Microsoft Azure Management Plane

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

Product	Samurai [Local] Collector	Samurai [Cloud] Collector
Microsoft Azure Management Plane

Use these instructions to create Log Analytics Workspace and to connect it to Microsoft Azure Activity Log.

You will also be able to create Azure Active Directory application and add Active Directory Audit and Sign-in Logs to Log Analytics Workspace. In addition, you can also configure Azure Application Gateway Log Analytics.

To complete this Integration you will need to:

1) From the Microsoft Azure Portal

• Create a Log Analytics Workspace
• Connect Log Analytics Workspace to Azure Activity Log
• Add Active Directory Audit and Sign-in Logs to Log Analytics Workspace
• Add Security Center Logs to Log Analytics Workspace with Continuous Export
• Register application for Microsoft Identity
• Configure Azure Application Gateway Log Analytics
• Add Access Controls Within Log Analytics Workspaces

2) From the Samurai XDR application:

• Complete the Microsoft Azure Management Plane integration

Create a Log Analytics Workspace

Perform the steps outlined within the Azure Documentation - Create Log Analytics workspace

1. Log in to the Microsoft Azure portal.
2. Enter Log Analytics in the search box and select Log Analytics workspaces
3. From the Create Resource menu, click IT & Management Tools.
4. Select Add
5. Select a relevant Subscription or create a new one
6. To create a new workspace, specify the following information
7. Specify an appropriate name for the new Log Analytics Workspace
8. Select a relevant Region based on your resources (refer to the Azure documentation linked above
9. Select Review + Create
10. On the newly created Log Analytics Workspace, locate the Workspace ID and record it - you will need this information to Complete the Microsoft Azure Management Plane integration

Send Azure Activity Log to Log Analytics

Perform the steps outlined within the Azure Documentation -  Send to Log Analytics Workspace

You may also need to refer to Create diagnostic settings

You can configure diagnostic settings in the Azure portal either from the Azure Monitor menu or from the menu for the resource.

Add Active Directory Audit and Sign-in Logs to Log Analytics Workspace

If you have the Microsoft Office 365 integration then you do not need to complete this section as Samurai XDR will already be ingesting Audit and Sign-in Logs, therefore please go to the next section - Add Security Center Logs to Log Analytics with Continuous Export

You can configure the diagnostic settings in the Azure portal either from the Azure Monitor menu or from the menu for the resource.

Perform the steps outlined within the Azure Documentation - Send Logs to Azure Monitor

1. Log in to the Azure portal using your Azure account.
2. In the left navigation pane, Select Azure Active Directory>Diagnostic settings->Add diagnostic setting. You can also select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.

3. In the Diagnostic settings menu

   1. Specify a descriptive Name for this diagnostic setting. For example, ad-log-analytics.
   2. Under Category details select SigninLogs and AuditLogs

   3. Under Destination details select Send to Log Analytics workspace

   4. Select the relevant Subscription and  Log Analytics Workspace created in Create Log Analytics Workspace.

4. Click Save

Add Security Center Logs to Log Analytics Workspace with Continuous Export

Perform the steps outlined within the Azure Documentation - Setup continuous export

1. Log in to the Azure portal using your Azure account.
2. From the Defender for Cloud's menu, open Environment settings

3. Select the specific subscription for which you want to configure the data export.

4. From the sidebar of the setting page for that subscription, select Continuous export
5. Specify the following information:
   1. Select the Log Analytics workspace tab.
   2. Select the Security alerts checkbox.
   3. Select High, Medium, Low (all options) from the Security alerts list.
   4. Select Export Frequency > Streaming updates
   5. In the Export configuration section, select the resource group where this configuration will reside.
   6. In the Export target section, perform the following steps:
      1. Select the subscription where the Log Analytics Workspace was created from the Subscription list.
      2. Select the Log Analytics Workspace created earlier from the Select target workspace list.
6. Click Save.

Register application for Microsoft identity

Perform the steps outlined within the Azure Documentation - Register an application

1. Log in to the Azure portal using your Azure account.
2. In the left navigation pane, click Azure Active Directory.
3. Click App registrations. The App registrations page appears.
4. Click New application registration. The Register an application page appears.
5. Specify a descriptive Name. For example, NTT-log-analytics-monitoring.
6. Select Accounts in this organizational directory only.
7. Under the Redirect URI (optional), leave the field blank.
8. Click Register.
9. From the newly created application’s dashboard, copy and save the following information and you will need this when you Complete the Microsoft Azure Management Plane integration.
   • Application (client) ID
   • Directory (tenant) ID
10. From the new application’s menu, navigate to API permissions.
11. Click Add a permission.
12. Click APIs my organization uses.
13. Search for and select Log Analytics API. The Log Analytics API page appears.
14. Click Application permissions.
15. Select the Data.Read checkbox.
16. Click Add permissions.
17. In the dashboard for the application, click Grant admin consent for <tenant name>.
18. In the left navigation pane, click Certificates & secrets under the Manage section.
19. Click New client secret.
20. Specify a description and choose an expiration period.
21. Copy and save the value of the client secret - you will need this information to Complete the Microsoft Azure Management Plane integration

The expiration period for this secret key may depend on your company’s security policy. If a finite length is chosen, your company is responsible for providing a new key to NTT before expiration to ensure uninterrupted service.

Configure Azure Application Gateway Log Analytics

Perform the steps outlined within the Azure Documentation - Enable logging through the Azure Portal

1. Log in to the Azure portal using your Azure account
2. From the left navigation pane, under Monitoring, select Diagnostic settings
3. Select Turn on Diagnostics
4. The Diagnostics settings page appears
5. Perform the following steps:
   1. Specify ntt-export in the Diagnostic settings name field
   2. Select the Send to Log Analytics checkbox.
   3. Select the relevant Subscription
   4. Select the relevant Log Analytics workspace.
   5. Under LOG section, select the ApplicationGatewayAccessLog and ApplicationGatewayFirewallLog checkboxes
6. Click Save.

Add Access Controls Within Log Analytics Workspaces

Perform the steps outlined within the Azure Documentation - Assign Azure roles using the Azure portal

1. Navigate to Log Analytics Workspaces.
2. Select the relevant workspace.
3. Select Access Control (IAM) from the left navigation pane.
4. Click Add a role assignment.
   • Select Owner from the Role list.
   • Select Azure AD use, group, or service principal from the Assign
     access to list.
   • Search the Azure Active Directory Application.
     The name of the Azure Active Directory Application should match the one that was completed in Create Azure Active Directory Application
5. Click Save.
   
   

Complete the Microsoft Azure Management Plane integration

You will need to following information:

• Application (Client) ID (captured during steps within Register application for Microsoft Identity)
• Directory (Tenant) ID  (captured during steps within Register application for Microsoft Identity)
• Secret Key (created under Create Azure Active Directory Application)
• Workspace ID (captured under Create Log Analytics Workspace)

1. Login to your Samurai XDR tenant
2. Select Telemetry > Integrations
3. Select Create
4. Locate and click Microsoft Azure Management Plane
5. Click Next (we leverage a Samurai XDR Cloud Collector)
6. Enter a Name of Integration - name will appear in the XDR application for you to easily reference
7. Enter a Description (Optional) - if completed will appear in the XDR application for you to easily reference)
8. Enter your Application ID 
9. Enter your Tenant ID
10. Enter the Workspace ID
11. Enter your Secret Key
12. Click Finish

For general information on Integrations refer to the Integrations article.