Collect Microsoft Azure Key Vault logging logs
This document describes how you can collect the Azure Key Vault logging logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google SecOps.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AZURE_KEYVAULT_AUDI ingestion label.
Before you begin
Ensure that you have the following prerequisites:
- Azure subscription that you can sign in to
- Azure Key Vault environment (tenant) in Azure
- Global administrator or Azure Key Vault administrator role
- Azure storage account to store the logs
Configure a storage account
- Sign in to the Azure portal.
- In the Azure console, search for Storage accounts.
- Select the storage account that the logs must be pulled from, and then select Access key. To create a new storage account, do the following:
- Click Create.
- Enter a name for the new storage account.
- Select the subscription, resource group, region, performance, and redundancy for the account. We recommend setting the performance to standard, and the redundancy to GRS or LRS.
- Click Review + create.
- Review the overview of the account and click Create.
- Click Show keys and make a note of the shared key for the storage account.
- Select Endpoints and make a note of the Blob service endpoint.
For more information about creating a storage account, see the Create an Azure storage account section in the Microsoft documentation.
Configure Azure Key Vault logging
- In the Azure portal, go to Key vaults and select the key vault that you want to configure for logging.
- In the Monitoring section, select Diagnostic settings.
- Select Add diagnostic setting. The Diagnostics settings window provides the settings for the diagnostic logs.
- In the Diagnostic setting name field, specify a name for the diagnostic setting.
- In the Category groups section, select the audit checkbox.
- In the Retention (days) field, specify a log retention value that complies with your organization's policies. Google SecOps recommends a minimum of one day of log retention.
You can store the Azure Key Vault logging logs in a storage account or stream the logs to Event Hubs. Google SecOps supports log collection using a storage account.
Archive to a storage account
- To store logs in a storage account, in the Diagnostics settings window, select the Archive to a storage account checkbox.
- In the Subscription list, select the existing subscription.
- In the Storage account list, select the existing storage account.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New Feed
- Content Hub > Content Packs > Get Started
How to set up the Azure Key Vault logging feed
- Click the Azure Platform pack.
- Locate the Azure Key Vault logging log type and click Add new feed.
- Specify values for the following fields:
- Source Type: Microsoft Azure Blob Storage V2.
- Azure URI: specify the Blob service endpoint that you obtained previously along with one of the container names of that storage account. For example, https://xyz.blob.core.windows.net/abc/.
- Source deletion option: specify the source deletion option.
- Maximum File Age: Includes files modified in the last number of days. Default is 180 days.
- Key: specify the shared key that you obtained previously.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
- Click Create feed.
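Before creating the feed, it is worth checking the three values the steps above ask for (the Azure URI built from the Blob service endpoint and a container, the shared key, and the Maximum File Age) against what is actually in the storage account. The following script is an added example, not code from the Google SecOps or Microsoft documentation. It assumes that Azure diagnostic settings archive Key Vault audit logs to a container named insights-logs-auditevent using blob paths of the form resourceId=/SUBSCRIPTIONS/.../VAULTS/<name>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json, and that storage account shared keys are base64 strings decoding to 64 bytes; the endpoint, key and blob listing below are constructed sample values.

```python
"""Pre-flight checks for a Google SecOps Azure Key Vault logging feed.

Added example, not code from the Google SecOps or Microsoft documentation.
Assumptions (not stated on the page): Azure diagnostic settings write Key Vault
audit logs to a container named insights-logs-auditevent using the blob path
layout matched by BLOB_PATH_RE, and storage account shared keys are base64
strings that decode to 64 bytes. All sample values below are constructed.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Blob path layout used by Azure diagnostic settings archived to storage (assumption).
BLOB_PATH_RE = re.compile(
    r"^resourceId=/SUBSCRIPTIONS/(?P<sub>[^/]+)/RESOURCEGROUPS/(?P<rg>[^/]+)"
    r"/PROVIDERS/MICROSOFT\.KEYVAULT/VAULTS/(?P<vault>[^/]+)"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=(?P<mi>\d{2})/PT1H\.json$",
    re.IGNORECASE,
)


def build_feed_uri(blob_endpoint: str, container: str) -> str:
    """Join the Blob service endpoint and a container name into the feed's Azure URI.

    Produces the shape shown on the page (https://xyz.blob.core.windows.net/abc/) and
    rejects non-HTTPS or non-blob endpoints and container names outside Azure's rules
    (3-63 lowercase letters, digits and single hyphens).
    """
    parts = urlsplit(blob_endpoint)
    if parts.scheme != "https" or not parts.netloc.endswith(".blob.core.windows.net"):
        raise ValueError(f"not a Blob service endpoint: {blob_endpoint}")
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]", container) or "--" in container:
        raise ValueError(f"invalid container name: {container}")
    return f"https://{parts.netloc}/{container}/"


def check_shared_key(key: str) -> bool:
    """Shared key sanity check: strict base64 that decodes to 64 bytes (assumption).

    Catches the usual copy errors: truncated key, stray whitespace, or a different
    field pasted in place of the key.
    """
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 64


def parse_blob_path(path: str) -> Optional[dict]:
    """Return the vault name and UTC hour a diagnostic blob covers, or None if it is not one."""
    m = BLOB_PATH_RE.match(path)
    if m is None:
        return None
    hour = datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc)
    return {"vault": m["vault"], "hour": hour}


def blobs_within_max_age(blobs, now, max_file_age_days=180):
    """Apply the feed's Maximum File Age rule: keep blobs modified in the last N days (default 180)."""
    cutoff = now - timedelta(days=max_file_age_days)
    return [b for b in blobs if b["last_modified"] >= cutoff]


def preflight(blob_endpoint, container, key, blobs, now, max_file_age_days=180):
    """Summarize what the feed would be configured with and which blobs it would pick up first."""
    parsed = [parse_blob_path(b["name"]) for b in blobs_within_max_age(blobs, now, max_file_age_days)]
    return {
        "uri": build_feed_uri(blob_endpoint, container),
        "key_ok": check_shared_key(key),
        "vault_hours": [(p["vault"], p["hour"].isoformat()) for p in parsed if p is not None],
        "skipped": sum(1 for p in parsed if p is None),  # recent blobs that are not Key Vault logs
    }


# Constructed sample inputs (not real account, key or blob names).
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINT = "https://xyz.blob.core.windows.net/"
SAMPLE_CONTAINER = "insights-logs-auditevent"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
_PREFIX = ("resourceId=/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-SEC"
           "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-PROD")
SAMPLE_BLOBS = [
    {"name": f"{_PREFIX}/y=2024/m=06/d=29/h=23/m=00/PT1H.json", "last_modified": NOW - timedelta(hours=12)},
    {"name": f"{_PREFIX}/y=2023/m=12/d=31/h=00/m=00/PT1H.json", "last_modified": NOW - timedelta(days=182)},
    {"name": "notes/readme.txt", "last_modified": NOW - timedelta(days=1)},  # not a diagnostic blob
]

if __name__ == "__main__":
    print(preflight(SAMPLE_ENDPOINT, SAMPLE_CONTAINER, SAMPLE_KEY, SAMPLE_BLOBS, NOW))
```

Run against a real listing (for example the output of a blob list call for the container), the `vault_hours` result shows which vaults and hours the feed would ingest under the chosen Maximum File Age, and a `skipped` count above zero means the container holds blobs the Key Vault parser will not recognize, which usually indicates the URI points at the wrong container.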
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
For more information about Google SecOps feeds, see Google SecOps feeds documentation.
For information about requirements for each feed type, see Feed configuration by type.