008866d378 | ||
---|---|---|
.. | ||
GetAzureStorageLogsFunction.cs | ||
HoneyBucketLogParser.csproj | ||
LogDownloader.cs | ||
Readme.md | ||
host.json |
Readme.md
Azure Function
Prerequisites
- Ideally have access to Visual Studio or Visual Studio Code
- Install dotnet core 3.1, https://dotnet.microsoft.com/download/dotnet-core
- Install azure-cli, https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
- Install azure-functions-core-tools, https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local
- Have the workspace ID and key of an Azure Log Analytics or Azure Sentinel workspace to hand. Details can be found here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows.
Setup
-
Create a new Azure Function, you can follow this https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-azure-function guide but don't proceed to create the function itself.
- You will also need to create a system identity for this function so that we can enable it to query the keyvault
- Platform features -> Identity -> User assigned -> Set status to On and click Save.
- Copy the Object ID, you will need to use this to allow authentication to the KeyVault
-
Create a new Azure Storage account or make use of an existing one.
- Create a new private container called 'statedata'
- Inside 'statedata' create a blob called 'state'. This is a semicolon separated file which contains the storage accounts to check and the time of last check.
- XXXX=YYYY;XXXX=YYYY
- For the first run create entries similar to test123=2020-01-01T01:01:01.8914445Z
- Obtain the Azure Storage connection string for the container. https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string
-
Create a new Azure Keyvault.
- Add the following secrets
- BlobStorageAccountKeys - A semi-colon ';' separated list of storage accounts to check ie NAME:KEY;NAME:KEY
- NAME is the name of the storage account
- KEY is the access key taken from the storage account's 'Access Keys' page.
- BlobStorageConnectionString - The connection string to blob storage that will hold state data
- LogAnalyticsWorkspace - LA workspace found in the previous step
- LogAnalyticsKey - LA key found in the previous step
- BlobStorageAccountKeys - A semi-colon ';' separated list of storage accounts to check ie NAME:KEY;NAME:KEY
- Add permissions for the Azure function (use the Object ID generated in step #1) to access the keyvault via Access Policies
- Access policies -> Add Access Policy -> Secret Management, Select your function as the service principle, Save -> Save
- Note down the URL for each of the KeyVault secrets created.
- Add the following secrets
Publish the Azure Function
You can publish an Azure Function with Visual Studio or Visual Studio Code. Alternatively the following commands will get you started.
An important note on using the following commands, the Azure Function version must match what is defined in your codebase. Visual Studio will prompt to upgrade the function if this is different, the command below may not.
Run the following commands
az login
followed by
func azure functionapp publish nameoffunction --csharp --force
Configure
In the Azure Function Application settings set up a configuration mapping from environment variable to keyvault entry. You can find these settings in Platform features -> Configuration -> Application settings -> New application setting. You can find the SECRETURI references below in the respective properies of the keyvault entries created earlier.
- Name = BlobStorageAccountKeys Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
- Name = BlobStorageConnectionString Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
- Name = LogAnalyticsKey Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
- Name = LogAnalyticsWorkspace Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
Restart the Azure Function and check the logs entries don't contain any errors.
Testing
Access the Azure Storage account configured earlier. Debug logs will be generated and should be collected and processed by the Azure Function after an hour. The log entries generated by the Function should show the access. After an hour the entries will appear in the Sentinel workspace.