Collect Azure Firewall logs

This document explains how to export Azure Firewall logs to Google Security Operations using Azure Storage Account. The parser first attempts to process the input as JSON, extracting data from the Recordsfield. If the Recordfield is empty, the parser then uses a series of Grok patterns and conditional statements to extract relevant fields from the message, handling different formats and variations in the Azure Firewall logs.

Before you begin

Ensure you have the following prerequisites:

• Google SecOps instance
• An active Azure tenant
• Privileged access to Azure

Configure Azure Storage Account

1. In the Azure console, search for Storage accounts .
2. Click + Create.
3. Specify values for the following input parameters:
   • Subscription: Select the subscription.
   • Resource Group: Select the resource group.
   • Region: Select the region.
   • Performance: Select the performance (Standard recommended).
   • Redundancy: Select the redundancy (GRS or LRS recommended).
   • Storage account name: Enter a name for the new storage account.
4. Click Review + create.
5. Review the overview of the account and click Create.
6. From the Storage Account Overviewpage, select the Access keyssubmenu in Security + networking.
7. Click Shownext to key1or key2.
8. Click Copy to clipboardto copy the key.
9. Save the key in a secure location for later use.
10. From the Storage Account Overviewpage, select the Endpointssubmenu in Settings.
11. Click Copy to clipboardto copy the Blob serviceendpoint URL; for example, https://<storageaccountname>.blob.core.windows.net .
12. Save the endpoint URL in a secure location for later use.

How to configure Log Export for Azure Firewalls Logs

1. Sign in to the Azure Portalusing your privileged account.
2. Go to Firewallsand select the required firewall.
3. Select Monitoring > Diagnostic Services.
4. Click + Add diagnostic setting.
   • Enter a descriptive name for the diagnostic setting.
5. Select allLogs.
6. Select the Archive to a storage accountcheckbox as the destination.
   • Specify the Subscriptionand Storage Account.
7. Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

• SIEM Settings > Feeds > Add New
• Content Hub > Content Packs > Get Started

How to set up the Azure firewall feed

1. Click the Azure Platformpack.
2. Locate the Azure firewalllog type and click Add new feed.

3. Specify values for the following fields:

   • Source Type: Microsoft Azure Blob Storage V2.
   • Azure URI: The blob endpoint URL.
     • ENDPOINT_URL/BLOB_NAME
       • Replace the following:
         • ENDPOINT_URL : The blob endpoint URL ( https://<storageaccountname>.blob.core.windows.net )
         • BLOB_NAME : The name of the blob (such as, <logname>-logs )

   • Source deletion options: Select the deletion option according to your ingestion preferences.

   • Maximum File Age: Includes files modified in the last number of days. Default is 180 days.

   • Shared key: The shared key (a 512-bit random string in base-64 encoding) used to access Azure resources.

   Advanced options

   • Feed Name: A prepopulated value that identifies the feed.
   • Asset Namespace: Namespace associated with the feed .
   • Ingestion Labels: Labels applied to all events from this feed.

4. Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

UDM Mapping

Log field	UDM mapping	Logic
@timestamp	metadata.event_timestamp	Converts the raw log field @timestamp to UDM Format.
category	security_result.rule_type	Maps the raw log field category to UDM.
operationName	metadata.product_event_type	Maps the raw log field operationName to UDM.
properties.Action	security_result.action	Maps the raw log field properties.Action to UDM, converting ALLOW to ALLOW , DENY to BLOCK , and any other value to UNKNOWN_ACTION .
properties.DestinationIp	target.ip	Maps the raw log field properties.DestinationIp to UDM.
properties.DestinationPort	target.port	Maps the raw log field properties.DestinationPort to UDM.
properties.DnssecOkBit	additional.fields.value.bool_value	Maps the raw log field properties.DnssecOkBit to UDM.
properties.EDNS0BufferSize	additional.fields.value.number_value	Maps the raw log field properties.EDNS0BufferSize to UDM.
properties.ErrorMessage	additional.fields.value.string_value	Maps the raw log field properties.ErrorMessage to UDM.
properties.ErrorNumber	additional.fields.value.number_value	Maps the raw log field properties.ErrorNumber to UDM.
properties.Policy	security_result.detection_fields.value	Maps the raw log field properties.Policy to UDM.
properties.Protocol	network.ip_protocol	Maps the raw log field properties.Protocol to UDM if it's not HTTPS or HTTP .
properties.Protocol	network.application_protocol	Maps the raw log field properties.Protocol to UDM if it's HTTPS or HTTP .
properties.QueryClass	network.dns.questions.class	Maps the raw log field properties.QueryClass to UDM using a lookup table for mapping DNS query classes.
properties.QueryId	network.dns.id	Maps the raw log field properties.QueryId to UDM.
properties.QueryName	network.dns.questions.name	Maps the raw log field properties.QueryName to UDM.
properties.QueryType	network.dns.questions.type	Maps the raw log field properties.QueryType to UDM using a lookup table for mapping DNS record types.
properties.RequestSize	network.sent_bytes	Maps the raw log field properties.RequestSize to UDM.
properties.ResponseCode	network.dns.response_code	Maps the raw log field properties.ResponseCode to UDM using a lookup table for mapping DNS response codes.
properties.ResponseFlags	additional.fields.value.string_value	Maps the raw log field properties.ResponseFlags to UDM.
properties.ResponseSize	network.received_bytes	Maps the raw log field properties.ResponseSize to UDM.
properties.Rule	security_result.rule_name	Maps the raw log field properties.Rule to UDM.
properties.RuleCollection	security_result.detection_fields.value	Maps the raw log field properties.RuleCollection to UDM.
properties.RuleCollectionGroup	security_result.detection_fields.value	Maps the raw log field properties.RuleCollectionGroup to UDM.
properties.SourceIp	principal.ip	Maps the raw log field properties.SourceIp to UDM.
properties.SourcePort	principal.port	Maps the raw log field properties.SourcePort to UDM.
properties.msg	security_result.description	Maps the raw log field properties.msg to UDM after extracting other fields from it.
records.category	security_result.rule_type	Maps the raw log field records.category to UDM.
records.operationName	metadata.product_event_type	Maps the raw log field records.operationName to UDM.
records.properties.msg		This field is used for extracting multiple fields using Grok patterns and doesn't have a direct mapping to UDM.
records.resourceId	metadata.product_log_id	Maps the raw log field records.resourceId to UDM.
resourceId	metadata.product_log_id	Maps the raw log field resourceId to UDM.
time	metadata.event_timestamp	Converts the raw log field time to UDM Format.
	metadata.vendor_name	This field is populated by the parser with the value Microsoft Inc. .
	metadata.product_name	This field is populated by the parser with the value Azure Firewall Application Rule .
	metadata.log_type	This field is populated by the parser with the value AZURE_FIREWALL .
	additional.fields.key	This field is populated by the parser with the key for the additional field.
	security_result.detection_fields.key	This field is populated by the parser with the key for the detection field.
	network.application_protocol	This field is populated by the parser with the value DNS for DNS logs.
	metadata.event_type	This field is populated by the parser based on the log message. It can be NETWORK_CONNECTION , GENERIC_EVENT , STATUS_UPDATE , or NETWORK_DNS .

Need more help? Get answers from Community members and Google SecOps professionals.