1. Expel Support Center
  2. Connect your technology
  3. SIEM integrations

Azure Log Analytics setup for Workbench

  • Updated

Azure Log Analytics aggregates and provides search capabilities over data in an Azure deployment. Azure Log Analytics functions as a data store for Azure applications, but can also be queried manually.

Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.

In this article

About connecting your device

Connecting your device to Workbench allows Workbench to ingest the data. Azure Log Analytics data include a great deal of information that can take hours to manually review.

About console permissions in your devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from 1 device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench.

Without minimum permissions to your devices, the SOC analysts are limited in their insight into your technology. This can mean they surface more benign alerts to your team for further investigation, resulting in increasing the workload for your team, and resulting in alert fatigue.

If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.

Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.

Step 1: Enable console access

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

  1. Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, click Azure Active Directory.

  3. Under Manage, select Users.

  4. Select New guest user.

  5. On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.

  6. Under roles, add the role Global Reader role.

  7. Click Invite to automatically send the invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable Azure application access

  1. As an Azure administrator, log in to the Azure portal.

  2. Navigate to Azure Active Directory > App registrations and click +New registration.

  3. Fill in the application details. You can fill these in however you want, but we recommend this:

    • Name: Expel - Log Analytics API

    • Supported account types: Accounts in this organizational directory only (1st option).

  4. After you fill out the fields, click Register to create the new application.

  5. You should be navigated automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to Azure Active Directory > App Registrations > View all applications (if you don’t see the new app) Expel - Log Analytics API.

  6. Make a note of the Application (client) ID, Application secret, and the Directory (tenant) ID for use in later steps.

  7. Open API permissions. Click + Add a permission.

  8. Head over to Log Analytic Workspace > Access Control (IAM) > + Add and assign the Log Analytics Reader role to the application and user created in above steps.

Step 3: Configure Azure Log Analytics in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_log_analytics.

  2. Fill in the fields like this:

    Screen Shot 2021-03-05 at 8.00.07 AM.png

    • For Name type the host name of the Azure Log Analytics device.

    • For Location type Cloud.

    • For Directory ID, type the ID of the AzureActive Directory (tenant) in the cloud instance.

    • For Application ID, type the ID of the application with access to Azure Log Analytics.

    • For Application secret, type the key used to authenticate the application.

    • For Workspace ID, type the ID of the workspace within Azure Log Analytics.

  3. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles