Question

soloman00 on Tue, 27 Feb 2018 15:44:52


The Microsoft documentation seems to indicate an Azure storage account is required.  I do not use VMs and Azure storage.  I only use Azure AD and want to integrate the Azure AD logs with Arcsight.  I am using Azlog and did not set up an Azure storage account.  I followed the microsoft directions and installed the Arcsight collector software and configured it.

Events are showing up in Arsight, but it's gibberish.

My Questions are:

Is a storage account required in this case?  Do I need to do something else to translate the logs to meaningful data in Arcisght?



Sponsored



Replies

Femisulu on Wed, 28 Feb 2018 20:24:58


Can you please share which Azure documentation you are referring to? AFAIK, Storage account is required depending on how much log data you plan to ingest. We have different tiers and pricing of storage offerings based on your need. I may need some more information on what you are trying to do to be more prescriptive. https://azure.microsoft.com/en-us/pricing/details/storage/ 

soloman00 on Mon, 12 Mar 2018 20:39:22


The documentation I am referring to here:

https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-ad

Because Azure AD has a maximum log retention of 30 days, I want to pull the Azure AD events into my SIEM solution, Arcsight.  I don't want to use Azure storage, because Arcsight is an on prem solution with it's own storage.

Femisulu on Wed, 28 Mar 2018 10:56:27


Perhaps an ArcSight compatible smart-connector could be useful in your scenario to normalize and convert the ingested AD events into a readable Common Event Format (CEF) for reporting and analysis.

You have the option to purchase one from the AchSight Marketplace or build one using HPE's FlexConnector SDK - this tutorial will be useful if you choose to go down the "build" path. Hope this helps.