Azure Security Center log integration

hi,

has anyone been able to make a successful integration with Azure Security Center:
https://docs.microsoft.com/en-us/azure/security-center/security-center-integrating-alerts-with-log-integration

It uses JSON as a log format, I tried with nxlog json parsing, but had problems.

I’m about to set this up too. From the looks of it you’re meant to set up a
Windows server ($$), install some agent on it and that will download the
JSON Azure logs into a directory structure? Then you’re trying to use NXLOG
to parse those files and upload the data to graylog?

That sounds exactly what I am planning to do - did you get anywhere? Are
you saying the JSON format wasn’t supported by NXLOG?

hi,

Yes, it works that way. I got JSON files on the log integration server, read with NXLog and at first it seemed to work, but then I started to get just segments of events, not full events. Writing to the JSON files and reading with NXlog did not work properly. I was just wondering, if someone has figured out the correct way to do it.

but then I started to get just segments of events, not full events.

Are you feeding that into graylog over TCP or UDP? I could imagine UDP
would be a bad option and would match your symptoms

I use TCP with SSL, as with other log sources. The problem is somewhere else.

Our Ops team just installed the Azure audit agent and handed off to my
team. I think I am now where you are and have the same problem

I think the issue is due to Azure JSON data being multi-array? i.e.
{ "field": { "subfield1": "value", "subfield2": "value2" } }

That isn't supported by graylog, so I guess it's been dropped? I can't see
any errors in graylog-server.log - shouldn't such a drop be reported
somewhere?

I think we have stumbled on the same thing. I tried importing with nxlog,
but it seems nxlog is not supporting it either, or else I just configured
it the wrong way.

I wanted this working, and even though it’s a little crude, I did it with PowerShell.

Basically I snag all the AzureAD files, parse them, and load them via GELF.

#gather the Azure AD JSON files the agent drops into the folder
$docs = Get-ChildItem C:\users\azlog\AzureActiveDirectoryJson -File

#declare an array to hold results
$results = @()

foreach ($d in $docs) {
   #read the whole file at once and parse it; the events sit under "Records"
   $content = Get-Content -Raw -Path "C:\users\azlog\AzureActiveDirectoryJson\$($d.Name)" | ConvertFrom-Json
   $records = $content.Records
   foreach ($r in $records) {
      #build a flat GELF message; additional fields must start with "_"
      $obj = New-Object PSObject
      $obj | Add-Member NoteProperty version "1.1"
      $obj | Add-Member NoteProperty host "Azure.azlog"
      $obj | Add-Member NoteProperty _azureid $r.id
      $obj | Add-Member NoteProperty _tenantId $r.tenantId
      $obj | Add-Member NoteProperty _activity $r.activity
      $obj | Add-Member NoteProperty short_message $r.activity
      $obj | Add-Member NoteProperty _azureEventDate $r.activityDate
      $obj | Add-Member NoteProperty _activityType $r.activityType
      $obj | Add-Member NoteProperty _activityOperationType $r.activityOperationType
      if ($r.actor.UserPrincipalName) { $obj | Add-Member NoteProperty _actor $r.actor.UserPrincipalName }
      #flatten the targets array into _target0, _target1, ... (-lt: count is one past the last index)
      for ($i=0; $i -lt $r.targets.count; $i++) {
         if ($r.targets[$i].Name) {
            $obj | Add-Member NoteProperty "_target$($i)" $r.targets[$i].Name
         } ElseIf ($r.targets[$i].userPrincipalName) {
            $obj | Add-Member NoteProperty "_target$($i)" $r.targets[$i].userPrincipalName
         }
      }
      #post message to gelf
      Invoke-RestMethod -Method Post -Uri https://mygelfserver.mydomain.com:12201/gelf -Body (ConvertTo-Json $obj)
   }
   #archive the file once all of its records have been sent
   Move-Item "C:\users\azlog\AzureActiveDirectoryJson\$($d.Name)" "C:\users\azlog\AzureActiveDirectoryJson\Archive\"
}

I have integrated other json Azure Metrics with:

https://pablodav.github.io/post/graylog/logstash_input/

Probably same could be used for Security Center Log integration.

Kind regards,
Pablo.
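Extending the approach in the PowerShell post above, here is an added example (not code from this thread or from the Graylog project) that flattens every nested object and array in a record into underscore-prefixed GELF fields instead of picking fields by hand, so the nested JSON the thread says Graylog drops still arrives as flat fields. The GELF URL, the host name and the sample record are assumptions made for the example.

```powershell
# Added example (not code from this thread): flatten a nested Azure log record,
# objects and arrays included, into underscore-prefixed GELF additional fields
# so nothing is silently dropped, then post it to a GELF HTTP input.
# The GELF URL and the sample record are constructed for illustration.
function ConvertTo-FlatGelfFields {
    param($Value, [string]$Prefix = '', [hashtable]$Fields = @{})
    if ($null -eq $Value) { return $Fields }
    if ($Value -is [System.Collections.IList]) {
        # arrays become _name_0, _name_1, ... (e.g. _targets_0_Name)
        for ($i = 0; $i -lt $Value.Count; $i++) {
            ConvertTo-FlatGelfFields -Value $Value[$i] -Prefix "${Prefix}_$i" -Fields $Fields | Out-Null
        }
    } elseif ($Value.PSObject.BaseObject -is [System.Management.Automation.PSCustomObject]) {
        # nested objects become _parent_child; GELF field names allow only [\w.-]
        foreach ($p in $Value.PSObject.Properties) {
            $name = $p.Name -replace '[^\w\.\-]', '_'
            ConvertTo-FlatGelfFields -Value $p.Value -Prefix "${Prefix}_$name" -Fields $Fields | Out-Null
        }
    } else {
        $Fields[$Prefix] = $Value   # scalar leaf value
    }
    return $Fields
}

function ConvertTo-GelfMessage {
    param([Parameter(Mandatory)]$Record, [string]$GelfHost = 'Azure.azlog')
    $flat = ConvertTo-FlatGelfFields -Value $Record
    # "_id" is reserved by GELF, so keep Azure's record id under another name
    if ($flat.ContainsKey('_id')) { $flat['_azureid'] = $flat['_id']; $flat.Remove('_id') }
    $msg = [ordered]@{ version = '1.1'; host = $GelfHost }
    $msg['short_message'] = $(if ($Record.activity) { $Record.activity } else { 'Azure log record' })
    foreach ($k in $flat.Keys) { $msg[$k] = $flat[$k] }
    return (ConvertTo-Json -InputObject $msg -Compress)
}

# Constructed sample shaped like an Azure AD audit export (not real data)
$sampleJson = @'
{ "Records": [ { "id": "00000000-0000-0000-0000-000000000001", "activity": "Add user",
    "activityDate": "2017-01-01T00:00:00Z",
    "actor":   { "UserPrincipalName": "admin@example.com", "type": "User" },
    "targets": [ { "Name": "jdoe", "userPrincipalName": "jdoe@example.com" } ] } ] }
'@
$gelfUri = 'https://gelf.example.com:12201/gelf'   # assumed GELF HTTP input
foreach ($r in (ConvertFrom-Json $sampleJson).Records) {
    $body = ConvertTo-GelfMessage -Record $r
    Invoke-RestMethod -Method Post -Uri $gelfUri -ContentType 'application/json' -Body $body
}
```

For the sample record this produces fields such as _actor_UserPrincipalName and _targets_0_Name alongside _azureid, so a nested "actor" or a second target is searchable in Graylog rather than lost.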