# NG SIEM - Azure Logs Integration

<span style="color: rgb(0, 0, 0);">The **Azure Logs integration** enables you to collect logs from specific Azure services such as:</span>

- <span style="color: rgb(0, 0, 0);">**Microsoft Entra ID** (Sign-in, Audit, Identity Protection, Provisioning logs)</span>
- <span style="color: rgb(0, 0, 0);">**Azure Spring Apps**</span>
- <span style="color: rgb(0, 0, 0);">**Azure Firewall**</span>
- <span style="color: rgb(0, 0, 0);">**Microsoft Graph Activity**</span>
- <span style="color: rgb(0, 0, 0);">**Activity and Platform logs**</span>
- <span style="color: rgb(0, 0, 0);">Additional supported Azure services</span>

#### <span style="color: rgb(53, 152, 219);">**Example Use Cases**</span>

- <span style="color: rgb(0, 0, 0);">**Brute force sign-in detection**: Collect **Microsoft Entra ID sign-in logs** and configure an alert in the Observability Logs app to notify you if failed sign-in attempts exceed a defined threshold.</span>
- <span style="color: rgb(0, 0, 0);">**Capacity planning**: Collect **Azure Activity logs** to track when virtual machines fail to start due to quota limits, helping plan resource scaling.</span>
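The brute force use case above, as an added worked example that is not part of the original page: a Python check that parses one Event Hub message in the `{"records": [...]}` envelope that Entra ID diagnostic settings emit, keeps only failed `SignInLogs` records, and flags any user/IP pair whose failures exceed a threshold inside a sliding window. The sample message, threshold and window are constructed here; the field names follow the SignInLogs export schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5            # alert once a user/IP pair exceeds this many failures
WINDOW = timedelta(minutes=10)  # ...inside this sliding window


def _record(time, upn, ip, code, category="SignInLogs"):
    """Build one record shaped like the SignInLogs diagnostic export (constructed)."""
    return {"time": time, "category": category, "resultType": str(code),
            "callerIpAddress": ip,
            "properties": {"userPrincipalName": upn, "status": {"errorCode": code}}}


# Constructed sample Event Hub message: a diagnostic setting wraps the exported
# records in a {"records": [...]} envelope. All values are made up;
# errorCode 50126 is "invalid username or password", 0 is a successful sign-in.
SAMPLE_MESSAGE = json.dumps({"records":
    [_record(f"2024-05-01T10:0{i}:00Z", "alice@example.com", "203.0.113.10", 50126)
     for i in range(6)]                                                    # 6 failures in 5 min
    + [_record("2024-05-01T10:06:00Z", "alice@example.com", "203.0.113.10", 0)]  # then success
    + [_record(f"2024-05-01T{h}:00:00Z", "bob@example.com", "198.51.100.7", 50126)
       for h in ("07", "08", "09")]                                        # slow trickle, no alert
    + [_record("2024-05-01T10:01:00Z", "carol@example.com", "198.51.100.7", 50126, "AuditLogs")]})


def failed_signins(message):
    """Yield (timestamp, upn, ip) for every failed sign-in in one Event Hub message."""
    for rec in json.loads(message).get("records", []):
        if rec.get("category") != "SignInLogs":
            continue                        # the same hub may carry AuditLogs etc.
        props = rec.get("properties", {})
        if props.get("status", {}).get("errorCode", 0) == 0:
            continue                        # errorCode 0 is a successful sign-in
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield ts, props.get("userPrincipalName", "?"), rec.get("callerIpAddress", "?")


def detect_bruteforce(message, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return {(upn, ip): peak_failures} for pairs exceeding threshold inside the window."""
    recent = defaultdict(list)              # (upn, ip) -> failure timestamps still in window
    alerts = {}
    for ts, upn, ip in sorted(failed_signins(message)):
        key = (upn, ip)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) > threshold:    # "exceeds a defined threshold"
            alerts[key] = max(alerts.get(key, 0), len(recent[key]))
    return alerts
```

The sliding window is what keeps a slow trickle of failures (bob above) from alerting while a burst against one account (alice) does; the same logic maps directly onto a threshold alert in the Observability Logs app.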

---

#### <span style="color: rgb(53, 152, 219);">**Data Streams**</span>

<span style="color: rgb(0, 0, 0);">The Azure Logs integration collects **log data streams** from the following sources:</span>

- <span style="color: rgb(0, 0, 0);">Activity Logs</span>
- <span style="color: rgb(0, 0, 0);">Platform Logs</span>
- <span style="color: rgb(0, 0, 0);">Microsoft Entra ID Logs (Sign-in, Audit, Identity Protection, Provisioning)</span>
- <span style="color: rgb(0, 0, 0);">Microsoft Graph Activity Logs</span>
- <span style="color: rgb(0, 0, 0);">Azure Spring Apps Logs</span>

<span style="color: rgb(0, 0, 0);">Logs provide a complete record of events that occur in your Azure environment, allowing you to detect threats, troubleshoot issues, and plan capacity.</span>

---

#### <span style="color: rgb(53, 152, 219);">**Azure Setup Prerequisites**</span>

<span style="color: rgb(0, 0, 0);">To successfully forward Azure logs, you will need:</span>

1. <span style="color: rgb(0, 0, 0);">**Diagnostic Settings**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Configure diagnostic settings in Azure to export metrics and logs from source services (e.g., Entra ID, Activity Logs).</span>
    - <span style="color: rgb(0, 0, 0);">Logs must be sent to a supported destination for analysis and storage.</span>
2. <span style="color: rgb(0, 0, 0);">**Event Hubs**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">One or more **Event Hubs** to temporarily store and stream logs exported by Azure services.</span>
    - <span style="color: rgb(0, 0, 0);">Log Collector will use Event Hubs as the ingestion point.</span>
3. <span style="color: rgb(0, 0, 0);">**Storage Account Container**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">A **Storage Account container** to store checkpoint information about logs consumed by Log Collector.</span>
    - <span style="color: rgb(0, 0, 0);">This ensures logs are ingested reliably without duplication or loss.</span>


---

#### <span style="color: rgb(53, 152, 219);">**Step 1: Create an Event Hub for Microsoft Entra ID Logs**</span>

1. <span style="color: rgb(0, 0, 0);">**Go to Azure Portal &gt; Event Hubs &gt; Create Namespace**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Select **Resource Group** or create a new one.</span>
    - <span style="color: rgb(0, 0, 0);">Choose a **Region** and a **Pricing Tier (Standard or Premium)**.</span>
    - <span style="color: rgb(0, 0, 0);">Click **Review + Create** → **Create**.</span>
2. <span style="color: rgb(0, 0, 0);">**Create an Event Hub** inside the namespace</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Navigate to the **Namespace** → Click **+ Event Hub**.</span>
    - <span style="color: rgb(0, 0, 0);">Set **Name**: entra-id-logs (Example)</span>
    - <span style="color: rgb(0, 0, 0);">Set **Partitions**: At least **2** (for redundancy).</span>
    - <span style="color: rgb(0, 0, 0);">Click **Create**.</span>
3. <span style="color: rgb(0, 0, 0);">**Create a Consumer Group (Optional)**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Go to **Event Hub &gt; Consumer Groups**.</span>
    - <span style="color: rgb(0, 0, 0);">Add a new group (e.g., aquila-agent-group).</span>
4. <span style="color: rgb(0, 0, 0);">**Generate Connection String**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Navigate to **Event Hubs Namespace &gt; Shared Access Policies**.</span>
    - <span style="color: rgb(0, 0, 0);">Click **+ Add Policy**.</span>
    - <span style="color: rgb(0, 0, 0);">Set Name: AquilaAgentPolicy.</span>
    - <span style="color: rgb(0, 0, 0);">Select **"Listen"** permission.</span>
    - <span style="color: rgb(0, 0, 0);">Copy **Primary Connection String** (used in the next steps).</span>

---

#### <span style="color: rgb(53, 152, 219);">**Step 2: Enable Diagnostic Settings for Microsoft Entra ID**</span>

1. <span style="color: rgb(0, 0, 0);">**Go to Azure Portal &gt; Microsoft Entra ID**.</span>
2. <span style="color: rgb(0, 0, 0);">Navigate to **Monitoring &gt; Diagnostic Settings**.</span>
3. <span style="color: rgb(0, 0, 0);">Click **+ Add Diagnostic Setting** and configure:</span>
    - <span style="color: rgb(0, 0, 0);">**Name**: entra-logs-to-aquila</span>
    - <span style="color: rgb(0, 0, 0);">**Log Categories**:</span>
        - <span style="color: rgb(0, 0, 0);">Sign-in logs</span>
        - <span style="color: rgb(0, 0, 0);">Audit logs</span>
        - <span style="color: rgb(0, 0, 0);">Identity Protection logs</span>
        - <span style="color: rgb(0, 0, 0);">Provisioning logs</span>
    - <span style="color: rgb(0, 0, 0);">**Destination**: Select **Event Hubs**.</span>
    - <span style="color: rgb(0, 0, 0);">**Choose the Event Hub Namespace** created earlier.</span>
    - <span style="color: rgb(0, 0, 0);">**Select the Event Hub (entra-id-logs)**.</span>
    - <span style="color: rgb(0, 0, 0);">Click **Save**.</span>

---

#### <span style="color: rgb(53, 152, 219);">**Step 3: Configure Azure Storage for Checkpointing**</span>

1. <span style="color: rgb(0, 0, 0);">**Create a Storage Account**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Navigate to **Azure Portal &gt; Storage Accounts &gt; Create**.</span>
    - <span style="color: rgb(0, 0, 0);">Select **Resource Group** (same as Event Hub).</span>
    - <span style="color: rgb(0, 0, 0);">Set **Storage Account Name**: </span>
    - <span style="color: rgb(0, 0, 0);">**Disable Hierarchical Namespace** and **Enable TLS 1.2**.</span>
    - <span style="color: rgb(0, 0, 0);">Click **Create**.</span>
2. <span style="color: rgb(0, 0, 0);">**Create a Blob Container**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Open the **Storage Account &gt; Containers**.</span>
    - <span style="color: rgb(0, 0, 0);">Click **+ Container**.</span>
    - <span style="color: rgb(0, 0, 0);">Set **Name**: </span>
    - <span style="color: rgb(0, 0, 0);">Set **Public Access Level**: Private.</span>
3. <span style="color: rgb(0, 0, 0);">**Copy Storage Account Keys**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Go to **Storage Account &gt; Access Keys**.</span>
    - <span style="color: rgb(0, 0, 0);">Copy **Storage Account Name &amp; Key** for integration configuration.</span>

---

<p class="callout warning">**Please save these values and provide them to the AQUILA Support Team.**</p>

- <span style="color: rgb(0, 0, 0);">**Event Hub Name**: </span>
- <span style="color: rgb(0, 0, 0);">**Consumer Group**: </span>
- <span style="color: rgb(0, 0, 0);">**Event Hub Connection String**: </span>
- <span style="color: rgb(0, 0, 0);">**Storage Account Name**: </span>
- <span style="color: rgb(0, 0, 0);">**Storage Account Key**: </span>
- <span style="color: rgb(0, 0, 0);">**Storage Container Name**: </span>
- <span style="color: rgb(0, 0, 0);">**Resource Manager Endpoint (optional)**: </span>

---

<span style="color: rgb(0, 0, 0);">*If you need further assistance, kindly contact <span style="color: rgb(53, 152, 219);">**support@cytechint.com**</span> for prompt guidance.*</span>