Microsoft Azure

The P-Microsoft Azure package offers an easy way to monitor entities in an Azure Active Directory cloud environment. It also provides the flexibility to be integrated with other Activate base packages.

Authors and Attributions
Esteban Herrera

Main Use Cases

  • Azure User Account Logon
  • Azure User Account Logon Failure
  • Azure User Account At Risk - Password Changed Required
  • Azure User Account Created
  • Azure User Account Deleted
  • Azure User Account Disabled
  • Azure User Account Locked
  • Azure User Account Unlocked
  • Azure User Account Modified
  • Azure User Account Password Reset

Download Instructions

The latest package can be downloaded from the ArcSight Marketplace, or internally from the Tofu iRock page.

Device Configuration

Cookbook configuration instructions for product packages
  • Ensure that Activate Base Package 2.5.2.0 or higher has been installed.
  • Ensure that the Azure Cloud Connector has been configured properly (see the Connector Guide).
  • Ensure that the ESM is set up to sort packages by their IDs:
    • Open the ESM server.properties file (<ARCSIGHT_HOME>/manager/config).
    • Add the following line: export.archive.reference.sort.order=id
  • For ESM in Compact Mode, restart the ESM Manager. For ESM in Distributed Mode, restart the ESM Manager, Aggregator(s), and Correlator(s).
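
One way to apply the server.properties step above so that re-running it never duplicates the line (an added example, not part of the package or its install scripts; the function name ensure_sort_order and the backup file naming are assumptions). The restart described above is still required afterwards.

```shell
#!/bin/sh
# Added example: idempotently set the property named on this page in the
# ESM server.properties file, keeping a timestamped backup of the original.
# Usage: ensure_sort_order <path-to-server.properties>
# Prints "unchanged", "updated" or "added"; returns non-zero on error.

PROP_KEY='export.archive.reference.sort.order'
PROP_VAL='id'
KEY_RE='export\.archive\.reference\.sort\.order'   # key with dots escaped

ensure_sort_order() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }

    # Already set to the required value: leave the file alone.
    if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*${PROP_VAL}[[:space:]]*\$" "$file"; then
        echo unchanged
        return 0
    fi

    # Back up before any modification (hypothetical naming scheme).
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1

    if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$file"; then
        # Key exists with another value: rewrite it. Writing back with cat
        # keeps the original file's owner and permissions.
        tmp="$file.tmp.$$"
        if sed "s/^[[:space:]]*${KEY_RE}[[:space:]]*=.*\$/${PROP_KEY}=${PROP_VAL}/" "$file" > "$tmp" \
            && cat "$tmp" > "$file"; then
            rm -f "$tmp"
            echo updated
            return 0
        fi
        rm -f "$tmp"
        return 1
    fi

    # Key absent (commented-out lines do not count): append it, adding a
    # newline first if the last line is unterminated.
    if [ -s "$file" ] && [ $(tail -c 1 "$file" | wc -l) -eq 0 ]; then
        printf '\n' >> "$file"
    fi
    printf '%s=%s\n' "$PROP_KEY" "$PROP_VAL" >> "$file" || return 1
    echo added
}

# Run directly: sh ensure_sort_order.sh <ARCSIGHT_HOME>/manager/config/server.properties
if [ $# -gt 0 ]; then ensure_sort_order "$1"; fi
```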

Package Installation Procedure

   
1. Download and extract the P-MicrosoftAzure_1.0.0.0.zip file.
2. Open a command prompt and navigate to <ARCSIGHT_HOME>.
3. Copy the PMicrosoftAzureInstallAndUpdate _1.0.0.0.bat OR PMicrosoftAzureInstallAndUpdate _1.0.0.0.sh file, as well as the P-MicrosoftAzure_1.0.0.0.arb file, to the current directory on the path where the ArcSight Console is installed, i.e. C:\arcsight\console\current

   For Windows, just run: PMicrosoftAzureInstallAndUpdate _1.0.0.0.bat
   For Linux, use: sh PMicrosoftAzureInstallAndUpdate _1.0.0.0.sh

4. You will be prompted to enter the manager hostname, port, username and password. On Windows, the password is displayed in clear text, so please be aware of your environment.


5. After the update, your packages in ArcSight ESM will look like the screenshot to the right.

If you run into any issues, the errors will be displayed in the command prompt window.

6. You can now delete the files from <ARCSIGHT_HOME>.

Content Configuration

Configuration for Entity Monitoring

Each filter is listed with its L1 Entity Monitoring URI and its Microsoft Azure URI.

Azure User Account Logon
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Entity Authentication/Azure User Account Logon

Azure User Account Logon Failure
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Azure/Entity Authentication/User Account Logon Failure

Azure User Account Created
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Created
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Azure User/Entity Management/Account Created

Azure User Account Disabled
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Disabled
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Entity Management/Azure User Account Disabled

Azure User Account Deleted
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Deleted
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Azure User/Entity Management/Account Deleted

Azure User Account Locked
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Locked
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Entity Management/Azure User Account Locked

Azure User Account Unlocked
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Unlocked
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Entity Management/Azure User Account Unlocked

Azure User Account Modified
  • URI L1 Entity Monitoring: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Management/User Account Modification
  • URI Microsoft Azure: /All Filters/ArcSight Activate/Core/Product Filters/Microsoft Azure/Entity Management/Azure User Account Modified

Extensibility

Ideas on how to extend the package for new log sources, new use cases.

Resources

The link below contains a table of all resources included in this package:

Test Plan

Uninstallation

1. In the Navigation Pane, under the Packages tab, select and right-click the P-Microsoft Azure packages.
2. Select "Delete Packages".
3. Click "Delete".
4. Select "Delete Resources", then click "OK".
5. Click "OK".
7. Check to ensure the package has been removed from the console.

Topic revision: r7 - 26 Apr 2019, EstebanHerrera