
How to set up Azure Activity Logs for Defense.com SIEM

This guide explains how to configure Azure Activity Logs to integrate with Defense.com.

Written by Alan Butcher
Updated over a month ago

Overview

Defense.com SIEM can ingest Azure Activity Logs to track administrative, security, alert, and policy events in your Azure subscription. This setup provides your analysts with visibility into critical activities.

Prerequisites

Before starting, ensure:

  • You have Azure portal access with permissions to manage subscriptions and resources.

  • The Microsoft.OperationalInsights resource provider is registered for your subscription. To check:

    1. Go to Subscriptions in the Azure portal.

    2. Select your subscription, then click Resource Providers.

    3. Verify Microsoft.OperationalInsights is registered. If not, register it.

Step 1: Create a resource group

A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group:

  1. Sign in to the Azure portal.

  2. In the left navigation, select Resource groups, and then select Create.

  3. For Subscription, select the name of the Azure subscription in which you want to create the resource group.

  4. Type a unique name for the resource group. The system immediately checks to see if the name is available in the selected Azure subscription.

  5. Select a region for the resource group.

  6. Select Review + Create.

  7. On the Review + Create page, select Create.

Step 2: Create an Event Hub Namespace

Set up an Event Hub Namespace to stream Azure Activity Logs.

  1. In the Azure portal, navigate to Event Hubs and click Create.

  2. Configure the namespace with these settings:

    Name: (e.g., <CustomerName>-Defensecom-SIEM)

    Pricing Tier: Basic

    Subscription: Your subscription (e.g., Pay-As-You-Go)

    Resource Group: Your resource group (e.g., siem)

    Location: Your region (e.g., UK South)

    Throughput Units: 1

  3. Leave Auto-Inflate and Make this namespace zone redundant disabled unless you need them.

  4. Click Create and wait for the namespace to deploy.

  5. In the new namespace, go to Shared Access Policies and create a policy:

    • Name: activitylogs

    • Permissions: Select Manage (includes Send and Listen).

    • Save the policy.

Step 3: Configure Activity Log Diagnostic Settings

Stream Activity Logs to the Event Hub Namespace.

  1. In the Azure portal, go to Activity Log.

  2. Click Diagnostic settings, then Add diagnostic setting.

  3. Set up the diagnostic setting:

    • Name: Defense.com SIEM

    • Check Stream to an event hub.

    • Subscription: Select your subscription.

    • Event Hub Namespace: Choose the namespace created in Step 2.

    • Event Hub Name: Select Create in selected namespace.

    • Event Hub Policy Name: Choose the activitylogs policy.

  4. Enable logging for these event types:

    • Administrative

    • Security

    • Alert

    • Policy

  5. Click Save. This creates an event hub named insights-activity-logs in your namespace. Note: This may take up to 30 minutes.

Step 4: Set Up Event Hub Access for Defense.com

Create a policy to allow Defense.com to retrieve logs.

  1. In the Azure portal, go to the Event Hubs Namespace created in Step 2.

  2. Find the insights-activity-logs event hub.

  3. Select Shared Access Policies and create a new policy:

    • Name: DefenseActivityLogs

    • Permissions: Select Listen.

  4. Copy the Primary Connection String for this policy.

  5. Securely share the Primary Connection String and Event Hub Name with Defense.com via a ticket at https://my.defense.com/support/tickets. We recommend providing the credentials via a https://www.onetimesecret.com link rather than pasting them into the ticket.
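The same four steps as an Azure CLI script, added here as an example rather than Defense.com's own tooling. It assumes `az` is installed and logged in to the target subscription, that a `CUSTOMER_NAME` environment variable supplies the customer name, and that the resource group, namespace and policy names mirror the guide's examples.

```shell
# Added example (not Defense.com's own tooling): Azure CLI equivalent of Steps 1-4.
# Assumes `az` is installed and logged in; names mirror the guide's examples.
set -eu
RG="siem"                                          # Step 1: resource group
LOCATION="uksouth"                                 # guide's example region (UK South)
NS="${CUSTOMER_NAME:-Customer}-Defensecom-SIEM"    # Step 2: namespace (CUSTOMER_NAME assumed)
NS_POLICY="activitylogs"                           # Step 2: namespace-level Manage policy
HUB="insights-activity-logs"                       # Step 3: hub Azure Monitor creates by default
HUB_POLICY="DefenseActivityLogs"                   # Step 4: Listen-only policy shared with Defense.com

# --logs payload for the diagnostic setting: only the four categories the guide enables.
activity_log_categories_json() {
  json=""
  for c in Administrative Security Alert Policy; do
    json="${json:+$json,}{\"category\":\"$c\",\"enabled\":true}"
  done
  printf '[%s]' "$json"
}

# Resource ID of a namespace authorization rule, the form --event-hub-auth-rule expects.
# $1=subscription id  $2=resource group  $3=namespace  $4=rule name
namespace_rule_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventHub/namespaces/%s/authorizationRules/%s' \
    "$1" "$2" "$3" "$4"
}

# Steps 1-3: resource group, namespace, Manage policy, subscription-level diagnostic setting.
# No --event-hub-name is given, so Azure Monitor uses the default hub name in $HUB.
stream_activity_log() {
  sub=$(az account show --query id -o tsv)
  az group create --name "$RG" --location "$LOCATION" -o none
  az eventhubs namespace create --resource-group "$RG" --name "$NS" --location "$LOCATION" \
    --sku Basic --capacity 1 --enable-auto-inflate false -o none
  az eventhubs namespace authorization-rule create --resource-group "$RG" --namespace-name "$NS" \
    --name "$NS_POLICY" --rights Manage Send Listen -o none    # Manage must come with Send and Listen
  az monitor diagnostic-settings subscription create --name "Defense.com SIEM" --location "$LOCATION" \
    --event-hub-auth-rule "$(namespace_rule_id "$sub" "$RG" "$NS" "$NS_POLICY")" \
    --logs "$(activity_log_categories_json)" -o none
}

# Step 4: run once the hub exists (the guide says this can take up to 30 minutes). Prints the
# Listen-only connection string, which is the only secret that needs to reach Defense.com.
grant_defense_listen() {
  az eventhubs eventhub authorization-rule create --resource-group "$RG" --namespace-name "$NS" \
    --eventhub-name "$HUB" --name "$HUB_POLICY" --rights Listen -o none
  az eventhubs eventhub authorization-rule keys list --resource-group "$RG" --namespace-name "$NS" \
    --eventhub-name "$HUB" --name "$HUB_POLICY" --query primaryConnectionString -o tsv
}

case "${1:-}" in
  stream) stream_activity_log ;;
  grant)  grant_defense_listen ;;
esac
```

Run it first with `stream`, then with `grant` after `insights-activity-logs` appears in the namespace; the namespace-level Manage key never leaves your subscription.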


That's it! 🎉 Defense.com will start ingesting your Azure Activity Logs.
