davidp64
Level 10

How to add Microsoft Azure as data source..

Hello Team,

We need your help in integrating/adding Microsoft Azure with McAfee SIEM. Please guide me on how to do so.


Please share the prerequisites or steps.


Always thankful for community members..


......David

0 Kudos
6 Replies
davidp64
Level 10

Re: How to add Microsoft Azure as data source..

Dear Team,

We need your help. Kindly update.

0 Kudos
btkarp
Level 9

Re: How to add Microsoft Azure as data source..

There is currently no Virtual Event Receiver compatible with the Microsoft Azure cloud. The only way to get log collection in Azure is to forward the logs to an Event Receiver outside the Azure environment. The method we use is an Agent Collector installed on all hosts within Azure, which forward their logs via an encrypted channel to an Event Receiver in our DMZ.

0 Kudos
davidp64
Level 10

Re: How to add Microsoft Azure as data source..

Hi Btkarp,

Thank you for your update. Have you already worked on it? If yes, please share a summarized document which may help to move step by step.

...David

0 Kudos
btkarp
Level 9

Re: How to add Microsoft Azure as data source..

Yes, I am currently collecting Windows logs from multiple servers hosted in an Azure environment. However, the Event Receiver does not live on the same network. Make sure any traffic that traverses the internet is encrypted (you can enable encryption at the beginning of the collector installation).

McAfee KnowledgeBase - How to install SIEM Collector for WMI event collection

1. Install the Agent Collector following the directions above.

2. You will then need to build and configure your Event Receiver OUTSIDE of the Azure network.

3. Point the collector agent to the Event Receiver IP.

4. Make sure routing and firewall rules are updated and allow the traffic.

That's it. Should be good to go. Side note: we had issues with Collector 11 in Azure. The Collector Agent service would fail almost instantly; check your logs for this problem. McAfee Support was able to provide a beta version of Collector 11 that prevented the issue. I would not be surprised if you ran into the same issue with the Collector Agent currently available for download.

Best of Luck,

Ben

0 Kudos
yagoal
Level 7

Re: How to add Microsoft Azure as data source..

We are using a commercial solution to do that from skyformation.com. They have built a cloud service connector middleware that collects the events from the cloud services using their APIs and sends them to our customers' on-premise ESM.

The events they send are in CEF format and sent over syslog.

We have deployed their middleware so far next to our customer's ESM, and it pulls the events from the cloud services and sends them internally, which means we are OK from a firewall/DMZ perspective.

AFAIK they have an Azure connector as well. We have deployed their Office 365, Salesforce and Box connectors for our customers so far, and they work as you would expect.

0 Kudos
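The posts above describe two delivery paths into the ESM: a collector agent forwarding over an encrypted channel to an Event Receiver outside Azure, and a middleware that emits events in CEF format over syslog. The following is an added example, not code from McAfee, SkyFormation or any poster in this thread, showing what a well-formed CEF record looks like, how to escape and parse it correctly (pipes in the header, equals signs in extension values), and how to wrap it in an RFC 5424 syslog message with RFC 6587 octet counting for delivery over TLS. The receiver host name and port (`esm.example.internal`, 6514) are placeholders you would replace with your own receiver.

```python
"""CEF-over-syslog helpers: build, parse and frame events for a SIEM receiver.

Added example; not part of the forum thread or any vendor's software.
"""
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed placeholders: substitute the address of your own Event Receiver/ESM.
RECEIVER_HOST = "esm.example.internal"
RECEIVER_PORT = 6514  # syslog over TLS (RFC 5425) registered port


def _esc_header(value):
    """Escape a CEF header field: backslash first, then the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """Escape a CEF extension value: backslash, '=', and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, sig_id, name, severity, extension):
    """Return a CEF:0 line; `extension` is a dict of key -> value (insertion order kept)."""
    header = "|".join(_esc_header(f) for f in
                      (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


_PIPE = re.compile(r"(?<!\\)\|")                   # a pipe not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")  # "key=" at start or after a space
_UNESC = {"n": "\n", "r": "\r"}                     # \n and \r decode to line breaks


def _unescape(text):
    """Undo CEF escaping in a single pass so '\\\\' followed by 'n' is not misread as '\\n'."""
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), text)


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces and escaped '='."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse a CEF:0 line into a dict; raises ValueError on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line, maxsplit=7)  # 7 delimiters; extension may hold raw pipes
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ("cef_version", "vendor", "product", "version", "sig_id", "name", "severity")
    rec = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["extension"] = parse_extension(parts[7])
    return rec


def syslog_frame(cef_line, hostname, app_name="cef-forwarder",
                 facility=1, severity=5, when=None):
    """Wrap a CEF line in an RFC 5424 message with RFC 6587 octet-counting framing."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + severity  # facility 1 (user), severity 5 (notice) -> <13>
    ts = when.isoformat(timespec="milliseconds")
    msg = f"<{pri}>1 {ts} {hostname} {app_name} - - - {cef_line}"
    return f"{len(msg.encode())} {msg}"


def send_over_tls(frames, host=RECEIVER_HOST, port=RECEIVER_PORT, cafile=None):
    """Deliver framed messages over TLS, verifying the receiver's certificate chain."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for frame in frames:
                tls.sendall(frame.encode())


if __name__ == "__main__":
    # Constructed sample event; prints the framed record instead of sending it.
    ev = build_cef("ExampleVendor", "Example Product", "1.0", "100", "Login|failed", 5,
                   {"src": "10.0.0.5", "suser": "alice", "msg": "reason=bad password"})
    print(syslog_frame(ev, hostname="azure-vm01"))
```

The round trip through `parse_cef` is the check worth keeping on the receiving side: a field that survives build-then-parse unchanged is one the ESM parser will attribute to the right key, whereas an unescaped `=` or `|` silently shifts every later field.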
avatorus
Level 7

Re: How to add Microsoft Azure as data source..

Hi,

You can try reading this article - Integrate logs from Azure resources into your SIEM systems | Microsoft Docs

It's a universal solution from Microsoft.

Best regards.

0 Kudos