Azure Log Analytics aggregates and provides search capabilities over data in an Azure deployment. Azure Log Analytics functions as a data store for Azure applications, but can also be queried manually.
Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.
About console permissions in your devices
If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. For more information, see Why Expel Asks for Console Access.
Step 1: Enable Console and Cross-Tenant Access for Expel
Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.
Enable Console Access for a New Account
Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.
- Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
- Navigate to Entra ID > Users > All Users.
- Select User > Invite external user.
- On the Basics tab, include the following:
- Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io. You can find your Organization GUID in the Organizations tab of Workbench.
- Display Name - enter "Expel SOC".
- On the Assignments tab, configure the following:
- Select Add role.
- Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
- Select Review + invite and then Invite.
The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.
Enable Cross-Tenant Access
In this step you will add Expel as an external organization and configure inbound trust.
- Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
- Select the Organizational settings tab.
- Select Add organization.
- On the Add organization pane, enter Expel's tenant ID: 1cde81fd-b430-4035-b24d-709921922876
- Select Expel from the search results, and then select Add.
- In the Organizational settings list, locate the Expel row and select Inbound access.
- On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
- Select Customize settings.
- Enable Trust multifactor authentication from Microsoft Entra tenants.
- Enable Trust compliant devices.
- Enable Trust Microsoft Entra hybrid joined devices.
- Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
- Select Save.
Step 2: Enable Azure application access
- As an Azure administrator, log in to the Azure portal.
- Navigate to App registrations and click +New registration.
- Fill in the application details. You can fill these in however you want, but we recommend this:
- Name: Expel - Log Analytics API
- Supported account types: Accounts in this organizational directory only (1st option).
- After you fill out the fields, click Register to create the new application.
- You should be navigated automatically to the settings page for the app you just created. If not, navigate to App Registrations > View all applications (if you don't see the new app) > Expel - Log Analytics API.
- Make a note of the Application (client) ID, Application secret, and the Directory (tenant) ID for use in later steps.
- Open API permissions.
- Click Add a permission.
- Add the following permission: Log Analytics API > Data.Read.
- Navigate to Log Analytics Workspace > Access Control (IAM) > Add.
Note
Which Log Analytics Workspace you assign the role and user in depends on where your security data lives and what information you want to make available to Expel.
- Assign the Log Analytics Reader role to the application and user created in the above steps.
Step 3: Configure Azure Log Analytics in Workbench
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_log_analytics.
- Fill in the fields like this:
- For Name, type the host name of the Azure Log Analytics device.
- For Location, type Cloud.
- For Directory ID, type the Microsoft Entra ID (tenant) ID of the cloud instance.
- For Application ID, type the ID of the application with access to Azure Log Analytics.
- For Application secret, type the key used to authenticate the application.
- For Workspace ID, type the ID of the workspace within Azure Log Analytics.
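Before entering the four values above in Workbench, it is worth confirming that the Step 2 app registration can actually obtain a token for the Log Analytics API and read from the workspace, since a missing Data.Read permission or Log Analytics Reader assignment otherwise only surfaces as a failed integration. The script below is an added example, not Expel's or Microsoft's code; it assumes the placeholder strings are replaced with the Directory (tenant) ID, Application (client) ID, application secret and Workspace ID noted earlier, and uses only the Python standard library.

```python
"""Smoke-test the Log Analytics app credentials before entering them in Workbench."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
# The Data.Read permission added in Step 2 is requested through this resource scope.
SCOPE = "https://api.loganalytics.io/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials token request for the app registered in Step 2."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def build_query_request(workspace_id: str, kql: str):
    """Query request body; 'print 1' needs no table, so it only tests the role grant."""
    return QUERY_URL.format(workspace=workspace_id), json.dumps({"query": kql}).encode()


def verify_access(tenant_id, client_id, client_secret, workspace_id, kql="print 1"):
    """Return the column names the workspace answered with; raises HTTPError on 401/403."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    url, body = build_query_request(workspace_id, kql)
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        tables = json.load(resp)["tables"]
    return [col["name"] for col in tables[0]["columns"]]


if __name__ == "__main__":
    # Placeholders (assumed): replace with the values recorded in Steps 2 and 3.
    print(verify_access("<Directory ID>", "<Application ID>",
                        "<Application secret>", "<Workspace ID>"))
```

A 401 from the token endpoint points at the Directory ID, Application ID or secret; a 403 from the query endpoint means the token was issued but the Log Analytics Reader assignment on that workspace is missing.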