- Cloud Collectors Overview
- Administration
- Administrative Access
- Shareable Service Accounts
- Add Accounts for AWS Cloud Collectors
- Add Accounts for Cisco Duo Cloud Collector
- Add Accounts for Google Cloud Collectors
- Add Accounts for Microsoft Cloud Collectors
- Add Accounts for Okta Cloud Collectors
- Add Accounts for Salesforce Cloud Collectors
- Add Accounts for Splunk Cloud Collectors
- Add Accounts for Trend Micro Cloud Collectors
- Define a Unique Site Name
- Sign Up for the Early Access Program
- Onboard Cloud Collectors
- Abnormal Security Cloud Collector
- AWS CloudTrail Cloud Collectors
- AWS CloudWatch Cloud Collector
- AWS S3 Cloud Collector
- AWS SQS Cloud Collector
- Azure Activity Logs Cloud Collector
- Azure Log Analytics Cloud Collector
- Azure Event Hub Cloud Collector
- Azure Storage Analytics Cloud Collector
- Cato Networks Cloud Collector
- Cisco Duo Cloud Collector
- Cisco Umbrella Cloud Collector
- Cribl Cloud Collector
- CrowdStrike Cloud Collectors
- GCP Pub/Sub Cloud Collector
- Microsoft Defender XDR (via Azure Event Hub) Cloud Collector
- Microsoft Entra ID Context Cloud Collector
- Microsoft Entra ID Logs Cloud Collector
- Microsoft 365 Exchange Admin Reports Cloud Collector
- Supported Sources from Microsoft 365 Exchange Admin Reports
- Migrate to the Microsoft 365 Exchange Admin Reports Cloud Collector
- Prerequisites to Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Troubleshooting the Microsoft 365 Exchange Admin Reports Cloud Collector
- Microsoft 365 Management Activity Cloud Collector
- Microsoft Security Alerts Cloud Collector
- Microsoft Sentinel (via Event Hub) Cloud Collector
- Netskope Alerts Cloud Collector
- Netskope Events Cloud Collector
- Okta Cloud Collector
- Okta Context Cloud Collector
- Palo Alto Networks Cortex Data Lake Cloud Collector
- Proofpoint On-Demand Cloud Collector
- Proofpoint Targeted Attack Protection Cloud Collector
- Salesforce Cloud Collector
- SentinelOne Alerts Cloud Collector
- SentinelOne Cloud Funnel Cloud Collector
- SentinelOne Threats Cloud Collector
- Splunk Cloud Collector
- Symantec Endpoint Security Cloud Collector
- Trend Vision One Cloud Collector
- Zscaler ZIA Cloud Collector
- Webhook Cloud Collectors
- Wiz Cloud Collector
- Troubleshooting Cloud Collectors
Prerequisites to Configure the Azure Log Analytics Cloud Collector
Before you configure the Azure Log Analytics Cloud Collector you must complete the following prerequisites:
Ensure that you have an Azure account with an active subscription.
Create a Microsoft Entra ID application – Create and register an application in the Microsoft Azure portal for generating authentication certificates and secrets, assigning API permissions, and granting administration consent.
Add a shareable Microsoft account – Create an account in Exabeam Cloud Collectors that can be shared across multiple Microsoft collectors.
Create a Log Analytics workspace and obtain the workspace ID. For more information, see Create a workspace in the Microsoft documentation.
Create a data collection rule for the Azure Log Analytics workspace.
Assign the Log Analytics Reader role to the Log Analytics Workspace that you created.
Create a Microsoft Entra ID Application for Azure Log Analytics Cloud Collector
Before you can begin onboarding any of the available Microsoft cloud collectors, you must create a Microsoft Entra ID application (formerly called Azure Active Directory) in the Microsoft Azure portal. The same application can support multiple Microsoft cloud collectors, as long as all of the relevant API permissions are assigned.
To create a Microsoft Entra ID application and prepare it for use by cloud collectors, follow the steps below to complete these required tasks:
During the procedure, make a note of the IDs you will need when you configure a new Microsoft cloud collector.
Create and Register a Microsoft Entra ID Application
Log into your Azure account by accessing the Azure portal.
From the available Azure Services, select Microsoft Entra ID (formerly called Azure Active Directory).
From the left navigation pane, select App Registrations, then click New Registration.
On the Register an application page, enter the following information:
Name – Specify a name for the new application. For example, Exabeam MS Entra ID App.
Supported account types – Select the account type Accounts in this organizational directory only.
Redirect URI – (Optional) Select the Web platform and specify a URI.
Click Register. When registration is complete, the Overview tab of the new application is displayed.
Copy and make a note of the values for both the Application (client) ID and the Directory (tenant) ID. You will need these values when configuring a Microsoft cloud collector.
Generate Certificates and Secrets
In your new Microsoft Entra ID application, click Certificates & secrets in the left navigation pane.
Decide which authentication method you want to use. Two methods are available: OAuth2 or certificate authentication. Depending on which method you plan to use, do one of the following:
OAuth2 method – Select the Client secrets tab, and continue with Step 3.
Certificate method – Click the Certificates tab and continue with Step 4.
On the Client Secrets tab, click New client secret and do the following:
Enter a Description and an Expire term for the secret.
Click Add. The new client secret is displayed on the Client secrets tab.
Copy and make a note of the Value. You will need this client secret value when you configure a Microsoft cloud collector. You will not be able to recover this value later if you don't make a note of it.
On the Certificates tab, click Upload certificate and do the following:
Use the File Selection icon (
) to upload an existing certificate (a public key) of file type .cer, .pem, or .crt.Enter a Description for the certificate.
Click Add. The new certificate is displayed on the Certificates tab.
Note
If you don't already have the certificate and private key files, create them.
Generate the X.509 asymmetric key by running the following command in the terminal:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 -out certificate.pem
Two files are created in the directory where you ran the command:
certificate.pem – The certificate or public key
key.pem – The private key
The cloud collector supports RSA encryption algorithm with up to 16384 bits key length.
Use the certificates and secrets while creating a sharable Microsoft account for the cloud collector.
Add Accounts for Microsoft Cloud Collectors
To streamline the onboarding process, create a shareable account that can be used across one or more collectors that require a Microsoft account.
To set up a shareable Microsoft account in Cloud Collectors:
Log in to the Exabeam Security Operations Platform with your registered credentials as an administrator.
Navigate to Collectors > Cloud Collectors.
Click Accounts, then click New Account.
On the Add a New Account page, enter the following information, as shown in the image below:
VENDOR – Select Microsoft as the vendor.
NAME – Specify a name for the Microsoft account.
Authentication – Select an authentication method. Depending on how you created your Microsoft Entra ID application (formerly called Azure Active Directory) in the Azure portal, select either of the options below and provide the applicable IDs and certificates or secrets.
Certificate – If your application uses the certificate authentication method, enter the following information:
CLIENT ID – Enter the value of the Application (client) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.
TENANT ID – Enter the value of the Directory (tenant) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.
CERTIFICATE – Copy and enter the public key portion of the existing certificate you uploaded in the Azure portal when you selected the authentication method of your Microsoft Entra ID application.
PRIVATE KEY – Copy and enter the private key of the existing certificate.
OAuth2 – If your application uses the OAuth2 authentication method, enter the following information:
CLIENT ID – Enter the value of the Application (client) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.
CLIENT SECRET – Enter the value of the client secret that was generated when you selected the authentication method of your Microsoft Entra ID application. If you did not make a note of the value, you will need to generate a new secret for the application in the Azure portal.
TENANT ID – Enter the value of the Directory (tenant) ID that was generated when you created and registered your Microsoft Entra ID application. If you did not make a note of the value, return to the Azure portal and navigate to the Overview tab of your application.
CLOUD – Select an Azure AD cloud environment from the list of available clouds.
Click Save.
Proceed to configure any cloud collector that requires the use of the Microsoft account.
When you onboard new cloud collectors that require this Microsoft account, you can reuse credentials between different collectors, provided that you assigned the required permissions when you created the Microsoft Entra ID application in the Azure portal. The required permissions for each Microsoft cloud collector are listed in a table in that procedure.
Create a Log Analytics Workspace
A Log Analytics workspace is a data repository to store all log data from Azure Monitors and other Azure services. To obtain the Workspace ID, you must create a Log Analytics workspace. For more information, see Create a workspace in the Microsoft documentation.
To create a Log Analytics Workspace use the following steps:
From the available Azure Services, click Log Analytics Workspace.
Click Create.
In the Basics section, select an existing resource group or create a new resource group in which you want to place this Log Analytics Workspace.
Under Instance details, specify a name for the Log Analytics Workspace name and select a region.
Click Review + Create.
The new workspace is added to the Log Analytics workspaces list and workspace ID is generated.
Record the Log Analytics Workspace ID to use it while configuring the cloud collector instance.
Events are streamed into the Log Analytics workspace that you created.
Create a Data Collection Rule
Based on the data sources that you create, events are streamed into your Log Analytics workspace. Create a data collection rule based on your requirement for the required data sources. For more information, see Data collection rules and Data sources in the Microsoft Documentation. The Azure Log Analytics Cloud Collector supports various data sources such as Azure virtual machines (VMs), and Storage account log.
To create a data collection rule:
Navigate to the Log Analytics workspace that you created.
Under Connect a data source, click the data source for which you want to create a data collection rule. The logs that come from this data source are pushed to your Log Analytics workspace.
On the Create Data Collection Rule page, specify required details for rule such as rule name, subscription, and region.
After entering details for next sections, click Review + Create.
You can also create a data collection rule using Diagnostic Settings for data sources Event Hubs and Storage Accounts. Ensure that you select Send to Log Analytics workspace and the name of your Log Analytics workspace.
For more information, see Data collection rules in Azure Monitor in the Microsoft documentation.
Assign the Log Analytics Reader Role
To assign the Log Analytics Reader role to your Azure Log Analytics workspace, use the following steps:
On the Azure portal, from the available Azure Services, click Log Analytics Workspace.
Click the name of the Log Analytics workspace that you created.
In the left pane, click Access control (IAM).
Click Add and then click Add role-assignment.
In the Add role assignment section, under Role, click Log Analytics Reader.
Click Next.
In the Members section, click Select Members.
Search for and select your Microsoft Entra ID application.
Click Next and then click Review + assign.
After the role is assigned to your Log Analytics workspace, the workspace has the reader permission to view the logs.