USM Anywhere™

Collect Azure Resource Logs

Microsoft Azure resource logs (previously referred to as diagnostic logs) provide insight into operations performed within an Azure resource, such as Internet Information Services (IIS) or SQL Server. USM Anywhere discovers and collects these logs through the Azure APIs. A USM Anywhere Sensor deployed in your Azure environment is preconfigured to automatically discover logs from your Azure storage account. You can enable or disable the predefined jobs from the Azure Sensor Setup Wizard (see Azure Log Collection) or within the USM Anywhere Scheduler (see Enable Predefined Jobs).

To supplement the default log location or to add log collection for Azure Web Apps, you can create custom log collection jobs that operate through the Azure Sensor app.

Note: What an Azure log job collects depends on whether you granted contributor permissions to one of your resources or to your entire Azure subscription for the USM Anywhere application. Depending on the Azure Credentials configured for the deployed Azure Sensor, the sensor could have access to individual resource groups or the whole subscription. For more details, see Creating an Application and Obtaining Azure Credentials.

Azure Monitor (formerly Azure Insights) provides base-level infrastructure metrics and logs for most services in Azure. It helps you to track user activities within an Azure subscription, including when users log on, deploy or shut down virtual machines (VMs), and more. Through the Azure Monitor Representational State Transfer (REST) API, USM Anywhere captures those logs and creates events.

You need to perform a specific configuration of Azure Monitor in the Azure console for USM Anywhere to collect the Azure-related logs. You need to enable the archive to a storage account option on the Azure subscription, which then enables USM Anywhere to automatically detect and create a job for the Azure-related jobs. When you complete the Log Collection step for your Azure Sensor setup, you can enable this default job, which runs every 20 minutes.

You can also enable or disable this default job in the Job Scheduler. When you select the job in this page, you can review the history for the scheduled job.

Review the history for the default Azure Insight log collection job

Azure Security Center is an Azure service that continuously monitors your Azure environment and applies analytics to automatically detect a wide range of potentially malicious activity. It surfaces these detections as security alerts. Security Center performs this function by collecting data from your virtual machines, which is enabled for all virtual machines in your subscription by default. You can also customize this data collection in the Security Center policy.

You do not need to perform a specific configuration of the Azure Security Alerts in the Azure console to be able to collect these logs. USM Anywhere automatically detects these logs and creates a job for Azure Security Alerts logs. When you complete the Log Collection step for your Azure Sensor setup, you can enable this default job, which runs every 20 minutes.

You can also enable or disable this default job in the Job Scheduler. When you select the job in this page, you can review the history for the scheduled job.

Review the history for the default Azure Security Alerts log collection job

For individual VMs running IIS with Azure diagnostics enabled, you can designate storage for the IIS logs. USM Anywhere automatically detects these logs through the Azure APIs and Azure SDKs. For each Azure Storage Container locations with Azure IIS Logs that it detects, USM Anywhere creates a default log collection job. When you complete the Log Collection step for your Azure Sensor setup, you can enable these default jobs, which run every five minutes.

Note: This type of IIS implementation is different than Azure Web Apps, which is a platform service and uses a different logging configuration. For information about collecting logs for web apps, see Azure Web Apps Logs.

You can also enable or disable this default job in the Job Scheduler. When you select the job in this page, you can review the history for the scheduled job. You could choose to disable this default job based on the IIS log locations that USM Anywhere discovers and create a custom Azure IIS log collection job for a location that you specify.

Specify the parameters to collect Azure IIS logs

When you configure the new job, set the App Action option to Process Azure IIS Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about scheduling an Azure log collection job, see Creating a New Azure Log Collection Job.

For individual VMs running SQL Server with Azure diagnostics enabled, you can designate storage for the IIS logs. You must configure this to use Azure Table Storage. To simplify the tracking of related security issues, USM Anywhere treats the SQL service as an asset, and maps events and other security issues directly with the SQL service. When it detects Azure Storage Table locations with Azure SQL Server Logs, USM Anywhere creates a default log collection job for each. When you complete the Log Collection step for your Azure Sensor setup, you can enable these default jobs, which run every five minutes.

Important: USM Anywhere collects SQL Server logs stored as tables only. It does not collect SQL Server logs stored as Binary Large OBjects (BLOB)s.

Microsoft Azure has recently deprecated table storage and recommends that users select the BLOB storage option. However, you must use the Azure Tables storage option for your SQL Server logs to make them available for collection by the USM Anywhere Sensor.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can create an additional Azure SQL Server log collection job.

Specify the parameters to collect Azure SQL Server logs

When you configure the new job, set the App Action option to Process Azure SQL Server Logs. You must also specify the Resource Group, Storage Account, and Table Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.

Azure App Service Web Apps is a fully managed compute platform that is optimized for hosting websites and web applications. A web app represents the compute resources that Azure provides for hosting a website or web application and these compute resources may be on shared or dedicated virtual machines (VMs). For each deployed web app in your Azure environment, you can enable diagnostic logging to capture and store the web server and application information.

Important: When configuring Azure Web Apps logs, you must use the W3C format and select the following fields:

date, time, s-sitename, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken

Unlike the other supported Azure logs, the USM Anywhere Sensor does not perform an automatic discovery job for Web Apps to look for the storage location. If you want USM Anywhere to collect the log data for your Web Apps, you must create a new log job and specify the storage location parameters.

Specify the parameters to collect Azure Web Apps logs

When you configure the new job, set the App Action option to Process Azure Web Apps Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.

For individual VMs running Windows with Azure diagnostics enabled, Azure stores the Windows Events logs by default. USM Anywhere automatically detects these logs through Azure APIs and Azure SDKs. When it detects Azure Storage Container locations with Azure Windows Logs, USM Anywhere creates a default log collection job for each. When you complete the Log Collection step for your Azure Sensor setup, you can enable these default jobs, which run every five minutes.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can create an additional Azure Windows log collection job.

Specify the parameters to collect Azure Windows logs

When you configure the new job, set the App Action option to Process Azure Windows Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.

Related Video Content

To view other related training videos, click here.