We need your help in integration/adding of Microsoft azure with McAfee SIEM. Please guide me how to do so.
Please share the Prerequisites or steps..
Always thankful for community members..
There is currently not a Virtual Event Receiver compatible with Microsoft Azure cloud. The only way to get log collection in Azure is to forward the logs to a Event Receiver outside the Azure environment. The method we use is via Agent Collector installed on all hosts within Azure which forward their logs via encrypted channel to Event Receiver in our DMZ.
Thank you for your update. Are you already worked on it,if yes so please share a summarized document which may help to move step by step.
Yes, I am currently collecting Windows logs from multiple servers being hosted in an Azure environment. However, the Event Receiver does not live on the same network. Make sure any traffic that is traversing the internet is encrypted (you can enable encryption at the beginning of the collector installation)
1. Install the Agent Collector following the directions above.
2. You will then need to build and configure your Event Receiver OUTSIDE of the Azure network.
3. Point the collector agent to the Event Receiver IP.
4. Make sure routing and firewall rules are updated and allow the traffic.
Thats it. Should be good to go. Side note: We had issues with the Collector 11 in Azure. The Collector Agent service would fail almost instantly - check your logs for this problem. McAfee Support was able to provide a beta version of the Collector 11 that prevented the issue. I would not be surprised if you ran into the same issue with the Collector Agent currently available for download.
Best of Luck,
We are using a commercial solution to do that from skyformation.com. They have build a cloud services connectors middleware, that collects the events from the cloud services using their APIs, and send to our customers on-premise ESM.
The events they send are in CEF format and sent over syslog.
We have deployed their middleware so far next to our customer's ESM, and it pulls the events from the cloud services and send internally which means we are ok from Firewall/DMZ perspective.
AFAIK they have an Azure connector as well. We have deployed for our customers their office 365, Salesforce and Box connector so far and it works as you would expect.