoft Azure Activity Logs to send events to a Microsoft Azure Event Hub.
5. Configure JSA to collect events from Microsoft Azure Event Hubs by using the Microsoft Azure Event Hubs protocol. For more information about the protocol, see Microsoft Azure Log Source Parameters for Microsoft Azure Event Hubs.

Note: The Microsoft Azure Log Integration service is no longer used to send events to JSA. The Microsoft Azure Log Integration service is deprecated and no longer supported by Microsoft.
Microsoft Azure Platform DSM Specifications
When you configure the Microsoft Azure Platform DSM, understanding the specifications for the Microsoft Azure Platform DSM can help ensure a successful integration. For example, knowing which event format is supported before you begin can reduce frustration during the configuration process:
| Specification | Value |
|---|---|
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Platform |
| RPM file name | DSM-MicrosoftAzurePlatform-JSA_version-build_number.noarch.rpm |
| Supported versions | N/A |
| Protocol | Microsoft Azure Event Hubs |
| Event format | JSON |
| Recorded event types | Platform level activity logs |
| Automatically discovered? | Yes. Note: This DSM automatically discovers only Activity Log events that are forwarded directly from the Activity Log to the Event Hub. |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Microsoft Azure website (https://azure.microsoft.com) |
Configuring Microsoft Azure Event Hubs to Communicate with JSA
The Microsoft Azure Event Hubs protocol collects Azure Activity logs, Diagnostic logs, and Syslog events from the Microsoft Azure Event Hubs cloud storage.
To collect events from Microsoft Azure Event Hubs, you need to create a Microsoft Azure Storage Account and an Event Hub entity under the Azure Event Hub Namespace. For every Namespace, port 5671 and port 5672 must be open. For every Storage Account, port 443 must be open. The Namespace host name is usually [Namespace Name].servicebus.windows.net and the Storage Account host name is usually [Storage_Account_Name].blob.core.windows.net. The Event Hub must have at least one Shared Access Signature that is created with Listen Policy and at least one Consumer Group.
The Microsoft Azure Event Hubs protocol can't connect by using a proxy server.
Event Hub names must start with a letter or number and contain only letters, numbers, and the dash (-) character. Every dash (-) character must be immediately preceded and followed by a letter or number. Do not use consecutive dashes. All letters must be lowercase. The name must be from 3 - 63 characters.
Obtain a Microsoft Azure Storage Account Connection String.
The Storage Account Connection String contains the Storage Account Name and the Storage Account Key that are used to authenticate to, and access the data in, the Azure Storage account.
1. Log in to the Microsoft Azure portal (https://portal.azure.com).
2. From the dashboard, in the All resources section, select a Storage account.
3. From the Storage account menu, select Access keys.
4. Record the value for the Storage account name. Use this value for the Storage Account Name parameter value when you configure a log source in JSA.
5. From the Key 1 or Key 2 section, record the following values:
   - KEY - Use this value for the Storage Account Key parameter value when you configure a log source in JSA.
   - CONNECTION STRING - Use this value for the Storage Account Connection String parameter value when you configure a log source in JSA. The connection string has the following form:
     DefaultEndpointsProtocol=https;AccountName=[Storage Account Name];AccountKey=[Storage Account Key];EndpointSuffix=core.windows.net
     Most storage accounts use core.windows.net for the endpoint suffix, but this value can change depending on the account's location. For example, a government-related storage account might have a different endpoint suffix value.

Note: You can use the Storage Account Name and Storage Account Key values, or you can use the Storage Account Connection String value to connect to the Storage Account.
Obtain a Microsoft Azure Event Hub Connection String.
The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace, and the Shared Access Signature (SAS) authentication information.
1. Log in to the Microsoft Azure portal (https://portal.azure.com).
2. From the dashboard, in the All resources section, select an Event Hubs Namespace. Record this value to use as the Namespace Name parameter value when you configure a log source in JSA.
3. In the Entities section, select Event Hubs. Record this value to use for the Event Hub Name parameter value when you configure a log source in JSA.
4. In the Event Hub section, select an Event Hub from the list.
5. In the Settings section, select Shared access policies.
6. Select a POLICY whose CLAIMS include Listen. Record this value to use for the SAS Key Name parameter value when you configure a log source in JSA.
7. Record the values for the following parameters:
   - Primary key or Secondary key - Use this value for the SAS Key parameter value when you configure a log source in JSA.
   - Connection string-primary key or Connection string-secondary key - Use this value for the Event Hub Connection String parameter value when you configure a log source in JSA. The connection string has the following form:
     Endpoint=sb://[Namespace Name].servicebus.windows.net/;SharedAccessKeyName=[SAS Key Name];SharedAccessKey=[SAS Key];EntityPath=[Event Hub Name]
   Note: You can use the Namespace Name, Event Hub Name, SAS Key Name and SAS Key values, or you can use the Event Hub Connection String value to connect to the Event Hub.
8. In the Entities section, select Consumer groups. Record the value to use for the Consumer Group parameter value when you configure a log source in JSA.
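The following is an added example, not code from the JSA documentation or from Juniper: it splits the two connection strings shown above into the individual JSA log source parameter values, and checks an Event Hub name against the naming rules given earlier (3 - 63 characters, lowercase letters, digits and single dashes). All sample values are constructed placeholders.

```python
# Added example, not part of the JSA documentation: split the two Azure connection
# strings described above into the individual JSA log source parameter values, and
# check an Event Hub name against the naming rules given for Event Hubs.
# All sample values are constructed placeholders.
import re

# Naming rules from the text: 3-63 characters, lowercase letters, digits and dashes,
# starting and ending with a letter or digit, with no consecutive dashes.
_EVENT_HUB_NAME = re.compile(r"^[a-z0-9](?:-?[a-z0-9])*$")


def valid_event_hub_name(name: str) -> bool:
    return 3 <= len(name) <= 63 and bool(_EVENT_HUB_NAME.match(name))


def _split(conn: str) -> dict:
    """Turn 'Key=value;Key=value' into a dict. Only the first '=' separates
    key and value, so the '=' padding of base64-encoded keys is preserved."""
    parts = {}
    for item in conn.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            parts[key.strip()] = value.strip()
    return parts


def event_hub_params(conn: str) -> dict:
    """Map an Event Hub connection string to the JSA parameters Namespace Name,
    Event Hub Name, SAS Key Name and SAS Key."""
    p = _split(conn)
    host = p["Endpoint"]
    if host.startswith("sb://"):
        host = host[len("sb://"):]
    # Host is [Namespace Name].servicebus.windows.net, optionally with a trailing '/'.
    namespace = host.rstrip("/").split(".")[0]
    return {"Namespace Name": namespace, "Event Hub Name": p["EntityPath"],
            "SAS Key Name": p["SharedAccessKeyName"], "SAS Key": p["SharedAccessKey"]}


def storage_params(conn: str) -> dict:
    """Map a Storage Account connection string to Storage Account Name,
    Storage Account Key and the endpoint suffix (core.windows.net by default)."""
    p = _split(conn)
    return {"Storage Account Name": p["AccountName"],
            "Storage Account Key": p["AccountKey"],
            "Endpoint Suffix": p.get("EndpointSuffix", "core.windows.net")}


if __name__ == "__main__":  # constructed placeholder strings, not real credentials
    print(event_hub_params("Endpoint=sb://jsa-namespace.servicebus.windows.net/;"
                           "SharedAccessKeyName=jsa-listen;SharedAccessKey=c29tZWtleQ==;"
                           "EntityPath=activity-logs"))
    print(valid_event_hub_name("activity-logs"), valid_event_hub_name("my--hub"))
```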
Microsoft Azure Log Source Parameters for Microsoft Azure Event Hubs
If JSA does not automatically detect the log source, add a Microsoft Azure Event Hubs log source on the JSA Console by using the Microsoft Azure protocol.
When using the Microsoft Azure protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Microsoft Azure events from Microsoft Azure Event Hubs:
| Parameter | Value |
|---|---|
| Log Source type | Microsoft Azure |
| Protocol Configuration | Microsoft Azure Event Hubs |
| Log Source Identifier | An identifiable name or IP address for the log source. When the Use as Gateway Log Source field is selected, the Log Source Identifier value is not used. |
Microsoft Azure Platform Sample Event Messages
Use these sample event messages as a way of verifying a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Microsoft Azure sample event messages when you use the Microsoft Azure Event Hubs protocol
Sample 1: The following sample event message shows a restart of a virtual machine.
LEEF:1.0|Microsoft|Azure Resource Manager|1.0|MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION|devTime=Jun 07 2016 17:04:26 devTimeFormat=MMM dd yyyy HH:mm:ss cat=MICROSOFT.CLASSICCOMPUTE src=10.0.0.2 usrName=name@example.com sev=4 resource=testvm resourceGroup=Test Resource Group description=Restart a Virtual Machine
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | The LEEF header Event ID field. For example, MICROSOFT.CLASSICCOMPUTE/VIRTUALMACHINES/RESTART/ACTION. |
| Event category | cat |
| Severity | sev |
| Source IP | src |
| Username | usrName |
| Device Time | devTime |
Sample 2: The following sample event message shows the return of the access keys for the specified storage account.
{ "time": "2017-09-14T11:47:36.3237658Z", "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Action", "resultType": "Success", "resultSignature": "Succeeded.OK", "durationMs": 125, "callerIpAddress": "<IP_address>", "correlationId": "", "identity": {"authorization":{"scope":"/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/","action":"Microsoft.Storage/storageAccounts/listKeys/action","evidence":{"role":"Insights Management Service Role","roleAssignmentScope":"/subscriptions/","roleAssignmentId":"","roleDefinitionId":"","principalId":"","principalType":"ServicePrincipal"}},"claims":{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx/","iat":"1505389356","nbf":"1505389356","exp":"1505393256","aio":"Y2VgYBBQEA5y0vTd4PVnSpSp9qVwAA==","appid":"","appidacr":"2","e_exp":"262800","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net//","http://schemas.microsoft.com/identity/claims/objectidentifier":"","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":"","http://schemas.microsoft.com/identity/claims/tenantid":"","uti":"xxxxxx__xxxxxxxxxxxxxx","ver":"1.0"}}, "level": "Information", "location": "global", "properties": {"statusCode":"OK","serviceRequestId":""}}
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | operationName |
| Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.STORAGE. |
| Source IP | callerIpAddress |
| Device Time | time |
Sample 3: The following sample event message shows that a specified secret is retrieved from a given key vault.
{"eventHubsAzureRecord":{"time": "2016-03-02T04:31:28.6127743Z","resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST","operationName": "SecretGet","operationVersion": "2015-06-01","category": "AuditEvent","resultType": "Success","resultSignature": "OK","resultDescription": "","durationMs": "187","callerIpAddress": "","correlationId": "","identity": {"claim": {"http://schemas.microsoft.com/identity/claims/objectidentifier": "","appid": "","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ""}},"properties": {"clientInfo": "","requestUri": "","id": "https://.vault.azure.net/secrets/testsecret/","httpStatusCode": 200}}}
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | operationName |
| Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.KEYVAULT. |
| Device Time | time |
| Source IP | callerIpAddress |
Sample 4: The following sample event message shows that a user successfully logged in to Microsoft SQL Server.
{"LogicalServerName":"servername","SubscriptionId":"42061870-6656-472f-9297-6a8f48a5e8b0","ResourceGroup":"RESOURCEGROUP","package":"SecAudit","event":"audit_event_shoebox","sessionName":"audit_session_for_shoebox","originalEventTimestamp":"2020-07-19T05:26:01.5293718Z","time":"2020-07-19T05:26:01.5260341Z","resourceId":"/SUBSCRIPTIONS/ACCOUNT/RESOURCEGROUPS/RESOURCEGROUP/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/SERVERNAME","category":"SQLSecurityAuditEvents","operationName":"AuditEvent","properties":{"audit_schema_version":1,"event_time":"2020-07-19T05:26:01.166Z","sequence_number":1,"action_id":"LGIS","action_name":"LOGIN SUCCEEDED","succeeded":"true","is_column_permission":"false","session_id":184,"server_principal_id":286,"database_principal_id":0,"target_server_principal_id":0,"target_database_principal_id":0,"object_id":0,"user_defined_event_id":0,"transaction_id":0,"class_type":"LX","class_type_description":"LOGIN","securable_class_type":"LOGIN","duration_milliseconds":0,"response_rows":0,"affected_rows":0,"client_ip":"10.242.142.140","permission_bitmask":"00000000000000000000000000000000","sequence_group_id":"0AB33370-A776-485A-AD98-FBB08D58A684","session_server_principal_name":"LoginName","server_principal_name":"LoginName","server_principal_sid":"782fa7bb4f95374ba7fb6f346ccdafa6","database_principal_name":"","target_server_principal_name":"","target_server_principal_sid":"","target_database_principal_name":"","server_instance_name":"servername","database_name":"","schema_name":"","object_name":"","statement":"-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n","additional_information":"<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000001</connect_options><packet_data_size>8000</packet_data_size><address>10.153.63.59</address><is_dac>0</is_dac></action_info>","user_defined_information":"","application_name":".Net SqlClient Data Provider","connection_id":"284D6271-94AD-4719-BA5AA2834CA24F82","data_sensitivity_information":"","host_name":"HOSNAME","session_context":"","is_server_level_audit":"true","event_id":"F4FBD375-7F97-40F7-8C40-833D59CCC3D1"}}
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | The Event ID is composed from the category and action_name field values. For example, "category":"SQLSecurityAuditEvents" and "action_name":"LOGIN SUCCEEDED" result in an Event ID value of "sqlsecurityauditevents_login succeeded". |
| Event category | The Event category is located in the resourceId field after the PROVIDERS keyword. For example, MICROSOFT.SQL. |
| Device Time | time |
| Username | server_principal_name |
| Source IP | client_ip |
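The following is an added example, not code from the JSA documentation or from the JSA DSM itself: it applies the field mappings that the tables for samples 2, 3 and 4 describe to Azure Activity Log JSON records, including the eventHubsAzureRecord envelope of sample 3 and the category_action_name Event ID rule of sample 4. The three records are constructed, shortened versions of the documented samples; the subscription, resource group and IP values in them are placeholders.

```python
# Added example, not part of the JSA documentation: derive the JSA field values that
# the sample tables above describe from an Azure Activity Log JSON record.
# The three records below are constructed, shortened versions of samples 2-4.
import json

STORAGE_SAMPLE = json.dumps({
    "time": "2017-09-14T11:47:36.3237658Z",
    "resourceId": "/SUBSCRIPTIONS/x/RESOURCEGROUPS/rg/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/sa",
    "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "category": "Action", "callerIpAddress": "198.51.100.7"})      # constructed IP
KEYVAULT_SAMPLE = json.dumps({"eventHubsAzureRecord": {          # sample 3 is wrapped
    "time": "2016-03-02T04:31:28.6127743Z",
    "resourceId": "/SUBSCRIPTIONS/x/RESOURCEGROUPS/rg/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/AZLOGTEST",
    "operationName": "SecretGet", "category": "AuditEvent", "callerIpAddress": ""}})
SQL_SAMPLE = json.dumps({
    "time": "2020-07-19T05:26:01.5260341Z",
    "resourceId": "/SUBSCRIPTIONS/x/RESOURCEGROUPS/rg/PROVIDERS/MICROSOFT.SQL/MANAGEDINSTANCES/srv",
    "category": "SQLSecurityAuditEvents", "operationName": "AuditEvent",
    "properties": {"action_name": "LOGIN SUCCEEDED", "client_ip": "10.242.142.140",
                   "server_principal_name": "LoginName"}})


def jsa_fields(payload: str) -> dict:
    """Return the JSA field values (Event ID, Event category, Device Time,
    Source IP, Username) that the sample tables map from the payload."""
    rec = json.loads(payload)
    rec = rec.get("eventHubsAzureRecord", rec)   # unwrap the Key Vault envelope
    props = rec.get("properties", {})

    # Event category: the resourceId segment that follows the PROVIDERS keyword.
    segments = rec.get("resourceId", "").upper().split("/")
    category = None
    if "PROVIDERS" in segments and segments.index("PROVIDERS") + 1 < len(segments):
        category = segments[segments.index("PROVIDERS") + 1]

    # Event ID: operationName, except for SQL audit events, where it is the
    # lowercase category and action_name joined by an underscore (sample 4).
    if rec.get("category") == "SQLSecurityAuditEvents" and "action_name" in props:
        event_id = f"{rec['category']}_{props['action_name']}".lower()
    else:
        event_id = rec.get("operationName")

    return {"Event ID": event_id, "Event category": category,
            "Device Time": rec.get("time"),
            # Activity logs carry callerIpAddress; SQL audit events carry client_ip.
            "Source IP": rec.get("callerIpAddress") or props.get("client_ip"),
            "Username": props.get("server_principal_name")}


if __name__ == "__main__":
    for sample in (STORAGE_SAMPLE, KEYVAULT_SAMPLE, SQL_SAMPLE):
        print(jsa_fields(sample))
```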