SIEM Integration with Azure

Lot of customers ask how to integrate their existing SIEM engines with Azure. The information is not readily available and hence many customer find difficulties in integrating their SIEM engines with Azure. In this post, I’m sharing some resources and points that’ll simplify this integration.

For Azure, I’d categorize Azure resources (you can call them as SIEM sources) into three high level areas:

  1. Virtual Machines (Both Windows and Linux)
  2. Azure Portal & Infrastructure
  3. Azure Services such as SQL Database, Storage, Azure AD etc.

For each of these, Azure provides APIs and mechanisms to export the their logs into your SIEM Engines. I had recently published a blog post along with Azure Security Team that provides details into these APIs and mechanisms. You can find the post here: Security logging and analysis options in Azure.

I’d like to emphasize, especially for Virtual Machines, you need not do anything different from what you’ve been doing in on-premises. Whether you are using HP ArcSight or IBM qRadar or Splunk or any other SIEM engine, the mechanism they used on-premised should also work in Azure. Mostly, these tools use Windows Event Forwarding (WEF) or WMI to collect events from Windows machines, and syslog for Linux machines. These interfaces are supported in Azure also and should work just as they work in on-premises. You would need to consider the data transfer between you on-premises SIEM server and agents in Azure.

Hope you find this useful.