
CrowdStrike LogScale Ingester

CrowdStrike LogScale ingester for Azure AD logs

This repository contains a collection of Azure Functions to process events in Event Hub and ingest the available events into LogScale via the HTTP Event Collector (HEC).


This Function App deployment relies on Azure Active Directory's Diagnostic Settings to stream logs to an Event Hub. From there the deployed Function App forwards the logs to LogScale's HTTP Event Collector (HEC).

The Function App lets you choose which AAD logs (each delivered to its own Event Hub Instance) to ingest into LogScale, as well as auxiliary Event Hub Instances within the same Event Hub Namespace.

Set Up

1. Set up a LogScale repository, parser, and ingest token

Refer to the LogScale documentation for creating a repository, a parser, and an ingest token.

The following script can be copied and pasted for the custom parser:

parseJson(@rawstring)
| split("records", strip=true) // Split the batch into individual events
| drop([@rawstring, _index]) // Clean up

2. Create a Resource Group within Azure

The Resource Group is a container where the following parts are going to reside. We recommend creating a new Resource group to have all the components for this integration bundled up. Please refer to the Microsoft documentation for creating a new Resource Group.

3. Create the Event Hub Namespace and Function App

The Event Hub Namespace will contain one or more Event Hub Instances, which are created automatically in the next step. Please refer to the Microsoft documentation for Event Hub Namespace setup instructions. Once created, add an access policy for the Function App in the "Shared access policies" tab with only the "Listen" claim, and note the "Connection string–primary key"; it is used in the Application Settings after the Function App has been deployed with the functions.

Additionally, an empty Function App needs to be created, as it will house all of the functions for ingesting the Azure AD events into LogScale. The Instance details should be set up as shown in the screenshot below, with the Resource Group, Function App Name, and Region being flexible.
[Screenshot: FunctionAppSettings]

4. Set up Azure Active Directory's Diagnostic Settings to stream the events to the Event Hub Namespace

The setup for the Azure Active Directory's Diagnostic Settings can be found in this resource.

5. Set up Visual Studio Code and deploy the functions into the Function App

1. Install Visual Studio Code and the Azure Functions extension in Visual Studio Code
2. Clone the repository within Visual Studio Code, or download the repository and open it in Visual Studio Code
3. In the Azure extension, initialize the local project within the workspace window (Python 3.9.x)
4. Once the function app is initialized, deploy the functions by clicking the "Deploy .../Deploy to Function App ..." button in the workspace window.
5. Select the Function App created in main step 3.

6. Set the Application Settings for the Function App

Navigate to the Function App within the Azure portal and verify in the "Functions" tab that the functions were deployed correctly.
The Application Settings are required, as they hold the values for the variables used by the functions. Aside from the standard variables, which do not need to be modified, there are 3 Application Settings which need to be added and set to the corresponding values:

  • AzureEventHubConnectionString (from main step 3)
  • LogScale URL (the LogScale HEC URL, "https://your-logscale-url.com/api/v1/ingest/hec/raw")
  • LogScale Ingest token (from main step 1)

The following Application Settings need to be added via the "Advanced Edit" option, before the closing bracket of the configuration, with the last 3 values adjusted to the values mentioned above:
  {
    "name": "AAD_AUDIT_LOG_CONSUMER_GROUP",
    "value": "$Default",
    "slotSetting": false
  },
  {
    "name": "AAD_AUDIT_LOG_HUB_NAME",
    "value": "insights-logs-auditlogs",
    "slotSetting": false
  },
  {
    "name": "AAD_MANAGEDIDENTITY_SIGNIN_LOG_CONSUMER_NAME",
    "value": "insights-logs-noninteractiveusersigninlogs",
    "slotSetting": false
  },
  {
    "name": "AAD_MANAGEDIDENTITY_SIGNIN_LOG_HUB_NAME",
    "value": "insights-logs-noninteractiveusersigninlogs",
    "slotSetting": false
  },
  {
    "name": "AAD_NON_INTERACTIVE_SIGNIN_LOG_CONSUMER_GROUP",
    "value": "$Default",
    "slotSetting": false
  },
  {
    "name": "AAD_NON_INTERACTIVE_SIGNIN_LOG_HUB_NAME",
    "value": "insights-logs-noninteractiveusersigninlogs",
    "slotSetting": false
  },
  {
    "name": "AAD_SERVICE_PRINCIPAL_SIGNIN_LOG_CONSUMER_GROUP",
    "value": "$Default",
    "slotSetting": false
  },
  {
    "name": "AAD_SERVICE_PRINCIPAL_SIGNIN_LOG_HUB_NAME",
    "value": "insights-logs-serviceprincipalsigninlogs",
    "slotSetting": false
  },
  {
    "name": "AAD_SIGNIN_LOG_CONSUMER_GROUP",
    "value": "$Default",
    "slotSetting": false
  },
  {
    "name": "AAD_SIGNIN_LOG_HUB_NAME",
    "value": "insights-logs-signinlogs",
    "slotSetting": false
  },
  {
    "name": "AzureEventHubConnectionString",
    "value": "<Your Event Hub Connection String>",
    "slotSetting": false
  },
  {
    "name": "LogScaleIngestToken",
    "value": "<Your LogScale Ingest Token>",
    "slotSetting": false
  },
  {
    "name": "LogScaleURL",
    "value": "<Your LogScale URL>/api/v1/ingest/hec/raw",
    "slotSetting": false
  }
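To make the two moving parts of this setup concrete, the parser script in main step 1 (split on "records") and the three Application Settings above, here is an added example of a minimal forwarder written for this page. It is not the project's own function code: it models one Event Hub message as delivered by Diagnostic Settings (a JSON object with a "records" array), refuses to run with template values still in the settings, and builds the HEC raw request with the ingest token as a Bearer token. The setting names and the HEC path are taken from the page; the sample message and the helper names are constructed here.

```python
"""Added example (not the project's code): validate the Application Settings,
split an Azure diagnostic batch into records, and build the LogScale HEC request."""
import json
import os
import urllib.request
from typing import Dict, List

# Application Setting names from the README; the other AAD_* settings only
# choose hub names and consumer groups and are not needed to build a request.
REQUIRED_SETTINGS = ("AzureEventHubConnectionString", "LogScaleURL", "LogScaleIngestToken")
HEC_RAW_PATH = "/api/v1/ingest/hec/raw"


def load_settings(env: Dict[str, str]) -> Dict[str, str]:
    """Return the three required settings, failing loudly on a missing value or a
    value still in its "<Your ...>" template form rather than posting with it."""
    bad = [k for k in REQUIRED_SETTINGS if not env.get(k) or env[k].startswith("<")]
    if bad:
        raise ValueError("unset Application Settings: " + ", ".join(bad))
    if not env["LogScaleURL"].endswith(HEC_RAW_PATH):
        raise ValueError("LogScaleURL must end with " + HEC_RAW_PATH)
    return {k: env[k] for k in REQUIRED_SETTINGS}


def split_records(body: str) -> List[dict]:
    """Python counterpart of the parser's split("records"): one Event Hub message
    from Diagnostic Settings is a JSON object whose "records" array holds N events."""
    doc = json.loads(body)
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        raise ValueError('message carries no "records" array')
    return records


def build_hec_request(settings: Dict[str, str], body: str) -> urllib.request.Request:
    """HEC raw takes the payload verbatim; the ingest token goes in the Authorization
    header as a Bearer token, never in the URL, so it does not land in proxy logs."""
    return urllib.request.Request(
        settings["LogScaleURL"],
        data=body.encode("utf-8"),
        headers={
            "Authorization": "Bearer " + settings["LogScaleIngestToken"],
            "Content-Type": "application/json",
        },
        method="POST",
    )


def forward(body: str, settings: Dict[str, str], opener=urllib.request.urlopen) -> int:
    """Post one Event Hub message to HEC and return the number of records it held.
    `opener` is injectable so the function can be exercised without a network."""
    records = split_records(body)  # reject malformed batches before sending
    with opener(build_hec_request(settings, body), timeout=10) as resp:
        if resp.status != 200:
            raise RuntimeError("HEC rejected the batch: HTTP %d" % resp.status)
    return len(records)


# Constructed sample with the shape of an AAD audit-log batch (not real tenant data).
SAMPLE_MESSAGE = json.dumps({"records": [
    {"category": "AuditLogs", "operationName": "Add user", "resultType": "Success"},
    {"category": "AuditLogs", "operationName": "Delete user", "resultType": "Success"},
]})

# Constructed settings for running offline; a deployed function reads os.environ.
SAMPLE_SETTINGS = {
    "AzureEventHubConnectionString": "Endpoint=sb://example.servicebus.windows.net/;SharedAccessKeyName=listen;SharedAccessKey=placeholder",
    "LogScaleURL": "https://logscale.example.com" + HEC_RAW_PATH,
    "LogScaleIngestToken": "placeholder-ingest-token",
}

if __name__ == "__main__":
    env = os.environ if "LogScaleURL" in os.environ else SAMPLE_SETTINGS
    settings = load_settings(env)
    req = build_hec_request(settings, SAMPLE_MESSAGE)
    print("%d records -> POST %s" % (len(split_records(SAMPLE_MESSAGE)), req.full_url))
```

Running the script with the three settings exported in the environment builds (but does not send) the request; `forward()` is what an Event Hub trigger would call per message. The Listen-only access policy from main step 3 is the matching least-privilege choice on the Azure side: the function only ever reads from the hub.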

Notes


  • Multiple events coming from Azure are batched into a single log in LogScale

Future Additions


  • Dashboards are currently not available; they will be published as a LogScale package on the Marketplace once available
  • A more streamlined deployment method is currently in testing, which will replace the VS Code ARM deployment with a single "Deploy to Azure" Button


WE STOP BREACHES
