Azure Log Analytics aggregates and provides search capabilities over data in an Azure deployment. Azure Log Analytics functions as a data store for Azure applications, but can also be queried manually.

Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.

Step 1: Enable console access

  1. Sign in to the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, click Microsoft Entra ID.

  3. Under Manage, select Users.

  4. Select New guest user.

  5. On the New user page, click Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.

  6. Under Roles, add the Global Reader role.

  7. Click Invite to automatically send the invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable Azure application access

  1. As an Azure administrator, log in to the Azure portal.

  2. Navigate to App registrations and click +New registration.

  3. Fill in the application details. You can fill these in however you want, but we recommend this:

    • Name: Expel - Log Analytics API

    • Supported account types: Accounts in this organizational directory only (1st option).

  4. After you fill out the fields, click Register to create the new application.

  5. You should be taken automatically to the settings page for the app you just created. If not, navigate to App registrations > View all applications (if you don't see the new app) and select Expel - Log Analytics API.

  6. Make a note of the Application (client) ID, the Application secret, and the Directory (tenant) ID; you will need them in Step 3.

  7. Open API permissions.

  8. Click Add a permission.

  9. Add the following permission: Log Analytics API > Data.Read.

  10. Navigate to your Log Analytics workspace > Access Control (IAM) > Add.

    Note

    Which Log Analytics workspace you assign the role and user to depends on where your security data lives and what information you want to make available to Expel.

  11. Assign the Log Analytics Reader role to the application and user created in the above steps.

Step 3: Configure Azure Log Analytics in Workbench

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_log_analytics.

  2. Fill in the fields like this:

    • For Name type the host name of the Azure Log Analytics device.

    • For Location type Cloud.

    • For Directory ID, type the Directory (tenant) ID of the Microsoft Entra ID tenant in the cloud instance.

    • For Application ID, type the ID of the application with access to Azure Log Analytics.

    • For Application secret, type the key used to authenticate the application.

    • For Workspace ID, type the ID of the workspace within Azure Log Analytics.
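A smoke test for the service principal and workspace values collected in Steps 2 and 3, added here as an example (not Expel's or Microsoft's code). It assumes the Microsoft Entra v2 client-credentials token endpoint and the Log Analytics REST API v1 query endpoint; the angle-bracket placeholders stand for the IDs and secret noted above, and a successful read-only query confirms that the Data.Read permission and Log Analytics Reader role are in place, while an authorization error points at a missed step.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
SCOPE = "https://api.loganalytics.io/.default"  # covered by the Data.Read permission from Step 2

def token_request_body(client_id, client_secret):
    """Form body for the OAuth2 client-credentials grant (no user sign-in involved)."""
    return urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": SCOPE})

def rows_as_dicts(response_json):
    """Flatten the API's tables -> columns/rows layout into a list of dicts."""
    out = []
    for table in response_json.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        out.extend(dict(zip(names, row)) for row in table["rows"])
    return out

def fetch_token(tenant_id, client_id, client_secret):
    """Exchange the Step 2 application credentials for a bearer token."""
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id),
                                 data=token_request_body(client_id, client_secret).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def run_query(workspace_id, token, kql):
    """POST a KQL query to the workspace and return the result rows."""
    req = urllib.request.Request(QUERY_URL.format(workspace=workspace_id),
                                 data=json.dumps({"query": kql}).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return rows_as_dicts(json.load(resp))

# Constructed sample in the API's response shape, used to check rows_as_dicts offline.
SAMPLE_RESPONSE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "Computer", "type": "string"}, {"name": "count_", "type": "long"}],
    "rows": [["vm-web-01", 412], ["vm-db-01", 87]]}]}

if __name__ == "__main__":
    tok = fetch_token("<TENANT_ID>", "<APPLICATION_ID>", "<APPLICATION_SECRET>")
    # Read-only check: which VMs have sent security audit events in the last day?
    kql = "SecurityEvent | where TimeGenerated > ago(1d) | summarize count() by Computer"
    for row in run_query("<WORKSPACE_ID>", tok, kql):
        print(row)
```

If the query returns no rows, the audit policies described at the top of the page are not yet feeding this workspace, even though the credentials are valid.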

Tip

This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.