Monitor Azure

andy_groll · February 11, 2021, 7:38pm

Does anybody use InsightIDR to monitor Azure?
We have created a Azure Event Hub according to https://docs.rapid7.com/insightidr/microsoft-azure/.
We are getting logs from Azure just fine.
I am wondering if someone else has done this? Looking for some ideas / help with queries.

In this article you can see an Azure dashboard was created. I cannot find any further documentation on how to get something like that done.

Thank you.

michael_planer · February 16, 2021, 7:33pm

are you getting the Azure logs into IDR? If so, are you trying to set up custom alerts?

Here’s an example of a custom alert query I set up for Azure Security Center.

(source_json.properties.riskEventTypes.0 = anonymizedIPAddress OR unfamiliarFeatures OR maliciousIPAddress OR malwareInfectedIPAddress OR suspiciousIPAddress OR leakedCredentials OR investigationsThreatIntelligence) AND result!=FAILED_OTHER

andy_groll · February 16, 2021, 8:59pm

Michael,

Thank you for your reply. Yes, I am getting Azure logs into IDR. And yes, I am trying to set up alerts as well as a dashboard.

So far I have for my Azure Dashboard:
Ingress Auth by Service - groupby(service)
Azure Operations - where(category)groupby(operationName)
Ingress by Country Code - where(geoip_country_code != /US|CA|IN/) groupby(geoip_country_code)
Ingress by location - groupby(location)

My manager wants alerts for:
International + Successful Login
US + Successful Login + IP is a cloud provider
Same IP address Logging into multiple accounts
User logging in using different devices (variance in Operating system, Browser version, etc)

olivier_pinchard · February 16, 2021, 9:13pm

Hi,

Here are some dashboard card examples to help you track Successful
Sing-Ins and Failed Sign-Ins in Azure:

(upload://i2LfBxVRmHiqs3wrBRj5i5XNh2i.png) Successful Sign-ins Successful Sign-ins2 Failed Sign-ins1 Failed Sign-ins2 Failed Sign-ins3
Failed Sign-ins4 Failed Sign-ins5 Failed Sign-ins6 Failed Sign-ins7 Failed Sign-ins8 Failed Sign-ins9 Failed Sign-ins10 Failed Sign-ins11

andy_groll · February 17, 2021, 1:10pm

Michael,
Olivier,

Thank you very much to both of you. This is great and helps me and others to learn more about it.
I am (and I am sure others too) are glad to have such a discussion board with great people that help each other for everyone’s benefit.

SDavis · February 7, 2022, 2:24pm

@andy_groll,

Also take a look at the dashboard library pre-built dashboards for ease of creation:

Simply click on the Dashboards and Reports tab in IDR on the left side, and then click the Dashboard Library located on the far right of the Dashboards and Reports screen.

SDavis · February 8, 2022, 1:57pm

No worries, glad to be able to help!