Does anybody use InsightIDR to monitor Azure?
We have created an Azure Event Hub according to https://docs.rapid7.com/insightidr/microsoft-azure/.
We are getting logs from Azure just fine.
I am wondering if someone else has done this? Looking for some ideas / help with queries.
In this article you can see an Azure dashboard was created. I cannot find any further documentation on how to get something like that done.
Are you getting the Azure logs into IDR? If so, are you trying to set up custom alerts?
Here’s an example of a custom alert query I set up for Azure Security Center.
(source_json.properties.riskEventTypes.0 = anonymizedIPAddress OR unfamiliarFeatures OR maliciousIPAddress OR malwareInfectedIPAddress OR suspiciousIPAddress OR leakedCredentials OR investigationsThreatIntelligence) AND result!=FAILED_OTHER
Thank you for your reply. Yes, I am getting Azure logs into IDR. And yes, I am trying to set up alerts as well as a dashboard.
So far I have for my Azure Dashboard:
Ingress Auth by Service - groupby(service)
Azure Operations - where(category) groupby(operationName)
Ingress by Country Code - where(geoip_country_code != /US|CA|IN/) groupby(geoip_country_code)
Ingress by location - groupby(location)
My manager wants alerts for:
International + Successful Login
US + Successful Login + IP is a cloud provider
Same IP address Logging into multiple accounts
User logging in using different devices (variance in Operating system, Browser version, etc)
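As an added example (not code from this thread, and not anything shipped by Rapid7 or Azure), the four alert conditions above can be prototyped as plain detection logic over sign-in events before being turned into IDR queries. The events below are constructed; the field names follow the Azure AD sign-in log layout seen through source_json.properties (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, deviceDetail) but are assumptions here, the cloud-provider range is a placeholder, and the "home" countries are the US/CA/IN set from the dashboard query earlier in the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events shaped like Azure AD sign-in records as delivered
# through Event Hub. Field names are assumptions based on the sign-in schema.
SAMPLE_EVENTS = [
    {"properties": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
                    "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
                    "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 110"}}},
    {"properties": {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
                    "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
                    "deviceDetail": {"operatingSystem": "Linux", "browser": "Firefox 109"}}},
    {"properties": {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
                    "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
                    "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Chrome 110"}}},
    {"properties": {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.25",
                    "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
                    "deviceDetail": {"operatingSystem": "macOS", "browser": "Safari 16"}}},
    {"properties": {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.99",
                    "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 50126},
                    "deviceDetail": {"operatingSystem": "Android", "browser": "Chrome 110"}}},
    {"properties": {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.25",
                    "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
                    "deviceDetail": {"operatingSystem": "macOS", "browser": "Safari 16"}}},
]

# Placeholder range standing in for a cloud provider's published address list.
CLOUD_PROVIDER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# "Home" countries, taken from the dashboard filter geoip_country_code != /US|CA|IN/.
HOME_COUNTRIES = {"US", "CA", "IN"}


def normalize(event):
    """Flatten one raw sign-in record into the handful of fields the rules need."""
    p = event["properties"]
    dev = p.get("deviceDetail", {})
    return {
        "user": p["userPrincipalName"],
        "ip": p["ipAddress"],
        "country": p.get("location", {}).get("countryOrRegion", ""),
        "success": p.get("status", {}).get("errorCode") == 0,  # 0 means success
        "device": (dev.get("operatingSystem", ""), dev.get("browser", "")),
    }


def is_cloud_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PROVIDER_RANGES)


def international_success(events):
    """Rule 1: successful sign-in from outside the home countries."""
    return [e for e in events if e["success"] and e["country"] not in HOME_COUNTRIES]


def domestic_cloud_success(events):
    """Rule 2: successful sign-in from a home country but from a cloud-provider IP."""
    return [e for e in events if e["success"] and e["country"] in HOME_COUNTRIES
            and is_cloud_ip(e["ip"])]


def shared_ip_accounts(events, min_accounts=2):
    """Rule 3: one source IP successfully signing in to several distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["success"]:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def device_variance(events):
    """Rule 4: one user signing in from more than one (OS, browser) combination."""
    devices_by_user = defaultdict(set)
    for e in events:
        if e["success"]:
            devices_by_user[e["user"]].add(e["device"])
    return {u: d for u, d in devices_by_user.items() if len(d) >= 2}


def run_alerts(raw_events):
    """Apply all four rules and return the hits per rule."""
    events = [normalize(e) for e in raw_events]
    return {
        "international_success": [(e["user"], e["country"]) for e in international_success(events)],
        "domestic_cloud_success": [(e["user"], e["ip"]) for e in domestic_cloud_success(events)],
        "shared_ip_accounts": shared_ip_accounts(events),
        "device_variance": device_variance(events),
    }


if __name__ == "__main__":
    for rule, hits in run_alerts(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The failed sign-in from dave is deliberately excluded by every rule, since each condition in the thread is about successful logins; rules 3 and 4 need a time window in production, which this batch-style version leaves out.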
Thank you very much to both of you. This is great and helps me and others to learn more about it.
I am (and I am sure others are too) glad to have such a discussion board with great people who help each other for everyone’s benefit.
Also take a look at the Dashboard Library's pre-built dashboards for ease of creation:
Simply click on the Dashboards and Reports tab in IDR on the left side, and then click the Dashboard Library located on the far right of the Dashboards and Reports screen.