Azure-Sentinel/DataConnectors/AzureStorage
Ross Bevington 008866d378 Moved location 2020-04-17 09:57:46 +01:00
Files in this directory: GetAzureStorageLogsFunction.cs, HoneyBucketLogParser.csproj, LogDownloader.cs, Readme.md, host.json

Readme.md

Azure Function

Prerequisites

Setup

  1. Create a new Azure Function. You can follow this guide (https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-azure-function), but don't proceed to create the function itself.

    • You will also need to create a system identity for this function so that it can be granted access to query the Key Vault.
    • Platform features -> Identity -> User assigned -> Set status to On and click Save.
    • Copy the Object ID; you will need it to allow the function to authenticate to the Key Vault.
  2. Create a new Azure Storage account or make use of an existing one.

    • Create a new private container called 'statedata'
    • Inside 'statedata' create a blob called 'state'. This is a semicolon-separated file which contains the storage accounts to check and the time of the last check.
      • XXXX=YYYY;XXXX=YYYY
      • For the first run create entries similar to test123=2020-01-01T01:01:01.8914445Z
    • Obtain the Azure Storage connection string for the container. https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string
  3. Create a new Azure Keyvault.

    • Add the following secrets
      • BlobStorageAccountKeys - A semicolon (';') separated list of storage accounts to check, i.e. NAME:KEY;NAME:KEY
        • NAME is the name of the storage account
        • KEY is the access key taken from the storage account's 'Access Keys' page.
      • BlobStorageConnectionString - The connection string to blob storage that will hold state data
      • LogAnalyticsWorkspace - The Log Analytics (LA) workspace found in the previous step
      • LogAnalyticsKey - The Log Analytics (LA) key found in the previous step
    • Add permissions for the Azure Function (use the Object ID generated in step #1) to access the Key Vault via Access Policies
      • Access policies -> Add Access Policy -> Secret Management, select your function as the service principal, Save -> Save
    • Note down the URL for each of the KeyVault secrets created.
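Added example, not the connector's own code: a hypothetical C# helper that parses the two semicolon-separated formats described above, the 'state' blob (NAME=timestamp) and the BlobStorageAccountKeys secret (NAME:KEY), merges them so that an account with a key but no state entry gets a first-run timestamp instead of being skipped, and writes the state back in the same format. The class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// Hypothetical helper (not from the connector) for the two ';'-separated formats in this Readme.
public static class ConnectorConfig
{
    // 'state' blob: NAME=timestamp;NAME=timestamp. Entries that do not parse are skipped
    // rather than aborting the run, so one bad line cannot stall log collection.
    public static Dictionary<string, DateTimeOffset> ParseState(string state)
    {
        var result = new Dictionary<string, DateTimeOffset>(StringComparer.OrdinalIgnoreCase);
        foreach (var entry in (state ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var idx = entry.IndexOf('=');
            if (idx <= 0) continue;                               // no account name
            var when = entry.Substring(idx + 1).Trim();
            if (DateTimeOffset.TryParse(when, CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var ts))
                result[entry.Substring(0, idx).Trim()] = ts;
        }
        return result;
    }

    // BlobStorageAccountKeys secret: NAME:KEY;NAME:KEY. Split on the first ':' only, and never
    // log or echo the key values; only account names should appear in Function logs.
    public static Dictionary<string, string> ParseAccountKeys(string secret)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var entry in (secret ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var idx = entry.IndexOf(':');
            if (idx <= 0 || idx == entry.Length - 1) continue;   // no name or empty key
            result[entry.Substring(0, idx).Trim()] = entry.Substring(idx + 1).Trim();
        }
        return result;
    }

    // Accounts that have a key but no state entry start from firstRun, so a newly added
    // account is not silently skipped; state for accounts without a key is dropped.
    public static Dictionary<string, DateTimeOffset> MergeState(
        IReadOnlyDictionary<string, string> keys, IReadOnlyDictionary<string, DateTimeOffset> state,
        DateTimeOffset firstRun)
        => keys.Keys.ToDictionary(n => n, n => state.TryGetValue(n, out var ts) ? ts : firstRun,
                                  StringComparer.OrdinalIgnoreCase);
    // Write state back in the same NAME=timestamp;... format, timestamps in round-trip UTC form.
    public static string SerializeState(IReadOnlyDictionary<string, DateTimeOffset> state)
        => string.Join(";", state.OrderBy(kv => kv.Key).Select(kv => $"{kv.Key}={kv.Value.UtcDateTime:o}"));
}
```

With the Readme's first-run example, ParseState("test123=2020-01-01T01:01:01.8914445Z") yields one entry for test123 at that UTC instant, and SerializeState round-trips it to the same string.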

Publish the Azure Function

You can publish an Azure Function with Visual Studio or Visual Studio Code. Alternatively, the following commands will get you started.

An important note on using the following commands: the Azure Functions runtime version must match what is defined in your codebase. Visual Studio will prompt you to upgrade the function if this differs; the command below may not.

Run az login, followed by func azure functionapp publish nameoffunction --csharp --force (where nameoffunction is the name of your Function App).

Configure

In the Azure Function Application settings, set up a configuration mapping from each environment variable to its Key Vault secret. You can find these settings in Platform features -> Configuration -> Application settings -> New application setting. The SECRETURI values referenced below are found in the respective properties of the Key Vault secrets created earlier.

  • Name = BlobStorageAccountKeys Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
  • Name = BlobStorageConnectionString Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
  • Name = LogAnalyticsKey Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)
  • Name = LogAnalyticsWorkspace Value = @Microsoft.KeyVault(SecretUri=https://SECRETURI)

Restart the Azure Function and check that the log entries don't contain any errors.

Testing

Access the Azure Storage account configured earlier. Debug logs will be generated and should be collected and processed by the Azure Function after an hour; the Function's own log entries should show the access. After an hour the entries will appear in the Sentinel workspace.