Does anybody use InsightIDR to monitor Azure?
We have created a Azure Event Hub according to https://docs.rapid7.com/insightidr/microsoft-azure/.
We are getting logs from Azure just fine.
I am wondering if someone else has done this? Looking for some ideas / help with queries.
In this article you can see an Azure dashboard was created. I cannot find any further documentation on how to get something like that done.
Thank you.
are you getting the Azure logs into IDR? If so, are you trying to set up custom alerts?
Here’s an example of a custom alert query I set up for Azure Security Center.
(source_json.properties.riskEventTypes.0 = anonymizedIPAddress OR unfamiliarFeatures OR maliciousIPAddress OR malwareInfectedIPAddress OR suspiciousIPAddress OR leakedCredentials OR investigationsThreatIntelligence) AND result!=FAILED_OTHER
Michael,
Thank you for your reply. Yes, I am getting Azure logs into IDR. And yes, I am trying to set up alerts as well as a dashboard.
So far I have for my Azure Dashboard:
Ingress Auth by Service - groupby(service)
Azure Operations - where(category)groupby(operationName)
Ingress by Country Code - where(geoip_country_code != /US|CA|IN/) groupby(geoip_country_code)
Ingress by location - groupby(location)
My manager wants alerts for:
International + Successful Login
US + Successful Login + IP is a cloud provider
Same IP address Logging into multiple accounts
User logging in using different devices (variance in Operating system, Browser version, etc)
Hi,
Here are some dashboard card examples to help you track Successful
Sing-Ins and Failed Sign-Ins in Azure:
(upload://i2LfBxVRmHiqs3wrBRj5i5XNh2i.png) 
Michael,
Olivier,
Thank you very much to both of you. This is great and helps me and others to learn more about it.
I am (and I am sure others too) are glad to have such a discussion board with great people that help each other for everyone’s benefit.