Guy Williams

Azure Monitor & RSA NetWitness Integration

Blog Post created by Guy Williams Employee on Mar 19, 2019

Customers that use Azure cloud infrastructure require the ability to enable their Security Operations Center (SOC) to monitor infrastructure changes, service health events, resource health, autoscale events, security alerts, diagnostic logs, Azure Active Directory Sign-In and Audit logs, etc. The RSA Netwitness Platform is an evolved SIEM that natively supports many 3rd party sources like Azure Active Directory Logs, Azure NSG Flow Logs, and now Azure Monitor Activity and Diagnostic Logs for depth of visibility and insights to enable SOC analysts and threat hunters.


Azure Monitor Activity and Diagnostic Logs background:


The Azure Activity Log is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. Using the Activity Log, you can determine the ‘what, who, and when’ for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. The Activity Log does not include read (GET) operations or operations for resources that use the Classic/"RDFE" model.


Azure Monitor diagnostic logs are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. Azure Monitor makes available two types of diagnostic logs:

  • Tenant logs - These logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory logs.
  • Resource logs - These logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.


Azure Monitor Activity Logs:


Azure Monitor Diagnostic Logs:


Azure Monitor Active Directory Logs:


Azure Monitor Activity, Diagnostic and Azure Active Directory Logs can be exported to an Event Hub. The RSA NetWitness Platform’s Azure Monitor plugin collects the logs from this Event Hub.




                                                                                                   *In Log Collection, Remote Collectors send

                                                                                                    Events to the Local Collector and the Local

                                                                                                    Collector sends events to the Log Decoder


Configuration Guide: Azure Monitor Event Source Configuration Guide

Collector Package on RSA Live: "MS Azure Monitor Log Collector Configuration"

Parser on RSA Live: CEF