Monitoring Azure Active Directory Domain Services


Martin Gluckman

May 19, 2023, 9:39:12 AM
to Wazuh mailing list
Dear Friends,

Does anyone have any practical experience monitoring Azure Active Directory Domain Services with Wazuh?

Want to be able to track user logons and gather auditing information.

Please let me know your views and experiences.

Kindest wishes,

Martin

Martin Gluckman

May 19, 2023, 9:47:20 AM
to Wazuh mailing list
Something like this?

1. Enable Auditing in AADDS: Enable security auditing on your Azure Active Directory Domain Services. This would include enabling audit policies for logon events. The policies you would be most interested in are: "Audit account logon events" and "Audit logon events".

2. Set Up Azure Log Analytics: Configure Azure Log Analytics to collect the logs. You can send the logs generated by AADDS to Azure Log Analytics. This provides a centralized location where logs can be stored and analyzed.

3. Configure Azure Function to send logs to Wazuh: Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save costs. You can use an Azure Function to retrieve the logs from Log Analytics and then send them to the Wazuh manager.

4. Configure Wazuh Rules: The Wazuh rules need to be configured to understand and process the logs that are being received from Azure AD. Rules should be set up to alert on events of interest, such as logon events.

Kindly,

Martin

Martin Gluckman

May 21, 2023, 5:19:56 AM
to Wazuh mailing list
Some thoughts:

1. **Enable Auditing in Azure Active Directory Domain Services (AADDS)**: Make sure that you've enabled audit log generation in your Azure AD configuration. The relevant settings are under Azure AD's "Audit logs" or "Sign-ins" tabs in the Azure portal.

2. **Set Up Azure Monitor**: Use Azure Monitor to collect and analyze the log data. Azure Monitor can collect logs from a wide range of sources, including Azure AD.

3. **Configure Azure Event Hubs to Forward Logs**: Azure Event Hubs is a big data streaming platform and event ingestion service that can receive and process millions of events per second. You can use Event Hubs to forward your logs to the Wazuh server. The logs from Azure Monitor can be streamed to an Event Hub, which can then be integrated with Wazuh.

4. **Wazuh Integration with Azure Event Hubs**: On the Wazuh side, you will have to configure the Wazuh manager to receive data from Azure Event Hubs. You will need to modify the `ossec.conf` file (located by default in `/var/ossec/etc/ossec.conf`) to include the Azure configuration block and your specific Azure Event Hub parameters.

5. **Customize Wazuh Rules and Decoders**: Based on the logs you want to analyze and the alerts you want to generate, you may need to customize Wazuh's rules and decoders. Wazuh's decoders are responsible for extracting information from the raw log data, and its rules are responsible for generating alerts based on that information.

Thoughts?
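Step 5 above (custom rules and decoders) is where the logon tracking actually happens once the events reach the manager. The following `local_rules.xml` fragment is an added example, not part of this thread or of the Wazuh ruleset. It assumes the events arrive through the Wazuh `azure-logs` module's Graph integration, which sends each Azure AD record as JSON and adds an `azure_tag` field (value `azure-ad-graph` assumed) plus an `azure_aad_tag` field carrying the `<tag>` set in `ossec.conf` (`azure-active_directory` assumed); `status.errorCode`, `userPrincipalName` and `ipAddress` are the Microsoft Graph `signIns` record fields. Rule ids 100100 and above are the range Wazuh reserves for custom rules.

```xml
<group name="azure,azure-ad,">

  <!-- Base rule: any record fetched from the Azure AD Graph by the azure-logs module.
       azure_tag / azure_aad_tag and their values are assumed (see lead-in). -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="azure_tag">azure-ad-graph</field>
    <field name="azure_aad_tag">azure-active_directory</field>
    <description>Azure AD: event received from the Graph API</description>
  </rule>

  <!-- Failed sign-in: Graph signIns records carry status.errorCode, where 0 is success.
       negate="yes" makes the rule fire for any non-zero code. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="status.errorCode" negate="yes">^0$</field>
    <description>Azure AD: failed sign-in for $(userPrincipalName) from $(ipAddress) (error $(status.errorCode))</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Five failed sign-ins for the same account within two minutes: likely password
       guessing or a misconfigured client; raise the level so it stands out. -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_field>userPrincipalName</same_field>
    <description>Azure AD: multiple failed sign-ins for $(userPrincipalName)</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

After adding the rules, validate them with `/var/ossec/bin/wazuh-logtest` by pasting one of the JSON records the module already delivered (visible in `/var/ossec/logs/archives/archives.json` if archiving is enabled), then restart the manager. If the `azure_tag` value differs in your version, adjust rule 100100 to whatever the real record shows; the two child rules only depend on the Graph fields.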

Guido Iván García

May 22, 2023, 4:35:23 PM
to Wazuh mailing list
Hello Martin, thanks for posting in the community!!

Wazuh can process the logs from the following Azure AD activity reports, each one of them requiring a different query to be executed:

| Report type      | Query                       |
|------------------|-----------------------------|
| Directory audits | auditLogs/directoryaudits   |
| Sign-ins         | auditLogs/signIns           |
| Provisioning     | auditLogs/provisioning      |

To monitor Azure Active Directory effectively, I recommend referring to the official Wazuh documentation on Monitoring Azure Active Directory. This resource will provide you with detailed information and instructions on how to configure and use Wazuh for this purpose: Wazuh - Monitoring Azure Active Directory

The Wazuh "azure-logs" module requires dependencies to work as well as the right credentials to access the logs. Take a look at this link before proceeding:
Wazuh - Monitoring activity and services - Prerequisites

Also, check the azure-logs module reference for more information about how to use the different parameters available.

I hope this helps. Let me know if you have any specific questions or if there is anything else I can do to help.
Regards,
Guido
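To put the three queries from the table above into practice, here is an `ossec.conf` block for the `azure-logs` module's Graph integration. It is an added example, not configuration from this thread or from the Wazuh documentation. The tenant domain and the credentials path are placeholders; the credentials file referenced by `auth_path` is assumed to hold the registered application's id and key as `application_id:application_key` on one line, which is the format the module's prerequisites page describes. Each `<request>` maps to one row of the table, and the shared `<tag>` lets rules group all three sources as Azure AD events.

```xml
<ossec_config>
  <wodle name="azure-logs">
    <disabled>no</disabled>
    <!-- Pull once when the manager starts, then every hour -->
    <run_on_start>yes</run_on_start>
    <interval>1h</interval>

    <graph>
      <!-- Placeholder path: file containing "application_id:application_key".
           Keep it mode 0640, owned by root:wazuh, so only the module can read it. -->
      <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
      <!-- Placeholder tenant: replace with your own *.onmicrosoft.com domain -->
      <tenantdomain>EXAMPLE-TENANT.onmicrosoft.com</tenantdomain>

      <!-- Sign-ins: interactive and non-interactive logons, success and failure -->
      <request>
        <query>auditLogs/signIns</query>
        <time_offset>1d</time_offset>
        <tag>azure-active_directory</tag>
      </request>

      <!-- Directory audits: user/group/role changes made in the directory -->
      <request>
        <query>auditLogs/directoryaudits</query>
        <time_offset>1d</time_offset>
        <tag>azure-active_directory</tag>
      </request>

      <!-- Provisioning: identities synchronised to or from connected applications -->
      <request>
        <query>auditLogs/provisioning</query>
        <time_offset>1d</time_offset>
        <tag>azure-active_directory</tag>
      </request>
    </graph>
  </wodle>
</ossec_config>
```

`time_offset` bounds how far back the first run fetches (here one day); later runs continue from the last record the module stored, so set it to cover the gap you can afford to miss, not the full retention period. The registered application needs the Graph `AuditLog.Read.All` and `Directory.Read.All` application permissions for these three endpoints; keep the key out of `ossec.conf` itself by using `auth_path` rather than inline `application_key`.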