Azure Configuration Guide for Cloud SIEM

Overview

Cloud SIEM applies detection rules to all processed logs in Datadog to detect threats, like a targeted attack, a threat intel listed IP communicating with your systems, or an insecure resource modification. The threats are surfaced as Security Signals in the Security Signals Explorer for triaging.

This guide walks you through configuring Microsoft Azure to send logs to Datadog so that you can start detecting threats on your Azure Platform logs.

The Azure Native integration (available for customers on Datadog's US3 site) has different log collection setup instructions. If you are using the Azure Native integration, select US3 in the Datadog Site dropdown menu and follow the instructions in Microsoft Azure log collection.

Click the button below and fill in the form in the Azure portal. After completing the form, the Azure resources required to send activity logs into your Datadog account are deployed for you.

Deploy to Azure

  1. Select an existing resource group or create a new one.
  2. Select a region.
  3. Select true for Send Activity Logs.
  4. Enter your Datadog API key.
  5. Enter names for your resources. See Optional Parameters for more information.
  6. Click Create + review.
  7. After the validation passes, click Create.

After the deployment is completed successfully, go to Log Explorer and enter service:azure in the search query to view your Azure logs.

This section walks you through the manual installation steps so that you can send Azure Platform logs to Datadog:

  1. Create a resource group
  2. Create an Event Hubs namespace
  3. Create an Azure event hub
  4. Create an Azure Function App
  5. Add a new function to your Function App
  6. Forward Azure services logs to the event hub

Create a resource group

If you want to use an existing resource group, skip to Create an Event Hubs namespace.

  1. Go to Azure Resource groups page.
  2. Click Create.
  3. Enter a name for the resource group.
  4. Optionally, click Next: Tags if you want to add tags.
  5. Click Review + create.
  6. After the validation passes, click Create.

Create an Event Hubs namespace

  1. Navigate to Azure Event Hubs.
  2. Click Create.
  3. In the Resource group dropdown menu, select the resource group you want to add the Event Hub to.
  4. Enter a name for the namespace.
  5. Select a location for the namespace. Note: The Event Hub must be in the same Location as the resource you want to submit logs from. For activity logs or other account-wide log sources, you can choose any region.
  6. Select a pricing tier.
  7. Leave the throughput units (for the standard tier) or processing units (for the premium tier) at their default values.
  8. Click Review + create.
  9. After validation succeeds, click Create.
  10. After the deployment is completed successfully, click Go to resource.

Create an event hub

  1. In the Event Hubs namespace you just created, click + Event Hub.
  2. Enter a name for the event hub.
  3. Optionally, configure the partition count and retention options.
  4. Click Review + create.
  5. After validation succeeds, click Create.

Create an Azure Function App

Create a new Function App. If you are using an existing function app, skip to Add a new function to your Function App.

  1. Navigate to Function App.
  2. Click Create.
  3. Select a resource group for the function app.
  4. Enter a name for the function app.
  5. Leave the selection to deploy to code.
  6. In the Runtime stack dropdown menu, select Node.js.
  7. Select a region for your function app.
  8. Select an operating system and plan type.
  9. Click Next: Storage.
  10. Select a storage account in the dropdown menu.
  11. Click Review + create.
  12. After validation succeeds, click Create.
  13. After the deployment is completed successfully, click Create a function.

Add a new function to your Function App

  1. Navigate to the function app if you are using an existing one. Click Functions in the left side menu.
  2. Click Create.
  3. Select Azure Event Hub trigger.
  4. Enter a name for the new function.
  5. In Event Hub connection, click New.
  6. In the Event Hub connection dropdown menu, select the event hub you created earlier.
  7. Click OK.
  8. In the Event Hub name, enter the name of the event hub you created earlier.
  9. Click Create.

Add the Datadog Azure function

  1. In the new function, select Code + Test in the left side menu.
  2. Copy and paste the Datadog-Azure function code to your index.js file.
  3. Replace <DATADOG_API_KEY> with your Datadog API key on line 22 of the function code.
  4. If you are not using the Datadog US1 site, replace DD_SITE with your Datadog site parameter on line 23 of the function code.
  5. Click Save.
  6. Click Integrations in the left side menu.
  7. Click Azure Event Hubs.
  8. Set Event parameter name to eventHubMessages.
  9. Event Hub Cardinality must be set to Many.
  10. Set Event Hub Data Type to empty.
  11. Click Save.
  12. Verify your setup is correct by running the function and then checking the Datadog log explorer for the test message. The test log event must be in valid JSON format. For example:
    {
        "is_test": true,
        "name": "Datadog Test"
    }

Forward Azure services logs to Event Hub

Forward Activity logs to Event Hub

  1. Navigate to Azure Activity log.
  2. Click Export Activity Logs.
  3. Click Add diagnostic settings.
  4. Enter a name for the diagnostic setting.
  5. Select the categories of logs you want to send to Datadog.
  6. Select Stream to an event hub.
  7. Select the event hub namespace created previously.
  8. Click Save.

Forward resource logs to Event Hub

  1. Navigate to the resource from which you want to send resource logs.
  2. Under Monitor in the left side menu, click Diagnostic settings.
  3. Click Add diagnostic setting.
  4. Enter a name for the diagnostic setting.
  5. Select allLogs.
  6. Under the Destination details section, select Stream to an event hub.
  7. Select the event hub namespace created previously.
  8. Click Save.

Go to Log Explorer and enter service:azure in the search query to view your Azure logs.
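The manual portal steps above, from the resource group through the activity-log and resource-log diagnostic settings, as one Azure CLI script. This is an added example, not Datadog's own code; every resource name (RG, NS, HUB, STORAGE, APP, the dd-* setting names) is a placeholder, and it assumes the pasted Datadog function reads DD_API_KEY and DD_SITE from its environment so the key can be kept in app settings rather than in index.js.

```shell
# Added example, not Datadog's code: the portal steps above as one Azure CLI script.
# All names below are placeholders (assumptions); override them in the environment.
set -eu
RG="${RG:-dd-siem-rg}"; LOCATION="${LOCATION:-eastus}"
NS="${NS:-dd-siem-ns}"; HUB="${HUB:-datadog-logs}"   # namespace name must be globally unique
STORAGE="${STORAGE:-ddsiemstorage01}"; APP="${APP:-dd-siem-forwarder}"
DD_SITE="${DD_SITE:-datadoghq.com}"
RESOURCE_ID="${RESOURCE_ID:-}"   # optional: ARM ID of one resource whose logs to forward

# Build the --logs JSON for the activity-log diagnostic setting from category names.
activity_logs_json() {
  out="["; sep=""
  for c in "$@"; do
    out="${out}${sep}{\"category\":\"${c}\",\"enabled\":true}"; sep=","
  done
  printf '%s]' "$out"
}

deploy() {
  : "${DD_API_KEY:?export DD_API_KEY (your Datadog API key) first}"
  az group create --name "$RG" --location "$LOCATION" --output none
  az eventhubs namespace create --resource-group "$RG" --name "$NS" --location "$LOCATION" --sku Standard --output none
  az eventhubs eventhub create --resource-group "$RG" --namespace-name "$NS" --name "$HUB" --output none
  # Default namespace rule: its ID authorises diagnostic settings, its key feeds the trigger.
  rule_id=$(az eventhubs namespace authorization-rule show --resource-group "$RG" \
    --namespace-name "$NS" --name RootManageSharedAccessKey --query id -o tsv)
  conn=$(az eventhubs namespace authorization-rule keys list --resource-group "$RG" \
    --namespace-name "$NS" --name RootManageSharedAccessKey --query primaryConnectionString -o tsv)
  az storage account create --name "$STORAGE" --resource-group "$RG" \
    --location "$LOCATION" --sku Standard_LRS --output none
  az functionapp create --name "$APP" --resource-group "$RG" --storage-account "$STORAGE" \
    --consumption-plan-location "$LOCATION" --os-type Linux \
    --runtime node --runtime-version 18 --functions-version 4 --output none
  # Secrets go in app settings, not index.js (assumes the pasted function reads DD_API_KEY/DD_SITE from env).
  az functionapp config appsettings set --name "$APP" --resource-group "$RG" --output none \
    --settings "EventHubConnection=$conn" "DD_API_KEY=$DD_API_KEY" "DD_SITE=$DD_SITE"
  # Forward Activity logs (subscription scope) to the event hub.
  az monitor diagnostic-settings subscription create --name dd-activity-logs \
    --location "$LOCATION" --event-hub-name "$HUB" --event-hub-auth-rule "$rule_id" --output none \
    --logs "$(activity_logs_json Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth)"
  # Forward resource logs (allLogs) for one resource, if an ID was given.
  if [ -n "$RESOURCE_ID" ]; then
    az monitor diagnostic-settings create --name dd-resource-logs --resource "$RESOURCE_ID" \
      --event-hub "$HUB" --event-hub-rule "$rule_id" --output none \
      --logs '[{"categoryGroup":"allLogs","enabled":true}]'
  fi
}
if [ -n "${DEPLOY:-}" ]; then deploy; fi
```

Run it with DEPLOY=1 after az login; the function's index.js and function.json are still added as in the steps above, with the trigger's connection setting pointed at EventHubConnection.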

Use Cloud SIEM to triage Security Signals

Cloud SIEM applies out-of-the-box detection rules to all processed logs, including the Azure Platform logs you have just set up. When a threat is detected with a detection rule, a Security Signal is generated and can be viewed in the Security Signals Explorer.

  • Go to the Cloud SIEM Signals Explorer to view and triage threats. See Security Signals Explorer for further details.
  • See out-of-the-box detection rules that are applied to your logs.
  • Create new rules to detect threats that match your specific use case.

Further Reading