Integrate Azure Active Directory logs with ArcSight using Azure Monitor

Micro Focus ArcSight is a security information and event management (SIEM) solution that helps you detect and respond to security threats in your platform. You can now route Azure Active Directory (Azure AD) logs to ArcSight through Azure Monitor, using the ArcSight connector for Azure AD. This lets you monitor your tenant for signs of compromise from ArcSight.

In this article, you learn how to route Azure AD logs to ArcSight using Azure Monitor.

Prerequisites

To use this feature, you need:

  • An Azure event hub that contains Azure AD activity logs. Learn how to stream your activity logs to an event hub.
  • A configured instance of the ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or of ArcSight Load Balancer. If events are sent to ArcSight Load Balancer, the Load Balancer forwards them to the SmartConnector.

Download and open the configuration guide for ArcSight SmartConnector for Azure Monitor Event Hub. The guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor.

Integrate Azure AD logs with ArcSight

  1. First, complete the steps in the Prerequisites section of the configuration guide. This section includes the following steps:

    • Set user permissions in Azure, so that a user with the Owner role is available to deploy and configure the connector.
    • Open the required ports on the server that runs the Syslog NG Daemon SmartConnector, so that it is reachable from Azure.
    • The deployment runs a Windows PowerShell script, so you must enable PowerShell script execution on the machine from which you deploy the connector.
  2. Follow the steps in the Deploying the Connector section of the configuration guide to deploy the connector. This section walks you through downloading and extracting the connector, configuring the application properties, and running the deployment script from the extracted folder.

  3. Use the steps in the Verifying the Deployment in Azure section to make sure the connector is set up and functions correctly. Verify the following:

    • The requisite Azure functions are created in your Azure subscription.
    • The Azure AD logs are streamed to the correct destination.
    • The application settings from your deployment are persisted in the Application Settings of the Azure Function App.
    • A new resource group for ArcSight is created in Azure, containing an Azure AD application for the ArcSight connector and storage accounts that hold the mapping files in CEF format.
  4. Finally, complete the post-deployment steps in the Post-Deployment Configurations section of the configuration guide. This section explains the additional configuration needed on an App Service Plan to keep the function apps from going idle after a timeout, how to configure streaming of resource logs from the event hub, and how to update the Syslog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account.

  5. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. It also has a section on performance improvements, including upgrading to an Azure Consumption plan and configuring an ArcSight Load Balancer when the event load is greater than a single Syslog NG Daemon SmartConnector can handle.
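The following script is an added example and is not part of the ArcSight configuration guide or of Microsoft's documentation. It performs the post-deployment checks from step 3 with the Az PowerShell modules (resource group, function app and its persisted settings, the connector's Azure AD application, the storage accounts with the mapping files, and the Azure AD diagnostic setting that streams to the event hub), then shows how to scope the inbound syslog rule on a Windows SmartConnector host to the function app's outbound IP addresses instead of leaving the port open to the internet. Every name, the listener port, the application-setting keys and the `microsoft.aadiam` REST path and API version are assumptions; take the real values from your own deployment and the guide.

```powershell
# Added example (not from the ArcSight configuration guide): verify the SmartConnector
# deployment in Azure, then restrict the syslog listener to the connector's outbound IPs.
# Requires Az.Accounts, Az.Resources, Az.Functions, Az.Storage and Az.Websites.
param(
    [string]$ResourceGroupName = 'rg-arcsight',          # assumed: resource group the deployment creates
    [string]$FunctionAppName   = 'func-arcsight-aad',    # assumed: the connector's function app
    [string]$EventHubNamespace = 'eh-aadlogs',           # assumed: namespace receiving the Azure AD logs
    [string]$AdAppDisplayName  = 'ArcSight Connector',   # assumed: Azure AD app created for the connector
    [string[]]$RequiredSettings = @('AzureWebJobsStorage'), # assumed: app settings the deployment persists
    [int]$SyslogPort           = 514,                    # assumed: Syslog NG Daemon SmartConnector TCP listener
    [switch]$ApplyFirewallRule                           # set on the Windows SmartConnector host only
)

Connect-AzAccount | Out-Null
$failures = @()

# 1. Resource group and function app exist; deployment settings were persisted.
if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    $failures += "resource group '$ResourceGroupName' not found"
}
$app = Get-AzFunctionApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName -ErrorAction SilentlyContinue
if (-not $app) {
    $failures += "function app '$FunctionAppName' not found"
} else {
    $settings = Get-AzFunctionAppSetting -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
    foreach ($key in $RequiredSettings) {
        if ($settings.Keys -notcontains $key) { $failures += "application setting '$key' is missing" }
    }
}

# 2. The Azure AD application the connector authenticates with.
if (-not (Get-AzADApplication -DisplayName $AdAppDisplayName)) {
    $failures += "Azure AD application '$AdAppDisplayName' not found"
}

# 3. Storage accounts in the resource group and the mapping files they hold (for review).
$accounts = @(Get-AzStorageAccount -ResourceGroupName $ResourceGroupName)
if ($accounts.Count -eq 0) { $failures += "no storage account in '$ResourceGroupName'" }
foreach ($sa in $accounts) {
    foreach ($container in Get-AzStorageContainer -Context $sa.Context) {
        Get-AzStorageBlob -Container $container.Name -Context $sa.Context |
            ForEach-Object { Write-Host ("mapping file: {0}/{1}/{2}" -f $sa.StorageAccountName, $container.Name, $_.Name) }
    }
}

# 4. Azure AD diagnostic settings: audit and sign-in logs must stream to the event hub.
#    Assumed tenant-level path and API version for the Azure AD diagnostic settings API.
$resp = Invoke-AzRestMethod -Method GET -Path '/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01'
$toHub = ($resp.Content | ConvertFrom-Json).value |
    Where-Object { $_.properties.eventHubAuthorizationRuleId -like "*/namespaces/$EventHubNamespace/*" }
if (-not $toHub) {
    $failures += "no Azure AD diagnostic setting streams to namespace '$EventHubNamespace'"
} else {
    foreach ($category in 'AuditLogs', 'SignInLogs') {
        $enabled = $toHub.properties.logs | Where-Object { $_.category -eq $category -and $_.enabled }
        if (-not $enabled) { $failures += "log category '$category' is not enabled for the event hub" }
    }
}

# 5. Least exposure for the syslog listener: allow only the function app's outbound IPs.
#    Outbound IPs change when the app moves to another plan (for example the Consumption plan
#    mentioned in the performance section), so re-run this after such a change.
if ($app) {
    $site = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
    $outboundIps = $site.PossibleOutboundIpAddresses -split ','
    Write-Host "function app outbound IPs: $($outboundIps -join ', ')"
    if ($ApplyFirewallRule) {
        New-NetFirewallRule -DisplayName 'ArcSight syslog from Azure Monitor connector' `
            -Direction Inbound -Protocol TCP -LocalPort $SyslogPort `
            -RemoteAddress $outboundIps -Action Allow | Out-Null
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'ArcSight connector deployment checks passed.'
```

Run the verification part from any machine with the Az modules, and add `-ApplyFirewallRule` only when running on the Windows Server that hosts the SmartConnector; if that host is Linux, apply the same source-address restriction in its host firewall instead. The rule allows the listener only from the addresses the function app can use, which is the check most deployments skip when they "open the port so it is accessible from Azure".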

Next steps

Configuration guide for ArcSight SmartConnector for Azure Monitor Event Hub