Azure Activity

Azure Activity logs provide a comprehensive audit trail of all activities across your Azure subscription and resources. These logs are useful for security monitoring, compliance, and forensic investigations. This guide walks through how to set up Azure Activity logs in Scanner Collect using an HTTP receiver to ingest logs directly from your Azure infrastructure.

Overview

The integration uses the azure-to-scanner-collect infrastructure-as-code templates to automatically capture Azure Activity logs and forward them via HTTP to Scanner's HTTP receiver. The solution deploys Azure Function App, Event Hub, and Storage Account resources within your Azure subscription to process and relay logs securely.

How It Works

  1. Capture logs - Azure diagnostic settings route Activity Logs to the deployed Event Hub

  2. Process and authenticate - An Azure Function reads the logs from the Event Hub and authenticates its forwarding requests with the Bearer token you configure

  3. Forward to Scanner - Logs are sent to Scanner Collect via authenticated HTTPS to your HTTP receiver endpoint

  4. Index and analyze - Logs are normalized to ECS schema, indexed, and made available for search and detection

Step 1: Create a New Source

Navigate to the Collect tab in the Scanner UI.

  • Click Create New Source.

  • Click Select a Source Type.

  • Choose Microsoft Azure: Audit logs.

  • For Ingest Method, select HTTP Push.

  • For Destination, select Scanner.

Click Next.

Step 2: Configure the Source

  • Set a Display Name such as my-org-azure-activity.

  • Leave the Payload Format as the default: JSON: Generic.

Click Next.

Step 3: Configure Authentication

  • Keep the default Authentication Type: Bearer Token.

  • Generate a secure Bearer token. You can use a command like:

    echo "token_$(uuidgen | tr '[:upper:]' '[:lower:]')"

  • Note this token—you'll need to provide it as a parameter when deploying the Azure infrastructure.

Click Next.

Step 4: Set the Destination

  • Choose the Scanner index where Azure Activity logs should be stored for search and detection.

  • Leave the Source Label set to azure.

Click Next.

Step 5: Transform and Enrich

  • Keep the default transformation step: Normalize to ECS - Azure Audit

    • This maps Azure log fields to the Elastic Common Schema (ECS) to support cross-source queries and detections.

  • Keep Parse JSON Columns enabled to automatically extract data from any stringified JSON fields.

  • (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

Step 6: Timestamp Extraction

The timestamp extraction is configured to:

  • First look in the timestamp field

  • Fall back to the time field if timestamp is not present

Leave these defaults as-is.

Click Next.

Step 7: Review and Create

  • Review your configuration.

  • Click Create Source.

After creation, Scanner will display a unique Endpoint URL like:

https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>

Step 8: Deploy Azure Infrastructure

Go to the azure-to-scanner-collect repository and follow its README instructions to deploy the infrastructure. All the code being deployed is visible and explorable in the repository, so you can review exactly what will be created in your Azure subscription.

When deploying, provide:

  • The Scanner HTTP receiver endpoint URL from Step 7

  • The Bearer token from Step 3

Make sure to keep the "Send Activity Logs" option checked during deployment—this will automatically configure your Azure subscription to forward Activity logs to the infrastructure.

That's It

Once deployment is complete, logs will flow from Azure Activity Log → Event Hub → Azure Function → Scanner HTTP Receiver → S3 → Scanner index.

Your Azure Activity logs will now be indexed and searchable in Scanner, enabling real-time threat detection and forensic investigation across your Azure environment.
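The following is an added illustration, not code from the azure-to-scanner-collect repository or from Scanner, of the three pieces this guide describes: the Azure Function's forwarding step from How It Works (unwrap the Event Hub batch and POST it with an Authorization: Bearer header), the receiver-side token check that the Step 3 token enables, and the Step 6 timestamp order (timestamp first, then time). The Event Hub message, the endpoint URL and all field values are constructed samples; generate_token uses Python's secrets module in place of the uuidgen command shown in Step 3.

```python
"""Illustration of the Azure Activity Log -> Event Hub -> Function -> HTTP receiver
path. Not the project's own code; shapes and values below are constructed."""
import hmac
import json
import secrets
import urllib.request
from datetime import datetime, timezone

# Constructed sample of what Azure diagnostic settings deliver to Event Hub:
# a JSON object whose "records" array holds the Activity Log entries.
# Real records carry "time"; the second record uses "timestamp" only to show
# the Step 6 lookup order.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2024-05-01T12:34:56.789Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/EXAMPLE-RG",
            "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
            "category": "Administrative",
            "resultType": "Success",
            "callerIpAddress": "203.0.113.10",
        },
        {
            "timestamp": "2024-05-01T12:35:00Z",
            "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
            "category": "Administrative",
            "resultType": "Failure",
        },
    ]
})


def generate_token() -> str:
    """Same idea as the docs' uuidgen command: a 'token_' prefix followed by
    128 bits from the OS CSPRNG (assumption: secrets.token_hex stands in for uuidgen)."""
    return "token_" + secrets.token_hex(16)


def unwrap_records(event_hub_message: str) -> list:
    """Pull the Activity Log entries out of the Event Hub envelope."""
    return json.loads(event_hub_message)["records"]


def extract_timestamp(record: dict) -> datetime:
    """Step 6 defaults: prefer 'timestamp', fall back to 'time', normalised to UTC."""
    raw = record.get("timestamp") or record.get("time")
    if raw is None:
        raise ValueError("record has neither 'timestamp' nor 'time'")
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_forward_request(endpoint_url: str, token: str, event_hub_message: str) -> urllib.request.Request:
    """What the Function does per Event Hub message: POST the records to the
    Scanner HTTP receiver with the Bearer token in the Authorization header.
    The request is built but not sent, so this runs offline."""
    body = json.dumps(unwrap_records(event_hub_message)).encode("utf-8")
    return urllib.request.Request(
        endpoint_url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )


def receiver_authorizes(headers: dict, expected_token: str) -> bool:
    """Receiver-side check of the Authorization header. hmac.compare_digest keeps
    the comparison constant-time so a wrong token leaks no timing information."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


if __name__ == "__main__":
    token = generate_token()
    endpoint = "https://collect.example.scanner.dev/receiver/v1/http/EXAMPLE-ID"  # constructed
    req = build_forward_request(endpoint, token, SAMPLE_EVENT_HUB_MESSAGE)
    print(req.get_method(), req.full_url, req.get_header("Authorization")[:14] + "...")
    for rec in unwrap_records(SAMPLE_EVENT_HUB_MESSAGE):
        print(extract_timestamp(rec).isoformat(), rec["operationName"], rec["resultType"])
    print("receiver accepts token:", receiver_authorizes({"Authorization": f"Bearer {token}"}, token))
    print("receiver rejects wrong token:", not receiver_authorizes({"Authorization": "Bearer token_wrong"}, token))
```

The receiver check is the reason the token from Step 3 must match the value passed to the deployment in Step 8: the Function presents it on every request, and the receiver accepts only an exact, constant-time match on the Bearer scheme, so a missing header, a different scheme or a mismatched value is rejected before any log data is accepted.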
