Azure Sentinel – How to audit Management Groups

Posted by

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Hi folks!!  
Simone is back to you. 

Probably, most of you know that when you enable Azure Activity connector in Azure Sentinel Connector’ s blade almost every audit log generated from Azure resources is saved in the AzureActivity Table.  
Well, almost does not mean all :) In fact, from the Azure portal we can only manage the subscriptions level, but some audits created by the Root management group are not collected by default by the Azure Sentinel collectors. 

For example, operations logged by the Microsoft.Management resource provider are not available at root level as creation/move/delete of subscriptions.  
To keep under control these logs we can configure the audit using the Azure Monitor REST API following the steps below: 

 

  1. Under management groups take the “tenant root group ID” (ManagementGroupID) and Name 
    sifriger_1-1625049836482.png 

  2. Open the link Management Group Diagnostic Settings - Get - REST API (Azure Monitor) | Microsoft Docs  
    Try to get the setting from tenant root  
    sifriger_2-1625049836483.png 

  3. Sign in and fill the fields with ManagementGroupID and Name and click RUN at the bottom of the page: 
    sifriger_3-1625049836485.png 

  4. Now we should create or update Diagnostic Setting 
    Management Group Diagnostic Settings – Create Or Update – REST API (Azure Monitor) | Microsoft Docs –  
    Click on Try 
    sifriger_4-1625049836486.png
     
  5. Fill the fields with TenantId and Name as already done before at 3 Step: 
    sifriger_5-1625049836487.png

  6. Copy the JSON schema Template from this link Resource Manager template samples for diagnostic settings - Azure Monitor | Microsoft Docs: 

  7. Modify the setting related to the repository (Log Analytics, Event Hub, Storage Account), and define the categories that you wish to collect, in our case Administrative and Policy 
    sifriger_6-1625049836488.png

  8. in case you don’t need the other setting, you can delete the specific line: 
    sifriger_7-1625049836490.png

  9. Paste the Json in the box “body” and click RUN: 

        { 

            "type": "Microsoft.Insights/diagnosticSettings", 

            "apiVersion": "2017-05-01-preview", 

            "name": "[parameters('settingName')]", 

            "properties": { 

                "workspaceId": "[parameters('workspaceId')]", 

                "logs": [ 

                    { 

                        "category": "Administrative", 

                        "enabled": true 

                    }, 

                    { 

                        "category": "Policy", 

                        "enabled": true 

                    } 

                ] 

            } 

        } 

 

sifriger_8-1625049836491.png
 

Do you like automation and powershell?  
No problem!! My colleague @Martin Schvartzman  wrote and share a cool powershell script.  

 

Let's check it 

https://github.com/martin77s/Azure/blob/master/PS/Enable-DiagnosticSettingsMG.ps1 

 

I hope it will help you, save some time as well as some headaches! 

 

See you next time! 

Simone 

 

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.