| 1 | +--- |
| 2 | +title: Configure Application Gateway for Containers for SIEM integration with Azure Sentinel |
| 3 | +description: Configure Application Gateway for Containers for SIEM integration with Azure Sentinel. |
| 4 | +services: application-gateway |
| 5 | +author: greg-lindsay |
| 6 | +ms.service: azure-application-gateway |
| 7 | +ms.subservice: appgw-for-containers |
| 8 | +ms.topic: article |
| 9 | +ms.date: 07/11/2024 |
| 10 | +ms.author: greglin |
| 11 | +--- |
| 12 | + |
| 13 | +# Configure Application Gateway for Containers for SIEM integration with Azure Sentinel |
| 14 | + |
| 15 | +By creating a SIEM integration with Application Gateway for Containers and Azure Sentinel, you streamline the security data collection across your digital environment. By following our QuickStart guide, you effortlessly set up Microsoft Sentinel to work in tandem with the Application Gateway for Container Access Logs. This setup allows you to monitor, detect, and examine potential threats and alerts generated from logs with precision. Additionally, by incorporating a solution from the content hub and configuring a data connector, you start importing access logs into Microsoft Sentinel without a hitch. To cap it off, you establish analytical rules, conduct test alerts, and utilize visualization tools for alerts, ensuring comprehensive oversight of your security landscape. |
| 16 | + |
| 17 | +In this QuickStart guide, you set up: |
| 18 | +- Integrate a log analytics workspace. |
| 19 | +- Configure a data connector into Microsoft Sentinel. |
| 20 | +- Establish an analytical rule, conduct a test alert, and visualize an alert for comprehensive oversight. |
| 21 | + [  ](./media/siem-integration-with-sentinel/sentinel-arch.png#lightbox) |
| 22 | + |
| 23 | +## Learn About The Services |
| 24 | +- [What is Azure Sentinel?](../../sentinel/overview.md) |
| 25 | + - Why use Sentinel: Sentinel offers security content that is pre-packaged in SIEM solutions, allowing you to monitor, analyze, investigate, notify, and integrate with many platforms and products, including Log Analytics Workspace. |
| 26 | +- [What is Azure Log Analytics Workspace?](../../azure-monitor/logs/log-analytics-workspace-overview.md) |
| 27 | + - Why use Log Analytics Workspace: Log Analytics workspace scales with your business needs, handling large volumes of log data efficiently and detects and diagnose issues quickly. |
| 28 | + |
| 29 | +## Prerequisites |
| 30 | + |
| 31 | +- You must have an active Log Analytics Workspace in order to ingest into Microsoft Sentinel. |
| 32 | +- Permissions for contributors to control Microsoft Sentinel at the subscription and resource group levels. |
| 33 | +- Permissions for contributors to install or manage Microsoft Sentinel solutions within the content hub. |
| 34 | + |
| 35 | +## Enable Sentinel for Log Analytics Workspace |
| 36 | + |
| 37 | +1. [Enable Azure Sentinel Workspace](../../sentinel/overview.md). |
| 38 | +2. Send Logs to Log Analytics Workspace: |
| 39 | + 1. In **Search resources, service, and docs**, type **Application Gateways for Containers**. |
| 40 | + 2. Go to your selected Application Gateway for Container Resource. |
| 41 | + 3. Go to Diagnostic Setting under Monitoring: |
| 42 | + 1. Select a name, check box **allLogs** which include the Application Gateway for Container Access Logs. |
| 43 | + 2. Select **Send to Log analytics Workspace** with your desired subscription and your log analytics workspace. |
| 44 | + [  ](./media/siem-integration-with-sentinel/logging.png#lightbox) |
| 45 | + |
| 46 | + > [!NOTE] |
| 47 | + > It takes a few minutes for AccessLogs to populate into your log analytics workspace. |
| 48 | + |
| 49 | +3. View data ingested to Microsoft Sentinel: |
| 50 | + 1. In **Search resources, service, and docs**, type **Azure Sentinel**. |
| 51 | + 2. Go to your selected Sentinel Resource. |
| 52 | + 3. Select **Logs**. |
| 53 | + 4. On the left-side bar, go to **Tables** where a section called **LogManagement** appear with digested access logs. |
| 54 | + 5. Preview all logs by hovering over access logs and click **Run**. |
| 55 | +  |
| 56 | + |
| 57 | +## Create Analytics Rule |
| 58 | + |
| 59 | +1. In **Search resources, service, and docs**, type **Azure Sentinel**. |
| 60 | +2. Go to your selected Sentinel Resource. |
| 61 | +3. Select **Analytics** under configuration. |
| 62 | +4. Click **Create** and Select **Schedule Query Rule**. |
| 63 | +5. Enter name, description, and leave the rest as default and go to the next page. |
| 64 | +  |
| 65 | + |
| 66 | +6. Create rule query based on your access logs: |
| 67 | + - Example Scenario: A user sends encrypted data through a specific URL. |
| 68 | + - Goal: Detect threats from a HostName with RequestURI **"/secret/path"**. |
| 69 | + - Create query: |
| 70 | + |
| 71 | + ```bash |
| 72 | + # Example Query |
| 73 | + AGCAccessLogs |
| 74 | + | where HostName == "4.150.168.211" or RequestUri contains "/secret/path" |
| 75 | + ``` |
| 76 | + |
| 77 | + This query filters `AGCAccessLogs` based on conditions related to hostname and request URI. |
| 78 | + |
| 79 | +8. Detect associated IPs by Entity Mapping: |
| 80 | + <img src="./media/siem-integration-with-sentinel/entity-mapping.png" alt="A screenshot of the entity mapping." width="80%"> |
| 81 | + |
| 82 | +9. Set Query Scheduling: |
| 83 | + - Run for every 5 hours. |
| 84 | + - Look up data for every 5 hours. |
| 85 | +11. **Review + Create**. |
| 86 | + |
| 87 | + |
| 88 | +## Test Incident |
| 89 | + |
| 90 | +1. Send traffic into the URL to create an incident: |
| 91 | + - Now we're ready to send some traffic with **/secret/path** to our sample application, via the FQDN (fully qualified domain name) assigned to the frontend. Use the following command to get the FQDN: |
| 92 | +
|
| 93 | + ```bash |
| 94 | + fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}') |
| 95 | + ``` |
| 96 | +
|
| 97 | +2. Curling this FQDN should return responses from the backend as configured on the HTTPRoute: |
| 98 | +
|
| 99 | + ```bash |
| 100 | + curl --insecure https://$fqdn/secret/path |
| 101 | + ``` |
| 102 | +
|
| 103 | + |
| 104 | +## Visualize Test Incidents |
| 105 | +
|
| 106 | + 1. After the incident occurred, view the details in **Threat Management** under incidents. |
| 107 | + 2. Select an incident and open the pane on the right-hand side of the page. |
| 108 | + 3. Click **View Full Details**. |
| 109 | + 4. Select **Investigate**. |
| 110 | +
|
| 111 | + [  ](./media/siem-integration-with-sentinel/investigate.png#lightbox) |
| 112 | +
|
| 113 | + > [!Note] |
| 114 | + > The **Investigate** option will only show up if the incident has any linked entities. |
| 115 | +
|
| 116 | +5. In Investigate, you can visualize the associated entities and similar alerts. |
| 117 | + |
| 118 | + [ ](./media/siem-integration-with-sentinel/mapping.png#lightbox) |
| 119 | +
|
| 120 | +6. Click on the entity to view **Insights** and delve deeper into the investigation. |
| 121 | +
|
| 122 | + [  ](./media/siem-integration-with-sentinel/insights.png#lightbox) |
| 123 | +
|
| 124 | +
|
| 125 | +[Automate Playbook and Alerts](../../azure-monitor/../sentinel/automation/automation.md) to create an alert for extra security measures and communication. |
| 126 | +
|
| 127 | +Congratulations, you can now create security barriers on your logs and investigate any incidents! |
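Review bot: the step numbering in the "Create Analytics Rule" section skips from 6 to 8 and from 9 to 11, so the rendered list has gaps; renumber the steps 6, 7, 8, 9 in sequence. In the same section the example query is fenced as ```bash although it is a Kusto query against `AGCAccessLogs`; tag the fence as kusto so it highlights correctly. The query itself compares `HostName` to the literal `"4.150.168.211"`, which only matches requests that address the gateway by IP, while the "Test Incident" section later drives traffic through the frontend FQDN taken from `kubectl get gateway gateway-01 -n test-infra`; either state that the IP match is intentional or filter on the FQDN so the test traffic actually triggers the rule. The scenario text "A user sends encrypted data through a specific URL" does not describe what the query detects (a request whose URI contains `/secret/path`); reword it as "Detect any request to the sensitive path /secret/path". The scheduling bullets "Run for every 5 hours" and "Look up data for every 5 hours" read awkwardly; the second is a look-back window, so say "run the query every 5 hours" and "look back over the last 5 hours". In "Test Incident", `curl --insecure` disables TLS certificate verification; add a sentence that this is only acceptable here because the sample frontend uses a certificate the client does not trust, and should not be carried into production checks. Smaller fixes: the image links written as `[  ](./media/...#lightbox)` have empty link text and should carry descriptive alt text; "check box allLogs which include" should be "which includes"; "Send to Log analytics Workspace" should use consistent capitalization ("Log Analytics Workspace"); "handling large volumes of log data efficiently and detects and diagnose issues quickly" should read "detecting and diagnosing"; "a section called LogManagement appear" should be "appears"; the final link target `../../azure-monitor/../sentinel/automation/automation.md` contains a redundant `azure-monitor/..` segment and can be simplified to `../../sentinel/automation/automation.md`; and "Enable Azure Sentinel Workspace" points at the overview page rather than an onboarding page, so either change the link text to "Read the Sentinel overview" or point it at the onboarding article.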