Deploy a Function App for collecting Zoom data into Azure Sentinel
This function app listens for Zoom API events and writes them to Log Analytics on arrival.
Deploy the Function App
The easiest way is via the provided ARM templates:
1: Deploy via Azure ARM Template
- Deploy the template.
- Deploy permissions for the function to the Key Vault.
Alternatively you can deploy the elements manually.
2: Deploy via VS Code
Note: You will need to prepare VS Code for Azure Functions development. See https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-function-powershell#prerequisites
- Download the Zip file of the Azure Function app from GitHub.
- Extract to a location on your local host.
- Open VS Code.
- Click File -> Open Folder.
- Select the top level folder from extracted files.
- Type Ctrl+Shift+P.
- Click Azure Functions: Deploy to function app. You may be asked to sign in to Azure.
- Click Create New function app in Azure (advanced).
- Provide a unique name like "ZoomLogs". Press Enter.
- Click Windows.
- Click Consumption.
- Click PowerShell.
- Click Create new Resource Group.
- Press enter to accept the name.
- Click Create a new storage Account.
- Press enter to accept the name.
- Click Create new Application Insights resource.
- Press enter to accept the name.
- Pick a location to deploy in.
- Deployment will begin.
- Wait for the deployment to complete, then click upload settings in the bottom right.
- Click yes to all to upload.
- Go to the Azure Portal.
- Go to the resource group that was created. Click the Function.
- Click Stop.
- Click Platform Features Tab.
- Click Identity.
- Click On under system assigned. Click Save. Click Yes.
Create a Key Vault
- Go to the Azure Portal.
- Go to the resource group that was created. Click Add.
- Type Key Vault.
- Create a Key vault.
- Go to the resource created.
- Click Access Policies.
- Click Add Access Policy.
- Select Secret Management from Configure from template.
- Click Select Principal.
- Search for the name of the function app. Click Select.
- Click Add.
- Click Save.
- Click Secrets.
- Click Generate.
- Enter WorkspaceKey. Paste in your Azure Sentinel Workspace Key. Click Create.
- Click Generate.
- Click WorkspaceKey and copy the current version string to a temporary location.
Configure Settings for the Function
- Go to the Azure Portal.
- Go to the resource group that was created. Click the Function.
- Click Platform Features Tab.
- Click Configuration under General.
- Click edit next to workspaceKey.
- Update the value using the string copied from KeyVault.
- @Microsoft.KeyVault(SecretUri=https:///secrets/workspaceKey/)
- Click Ok.
- Click edit next to workspaceId.
- Update the value with your Sentinel Workspace Id.
- Click Ok.
- Click Save.
Configure your Zoom API app.
You also need to configure your Zoom account to send events to your Function App. To do this, go to https://marketplace.zoom.us/ and log in with a user who has admin access to your Zoom account.
- Select ‘Develop’ in the top right hand corner and click ‘Build App’.
- Select ‘Webhook Only’ as your app type.
- Give your app a name.
- Fill out the required Basic Information and click continue.
- Under the Feature Tab enable the ‘Event Subscriptions’ toggle and click ‘Add new event subscription’.
- Set a subscription name and, in the Event notification endpoint URL field, enter your Function App URL. This will be in the format of https://.azurewebsites.net/api/. You can find your app URL in the Azure Portal.
- Click ‘Add Events’ and select the events you want to receive in Azure Sentinel. Then click done.
- Copy your feature Verification token for your event subscription and save it.
- Click ‘Save’ and ‘Continue’.
Once you have done this you need to add your verification code to your previously deployed Function App. To do this go to the Function App in the Azure Portal.
- Click Platform Features Tab.
- Click Configuration under General.
- Click Edit next to ZoomVerification.
- Enter your Zoom app's verification token.
- Restart your function app.
If successfully deployed, you should start to see events appear in your Azure Sentinel workspace as soon as they are generated. If you run into issues, there are a number of options for monitoring and debugging your Function App.
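To show how the ZoomVerification, workspaceId and workspaceKey settings fit together, here is an added PowerShell example (not the code shipped in this repository's ZoomLogs function) that checks the token on an incoming event and builds the SharedKey signature for the Log Analytics HTTP Data Collector API. It assumes Zoom presents the verification token in the `authorization` request header and uses `Zoom` as the Log-Type; the function names and all sample values are hypothetical and constructed.

```powershell
# Added example: hypothetical helpers, not the code shipped in the ZoomLogs function.
function Test-ZoomToken {
    # Constant-time comparison of the presented token with the ZoomVerification setting.
    param([string]$Presented, [string]$Expected)
    if ([string]::IsNullOrEmpty($Presented) -or [string]::IsNullOrEmpty($Expected)) { return $false }
    $a = [Text.Encoding]::UTF8.GetBytes($Presented)
    $b = [Text.Encoding]::UTF8.GetBytes($Expected)
    $diff = $a.Length -bxor $b.Length
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i % $b.Length]) }
    return ($diff -eq 0)
}

function New-LogAnalyticsSignature {
    # Authorization header value: HMAC-SHA256 over the canonical string, keyed with the decoded workspace key.
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$Date, [int]$ContentLength)
    $toSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($WorkspaceKey))
    try { $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)) } finally { $hmac.Dispose() }
    return "SharedKey ${WorkspaceId}:" + [Convert]::ToBase64String($hash)
}

# Constructed sample values. In the Function App these come from the
# ZoomVerification, workspaceId and workspaceKey application settings.
$expectedToken = 'constructed-token-123'
$workspaceId   = '00000000-0000-0000-0000-000000000000'
$workspaceKey  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('constructed-key'))
$headers = @{ authorization = 'constructed-token-123' }   # assumed header carrying the token
$body    = '{"event":"meeting.started","payload":{"object":{"id":"1"}}}'

if (-not (Test-ZoomToken -Presented $headers['authorization'] -Expected $expectedToken)) {
    # Unauthenticated caller: return an error status and write nothing to the workspace.
    Write-Output 'Rejected: verification token mismatch.'
    return
}

$bytes = [Text.Encoding]::UTF8.GetBytes($body)
$date  = [DateTime]::UtcNow.ToString('r')   # RFC 1123 date, also sent as x-ms-date
$auth  = New-LogAnalyticsSignature -WorkspaceId $workspaceId -WorkspaceKey $workspaceKey `
            -Date $date -ContentLength $bytes.Length

# Headers for the Data Collector API; 'Zoom' as the Log-Type is an assumed table name.
$postHeaders = @{ Authorization = $auth; 'Log-Type' = 'Zoom'; 'x-ms-date' = $date }
$uri = "https://${workspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
Write-Output "Token accepted; would POST $($bytes.Length) bytes to $uri"
```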