Azure Log Analytics aggregates and provides search capabilities over data in an Azure deployment. Azure Log Analytics functions as a data store for Azure applications, but can also be queried manually.
Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.
About console permissions in your devices
As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from 1 device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench.
Without minimum permissions to your devices, the SOC analysts are limited in their insight into your technology. This can mean they surface more benign alerts to your team for further investigation, resulting in increasing the workload for your team, and resulting in alert fatigue.
If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.
Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.
Step 1: Enable console access
-
Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.
-
In the navigation pane, click Microsoft Entra ID.
-
Under Manage, select Users.
-
Select New guest user.
-
On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.
-
Under roles, add the role Global Reader role.
-
Click Invite to automatically send the invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.
Step 2: Enable Azure application access
-
As an Azure administrator, log in to the Azure portal.
-
Navigate to App registrations and click +New registration.
-
Fill in the application details. You can fill these in however you want, but we recommend this:
-
Name: Expel - Log Analytics API
-
Supported account types: Accounts in this organizational directory only (1st option).
-
-
After you fill out the fields, click Register to create the new application.
-
You should be navigated automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to App Registrations > View all applications (if you don’t see the new app) > Expel - Log Analytics API.
-
Make a note of the Application (client) ID, Application secret, and the Directory (tenant) ID for use in later steps.
-
Open API permissions.
-
Click Add a permission.
-
Add the following permission: Log Analytics API > Data.Read.
-
Navigate to Log Analytic Workspace > Access Control (IAM) > Add.
Note
The decision to which Log Analytic Workspace to assign the role and user depends on where your security data lives and what information you want to make available to Expel.
-
Assign the Log Analytics Reader role to the application and user created in the above steps.
Step 3: Configure Azure Log Analytics in Workbench
-
In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_log_analytics.
-
Fill in the fields like this:
-
For Name type the host name of the Azure Log Analytics device.
-
For Location type Cloud.
-
For Directory ID, type the ID of the Microsoft Entra ID (tenant) in the cloud instance.
-
For Application ID, type the ID of the application with access to Azure Log Analytics.
-
For Application secret, type the key used to authenticate the application.
-
For Workspace ID, type the ID of the workspace within Azure Log Analytics.
-