AzLog is a new free solution from Microsoft that pulls logs from Azure itself, and virtual machines in Azure, down to a local Windows system where you can consume them like you would other logs.
This is important because while cloud environments are often safer, we have an increasingly larger blind spot in our security monitoring as more and more IT resources are implemented in the cloud.
In this real training for free event we’ll explore how AzLog can help you shrink that blind spot by getting Azure security activity out of the cloud and into your SIEM.
AzLog currently gets a variety of logs from Azure, including:
- Azure Active Directory – this source is also available in the Office 365 Unified Audit Log which I’ve done webinars on before. The activity covered here is basically changes to users and groups, authentication, and other operations specific to Azure AD like registering applications that rely on AAD for authentication and identity.
- Activity Logs – this log is basically a record of what you do in Resource Manager (e.g. create VM) but also non-admin generated events like service health events, Azure alerts (e.g. Vm23 has been over 80% cpu for 5 minutes).
- Azure Security Center – this a higher value, lower frequency log of security relevant events that ASC notices (e.g. Failed RDP brute force attack, suspicious process execution)
- Diagnostics Logs – High volume events from the operation of various Azure resources. To me this is analogous to the Application/System logs on Windows systems.
- Virtual Machine Event Logs – Works a bit like Windows Event Forwarding / Windows Event Collection – a way to get Windows event logs out of VMs up in Azure
To pull these logs, you should install AzLog on a Windows system near your log management solution – so probably an on-prem VM for most folks. AzLog brings those logs in Azure down to its local storage which you can then consume like you do other on-prem logs.
In this webinar I’ll show you how to setup AzLog and we’ll explore the various local logs it creates. We’ll discuss the log formats it uses, how to interpret the data, which logs are most important to consume and much more.
We’ll also demonstrate integrating AzLog with LogRhythm our sponsor for this real training for free. LogRhythm normalizes Azure logs and makes it easy to correlate Azure activity with what’s happening on-prem as well – which produces a unified and central view of all your logs for security. With a growing cloud presence comes an increased attack surface; minimizing Time to Detect and Time to Respond are essential in securing critical infrastructure.
LogRhythm will highlight how to:
- Produce an audit trail, backed by archived logs, as Microsoft doesn’t have a long default for log storage and Azure storage can be expensive
- Leverage Azure fields for user and case investigations
- Overcome the challenge of dynamic endpoints (in cloud environments) to maintain a collection of VM hostnames for downstream analysis