Can someone explain to me the difference between NSG flow logs and NSG diagnostics?
Should I enable both or just one for security investigation purposes?
Regards,
Kelly
I searched online but couldn't find much information.
NSG flow logs, as the name suggests, allow you to collect and build analytics on top of the ingress/egress IP packets that flow through your NSG (the primary objective is to analyze network traffic). Note that flow logs can only be integrated with a storage account, i.e. the Blob service (or ADLS); no additional integration with Event Hub is available by default for now.
Diagnostic logs, as the name suggests, are a higher-level abstraction of log entity, i.e. they provide log details at tenant/resource group (or resource) scope. Note that diagnostic logs can be streamed to Event Hub and, in addition, can also be integrated with services such as Azure Monitor and a storage account (Blob store or ADLS).
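Since flow logs land in the storage account as JSON blobs, the investigation step is usually to parse those blobs and pivot on denied traffic. The following is an added example (not code from the answer above) that parses the documented version 2 flow-tuple layout and counts denied inbound connection attempts per source; the blob content is a constructed sample using RFC 5737 test addresses.

```python
"""Parse Azure NSG flow logs (version 2 JSON) and summarise denied inbound traffic."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the documented v2 flow-log layout; addresses are RFC 5737 test ranges.
SAMPLE_BLOB = json.dumps({"records": [{
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1614600000,203.0.113.7,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1614600001,203.0.113.7,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1614600002,198.51.100.9,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1614600003,203.0.113.50,10.0.1.4,44321,443,T,I,A,B,,,,",
            "1614600010,203.0.113.50,10.0.1.4,44321,443,T,I,A,E,12,4096,10,8192"]}]}]}}]})

@dataclass(frozen=True)
class Flow:
    rule: str
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # "T" (TCP) or "U" (UDP)
    direction: str  # "I" inbound, "O" outbound
    decision: str   # "A" allowed, "D" denied
    state: str      # "B" begin, "C" continuing, "E" end; empty for version 1 tuples
    bytes_total: int  # bytes in both directions; only reported on C/E tuples

def parse_flow_log(text: str) -> list[Flow]:
    """Flatten one flow-log blob into a Flow per tuple (handles v1 8-field tuples too)."""
    out = []
    for rec in json.loads(text)["records"]:
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    state = f[8] if len(f) > 8 else ""
                    # Fields 10 and 12 are bytes src->dst and dst->src; blank on "B" tuples.
                    byt = sum(int(x) for x in f[10:13:2] if x) if len(f) >= 13 else 0
                    out.append(Flow(rule["rule"], int(f[0]), f[1], f[2], int(f[3]),
                                    int(f[4]), f[5], f[6], f[7], state, byt))
    return out

def denied_inbound_by_source(flows: list[Flow]) -> Counter:
    """Count new (state B, or v1) inbound flows the NSG denied, keyed by source IP."""
    return Counter(f.src_ip for f in flows
                   if f.direction == "I" and f.decision == "D" and f.state in ("B", ""))
```

Only "B" tuples are counted so that a long-lived flow reported again as "C" or "E" is not double-counted.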
Are the resource logs (which are part of platform logs) from Azure supported in QRadar, or do we need to build a custom parser for each resource type in the subscription?
I read the DSM documentation of QRadar, and it mentions platform activity logs, but not resource logs. Let's take an example where we get gateway logs, websocket connection logs, request logs, etc. from our Azure deployment. Are all resource logs supported by QRadar to be taken from Event Hub and integrated into QRadar (list of resource logs supported by QRadar)?
If I understand your question correctly, you are looking to extend existing parsers to QR without having to implement custom properties.
For this IBM has published the "IBM QRadar Content Extension for Azure":
https://exchange.xforce.ibmcloud.com/hub/extension/7a89f51852efa37de0809457ef1006dd
I recommend installing another extension, "Microsoft Azure Security Center Connected Assets & Risks Connector" (https://exchange.xforce.ibmcloud.com/hub/extension/0dbfab6a22bca7add7a99fa19fdd426f), which allows you to monitor other risk events via ASC and integrate assets that are not yet parsed into QR.
And probably the best way to solve the issue with Azure log data is to run QR + Sentinel side by side: use Azure Sentinel and turn on Data Connectors for Azure-specific resources. This keeps you up to date with integration, data parsing and current built-in rules. We have this scenario deployed for selected sources (Exchange, Teams, risky sign-ins, etc.) and we monitor them via built-in rules in Sentinel. Subsequently, we integrate them into QR; see https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-qradar/ba-p/1488333. We finally store the logs in QRadar, but we use Sentinel for Azure-specific rules and then integrate the incidents into QR.
Regards.
I'm using an Azure IoT Hub. I'm still in the development phase. It used to work fine, but now the hub is disconnecting the devices almost immediately after they connect. Where can I see some logs or info about why the hub is disconnecting? And if I have to activate some services, which ones?
You may need to turn on diagnostics for IoT Hub to log the device connection events and errors. Once the logs and alerts are ON for connected devices, you will get alerts and error logs when errors occur. The troubleshooting link to begin with can be https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-troubleshoot-connectivity which captures details about how to enable diagnostics, alerts and other possible troubleshooting methods. The section 'Resolve connectivity errors' describes how to look for common issues when you receive an alert, and this seems to depend on Azure Monitor logs being enabled. It also furnishes problem resolution guides for the most common errors.
There are a couple of services integrated with IoT Hub, like Azure Monitor and Azure Resource Health, that help provide you with the data required for keeping your IoT solution running in a healthy state. Azure Resource Health helps to monitor whether your IoT hub is up and running. Here is a related link on IoT Hub health monitoring and diagnosing problems that can be an additional reference for you.
Azure Monitor stores log data in a Log Analytics workspace, which is an Azure resource and a container where data is collected and aggregated, and which serves as an administrative boundary, as conveyed in Azure Monitor logs. Data in Azure Monitor Logs is retrieved using a log query written in the Kusto Query Language, which allows you to quickly retrieve, consolidate, and analyze collected data.
The built-in policy audits whether a Log Profile exists, but not the destination stores. I would like to specify the Storage Account/Event Hub/Log Analytics Workspace.
Can I enforce those settings, and in that approach also utilize modern diagnostic settings and send to a storage account and Log Analytics workspace?
Two (2) options to configure diagnostic settings (besides doing this manually on each resource):
Azure Resource Manager (ARM) template
This requires you to have a deeper understanding of Azure and its resources. However, it gives you all the flexibility to configure any type of resource and target (storage, event hub or log analytics). This option does not come with an additional feature to check compliance and remediate configuration drift.
See the Microsoft documentation here
Azure Policy
Configuration can be done through the portal (look for 'Policy' under 'All services'). However, only the following resources are covered: Service Bus, Search Services, Event Hub, Stream Analytics, Data Lake Gen 1. On the other hand, it comes with a compliance dashboard and remediation.
See the Microsoft documentation here
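The question above wants the destination stores themselves enforced, and the ARM route described in the answer gives no drift check. As an added example (not code from the answer or from Microsoft), the following compares a resource's diagnostic settings against a required workspace, storage account and set of NSG log categories, and reports what is missing. It assumes the input is shaped like the camelCase JSON that `az monitor diagnostic-settings list --resource <id>` returns; the resource IDs and the two sample settings lists are constructed placeholders.

```python
"""Check a resource's diagnostic settings against a required-destination baseline."""
import json

# Required destinations and log categories (assumed values; replace with your own IDs).
REQUIRED_WORKSPACE = ("/subscriptions/SUB-ID/resourceGroups/sec-rg/providers/"
                      "Microsoft.OperationalInsights/workspaces/sec-law")
REQUIRED_STORAGE = ("/subscriptions/SUB-ID/resourceGroups/sec-rg/providers/"
                    "Microsoft.Storage/storageAccounts/seclogs")
REQUIRED_CATEGORIES = {"NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"}

def _setting(name, workspace=None, storage=None, categories=()):
    """Build one constructed diagnostic setting in the camelCase shape the CLI returns."""
    return {"name": name, "workspaceId": workspace, "storageAccountId": storage,
            "eventHubAuthorizationRuleId": None,
            "logs": [{"category": c, "enabled": True} for c in categories]}

# Constructed samples: one compliant NSG, one whose counter log drifted to another account.
COMPLIANT = json.dumps([
    _setting("to-law-and-storage", REQUIRED_WORKSPACE, REQUIRED_STORAGE, REQUIRED_CATEGORIES)])
DRIFTED = json.dumps([
    _setting("to-law", REQUIRED_WORKSPACE, None, REQUIRED_CATEGORIES),
    _setting("to-storage", None, REQUIRED_STORAGE, ["NetworkSecurityGroupEvent"]),
    _setting("dev-archive", None, REQUIRED_STORAGE.replace("seclogs", "devlogs"),
             ["NetworkSecurityGroupRuleCounter"])])

def find_drift(settings_json: str) -> list[str]:
    """Return findings for categories missing from the required destinations ([] = compliant)."""
    to_workspace, to_storage = set(), set()
    for s in json.loads(settings_json):
        # A resource may carry several settings; a category counts only where it is enabled.
        enabled = {l["category"] for l in s.get("logs", []) if l.get("enabled")}
        if s.get("workspaceId") == REQUIRED_WORKSPACE:
            to_workspace |= enabled
        if s.get("storageAccountId") == REQUIRED_STORAGE:
            to_storage |= enabled
    findings = [f"{c}: not sent to required Log Analytics workspace"
                for c in sorted(REQUIRED_CATEGORIES - to_workspace)]
    findings += [f"{c}: not archived to required storage account"
                 for c in sorted(REQUIRED_CATEGORIES - to_storage)]
    return findings
```

Run across all NSGs in a subscription, a non-empty result is the configuration drift the answer says the ARM approach alone will not surface.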
I'm developing a basic Azure IoT Remote Monitoring solution with the Azure Solution Accelerator "Remote Monitoring". When I start to actually pay for services and stop using a free account, very soon the cash starts to pile up, and there seem to be very many resources created behind the scenes. I'm wondering which resources I really need and which ones I could throw away to save money. These are the resources that I have:
App Service plan
App Service
Network interface
Network security group
Public IP address
Virtual network
Storage account
Azure Cosmos DB account
Device Provisioning Service
Event Hubs Namespace
App Service
App Service plan
IoT Hub
Key vault
Logic app
Azure Maps Account
API Connection
Disk
Storage account (2)
Stream Analytics job
Time Series Insights environment
Time Series Insights event source
Virtual machine
CosmosDB is probably one of the more expensive resources in your list, so if you can find a way to swap some other datastore for it you can save some money.
Take a look at Remote Monitoring architectural choices. The Azure IoT Remote Monitoring solution accelerator is an open-source, MIT-licensed solution accelerator. To help you speed up your IoT development process, it shows common IoT scenarios such as:
Device connectivity
Device management
Stream processing
The Remote Monitoring solution follows the recommended Azure IoT reference architecture.
This article describes the key architectural and technical choices made in each of the Remote Monitoring subsystems. However, the technical choices Microsoft made in the Remote Monitoring solution aren't the only way to implement a remote monitoring IoT solution. You should regard the technical implementation as a baseline for building a successful application and you should modify it to:
Fit the available skills and experience in your organization.
Meet your vertical application needs.
In Log analytics for network security groups, Microsoft describes how to enable "Counter logs" that keep track of how many times the security rules for NSGs are invoked.
I've followed the instructions in the article, enabling the NetworkSecurityGroupRuleCounter for my NSG, but I don't get any events. I am sure that my Inbound and Outbound rules are being invoked; I can successfully use them to block incoming and outgoing traffic for VMs in the group.
As you can see, the setting is enabled as shown in the article. Is there something else that's needed to make the Counter logs show up?
This turned out to be a software fault and not a configuration issue. I finally got an engineer at Microsoft to look at this problem. They restarted an agent on a host machine, which fixed the issue.
Have you tried choosing a different storage account to see if the logs are recorded?
How exactly are you analyzing the logs?
Is the Storage account created in Azure Resource Manager?
Check and make sure that the Storage account that you have chosen for the logs is created in Azure Resource Manager.