Azure Datadog Log Forwarder Deleted

Set up the azure integration.

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.

Strategy

Monitor Azure logs where @evt.name is "MICROSOFT.WEB/SITES/DELETE", @evt.outcome is Success, and the @resourceID contains DATADOG and LOG. This rule does not work if the the Azure resource group or Azure function does not contain DATADOG or LOG.

Triage and response

  1. Verify the Azure function (@resourceId) is responsible for forwarding logs to Datadog.
  2. Determine if there is a legitimate reason for deleting the Azure function.
  3. If activity is not expected, investigate activity from the service principal (@identity.authorization.evidence) or user ({{@usr.id}}).