How can we improve Microsoft Azure Security Center?

ArcSight

Allow for third-party Security Information Event Management (SIEM) tools to be operated in the cloud to monitor the event logs. Solutions such as HP ArcSight are ideally suited to monitor event data to enrich the security analytics.

25 votes

Robert Rathbun shared this idea

6 comments

  • Anonymous commented

    All the comments on this are 3 years old, and this can be done. Look in Azure Security Center (https://portal.azure.com/?cdnIndex=2&l=en.en-us#blade/Microsoft_Azure_Security/SecurityMenuBlade/6) > Security solutions:

    ArcSight is a supported SIEM.
    Here's the list:
    IBM QRadar - The Microsoft Azure DSM and Microsoft Azure Event Hub Protocol are available for download from the IBM support website. You can learn more about the integration with Azure here.
    Splunk - Depending on your Splunk setup, there are two approaches:
    The Azure Monitor Add-On for Splunk is available in Splunkbase and as an open source project. Documentation is here.
    If you cannot install an add-on in your Splunk instance (e.g. if using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector using this Function, which is triggered by new messages in the event hub.
    SumoLogic - Instructions for setting up SumoLogic to consume data from an event hub are available here.
    ArcSight - The ArcSight Azure Event Hub smart connector is available as part of the ArcSight smart connector collection here.
    Syslog server - If you want to stream Azure Monitor data directly to a syslog server, you can check out this GitHub repo.
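Every integration in the comment above starts from the same place: Azure Monitor writes each log batch to an event hub as a JSON message with a "records" array, and the connector or Function on the other side reshapes each record for the SIEM. The following is an added example (not code from Azure, ArcSight, Splunk or the commenter) that does that reshaping for two of the listed paths: CEF lines for an ArcSight/syslog-style collector and HTTP Event Collector envelopes for Splunk. It assumes the documented "records" batch shape with Activity Log field names (time, resourceId, operationName, category, level, resultType, callerIpAddress, identity.claims.name); the DEVICE_* strings, the level-to-severity mapping and the sample records are placeholders constructed for the example. It also escapes the characters CEF reserves, which is the part a hand-rolled forwarder most often gets wrong and which corrupts parsing downstream.

```python
"""Reshape an Azure Monitor event-hub batch into CEF lines and Splunk HEC envelopes.

Added example, not code from Azure, ArcSight, Splunk or the commenter. Assumptions:
- each event-hub message is a JSON object with a top-level "records" array;
  field names used below are the common Activity Log ones;
- DEVICE_* strings and SEVERITY_BY_LEVEL are placeholders chosen for this example.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

DEVICE_VENDOR = "ExampleVendor"   # placeholder, not a real vendor string
DEVICE_PRODUCT = "AzureMonitor"   # placeholder
DEVICE_VERSION = "1.0"            # placeholder

# Assumed mapping from Azure Monitor "level" onto the CEF 0..10 severity scale
SEVERITY_BY_LEVEL = {"Informational": 3, "Warning": 6, "Error": 8, "Critical": 10}

# Constructed sample batch (two Activity Log style records), not captured data
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({"records": [
    {"time": "2023-04-01T12:00:00.000Z",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "category": "Administrative", "resultType": "Success", "level": "Warning",
     "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {"name": "alice@example.com"}}},
    {"time": "2023-04-01T12:05:30Z",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1",
     "operationName": "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
     "category": "Administrative", "resultType": "Start", "level": "Informational",
     "callerIpAddress": "198.51.100.7",
     "identity": {"claims": {"name": "svc=deploy"}}},   # '=' must be escaped in CEF
]})


def epoch_millis(iso_time: str) -> int:
    """Azure timestamps are ISO-8601 UTC with optional fractional seconds; CEF 'rt' wants epoch ms."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            dt = datetime.strptime(iso_time, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp() * 1000)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {iso_time}")


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe are the reserved characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and line breaks are reserved."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def record_to_cef(record: Dict[str, Any]) -> str:
    """Build one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    operation = str(record.get("operationName", "unknown"))
    severity = SEVERITY_BY_LEVEL.get(str(record.get("level", "")), 3)
    claims = (record.get("identity") or {}).get("claims") or {}
    extension = {
        "rt": str(epoch_millis(record["time"])) if "time" in record else "",
        "cat": str(record.get("category", "")),
        "outcome": str(record.get("resultType", "")),
        "src": str(record.get("callerIpAddress", "")),
        "suser": str(claims.get("name", "")),
        "cs1Label": "resourceId",
        "cs1": str(record.get("resourceId", "")),
    }
    header = "|".join(escape_header(f) for f in (
        "CEF:0", DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION,
        operation, operation, str(severity)))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items() if v)
    return f"{header}|{ext}"


def record_to_hec(record: Dict[str, Any]) -> Dict[str, Any]:
    """Splunk HTTP Event Collector envelope: the raw record goes under 'event'."""
    envelope: Dict[str, Any] = {"sourcetype": "azure:monitor", "event": record}
    if "time" in record:
        envelope["time"] = epoch_millis(record["time"]) / 1000.0  # HEC 'time' is epoch seconds
    return envelope


def batch_to_cef(message: str) -> List[str]:
    """One event-hub message carries a 'records' array; emit one CEF line per record."""
    return [record_to_cef(r) for r in json.loads(message).get("records", [])]


if __name__ == "__main__":
    for line in batch_to_cef(SAMPLE_EVENT_HUB_MESSAGE):
        print(line)
```

In an Azure Function triggered by the event hub, `batch_to_cef` would run over each delivered message and the lines would be written to the syslog or ArcSight connector; `record_to_hec` produces the body to POST to the Splunk HEC endpoint. Keeping the whole record under `event` in the HEC path preserves fields the mapping does not know about, which matters for audit and Azure AD log categories whose schemas differ from the Activity Log.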

  • Erik commented

    Any update? Agree with Ben (Collect all logs including Azure Portal logs to ArcSight)

  • Ben Virkler commented

    I think he's talking about going the other direction. At least that's what I'd like to do. We currently use ArcSight to collect logs from various systems across the enterprise and monitor for certain security-related events. We would like to feed logs from Azure (VM events/logs, Azure Portal audit logs, Azure AD logs) into ArcSight to leverage our existing monitoring/alerting investment.
