Barracuda XDR

Integrating Azure


Barracuda XDR retrieves Audit Logs, Sign In Logs, and Activity Logs from Microsoft Azure. These items are read from the Azure Event Hub.


Requirements

To optimize performance and cost, configure the storage account with the lowest possible retention period (such as one hour, with forced deletion), because the account's primary role is short-term storage.

For more information, see https://learn.microsoft.com/en-us/entra/fundamentals/licensing.

Integrating Microsoft Azure requires the following procedures:

  • Part 1: Setting Up Azure Event Hub

    • To create Event Hub Namespaces

  • Part 2: Configuring Storage Accounts

    • To initialize Storage Accounts

    • To set up Event Hub Entities

    • To set up an Event Hub Shared Access Policy

  • Part 3: Updating Diagnostic Settings

    • To update diagnostic settings for the sign in log

    • To update diagnostic settings for the audit log and activity log

    • To set up Microsoft Defender for Cloud

  • Part 4: Barracuda XDR Dashboard Setup for Azure


Part 1: Setting Up Azure Event Hub

To create Event Hub Namespaces
  1. Navigate to the Azure Event Hub.

    EventHubNamespaces.png

  2. Create three event hub namespaces dedicated to each of the following:

    1. Activity Logs

    2. Audit Logs

    3. Sign In Logs

      WARNING
      The Event Hub Namespace Name must:

      • Contain at least eight characters.

      • Not contain special characters.

      In Pricing Tier, select Basic.

      In Networking, select Public Access.

      NOTES
      We recommend the following naming convention:

      • xdr-azure-activity-logs

      • xdr-azure-audit-logs

      • xdr-azure-sign-in-logs

      CreateNamespaces.png

  3. Click Review and Create.

    ListofEventHubs.png

The deployment may take a while.


Part 2: Configuring Storage Accounts

Configuring storage accounts requires the following procedures:

  • To initialize Storage Accounts

  • To set up Event Hub Entities

  • To set up an Event Hub Shared Access Policy

To initialize storage accounts
  1. Navigate to Storage Accounts.

    • Audit Logs

    • Sign In Logs

    • Activity Logs
      NOTES
      We recommend the following naming convention:

      • xdr-azure-activity-logs

      • xdr-azure-audit-logs

      • xdr-azure-sign-in-logs

      CreateStorage Account.png

  2. Click Review and Create.

The deployment may take a while.

EvenHubEntity.png

To set up Event Hub Entities

  1. In Microsoft Azure, navigate to Event Hubs.

  2. In Event Hubs, select the check box of an Event Hub Namespace that you created in the previous procedure.
    NOTE

    We recommend the following naming convention:

    • xdr-azure-activity-logs

    • xdr-azure-audit-logs

    • xdr-azure-sign-in-logs

    CreateEventHub.png

  3. Click Create Event Hub.

  4. Repeat steps 2-3 for the rest of the namespaces.

  5. Click Review and Create.

    EventHubs4.png

The deployment may take a while.

To set up an Event Hub Shared Access Policy

  1. In Event Hubs, on the right, click the link for the Event Hub Namespace that you created in the previous procedure.
    WARNING
    Do not click Shared Access Policies under Settings.

    EventHubs3.png

  2. Click Shared Access Policies.

    ActivityLogsSettings.png

  3. Click Add.

    AddSAS.png

  4. In Add SAS Policy, in Policy Name, type the name of the namespace.

  5. Select the Manage checkbox.

  6. Repeat steps 1-5 for the rest of the namespaces.


Part 3: Updating Diagnostic Settings

To update diagnostic settings for the sign in log
  1. Navigate to Microsoft Entra ID.

  2. In the Monitoring and Health section, click Sign-in logs.

    Monitoring and Health Sign in Entra.png
  3. Click Export Data Settings.

    ExportDataSettings.png

  4. Click Add diagnostic setting.

    DiagnosticSettings.png

  5. Do the following:

    • In Diagnostic setting name, type the name of your sign in log.

    • Select the following checkboxes:

      • SignInLogs

      • NonInteractiveUserSignInLogs

      • ServicePrincipalSignInLogs

      • ManagedIdentitySignInLogs

      • Stream to an event hub

    • Select the correct Subscription and Event hub namespace (Ex: xdr-azure-sign-in-logs).

      DiagnosticSettings2.png

  6. Click Save.

To update diagnostic settings for the audit log
  1. Navigate to Microsoft Entra ID.

    Entra ID Navigate.png
  2. In the Monitoring and Health section, click Audit logs.

  3. Click Export Data Settings.

    ExportDataSettings.png

  4. Click Add diagnostic setting.

    DiagnosticSettings.png
  5. Do the following:

    • In Diagnostic setting name, type the name of your audit log namespace.

    • Select the following checkboxes:

      • AuditLogs

      • Stream to an event hub

    • Select the correct Subscription and Event hub namespace (Ex: xdr-azure-audit-logs).

      DiagnosticSettings3.png

  6. Click Save.

  7. Continue to the following procedure.

To update diagnostic settings for the activity log
  1. After performing the previous procedure, click the Sign-in Logs link in the navigation at the top of the page.

  2. Click Export Data Settings.

    ExportDataSettings.png

  3. Click the Add diagnostic setting link.

    DiagnosticSettings5.png

  4. Do the following:

    • In Diagnostic setting name, type the name of your activity log namespace.

    • Select the following checkboxes:

      • ProvisioningLogs

      • ADFSSignInLogs

      • RiskyUsers

      • UserRiskEvents

      • Stream to an event hub

    • Select the correct Subscription and Event hub namespace (Ex: xdr-azure-activity-logs).

      ActivityLogs (2).png

  5. Click Save.

To set up Microsoft Defender for Cloud (Optional)
  1. Navigate to Microsoft Defender for Cloud.

    DefenderForCloud.png

  2. Under Management, click Environment settings.

    DefenderForCloud2.png

  3. Select your subscription.

  4. If you're setting up for the first time, set Servers and Storage to On, then click Save.

    DefenderForCloud3.png


    WARNING
    Enabling Microsoft Defender for Servers while another EDR is active can lead to performance issues.

  5. Under the Settings section, click Continuous Exports.

  6. Do the following:

  7. Select the Security recommendations checkbox, and select All recommendations.

  8. In Security Alerts, select Low, Medium, High, Informational.

  9. Turn Streaming Updates on.

  10. Turn Snapshots off.

  11. In Export configuration, select your subscription.

    ExportConfiguration.png

  12. In Export Target, do the following:

    • In Subscription, select your subscription.

    • In Event Hub namespace, select the name of your activity log.

    • In Event Hub name, select the name of your activity log.

    • In Event hub policy name, select the name of your activity log.

      ExportTarget.png

  13. Click Save.


Part 4: Setting up Barracuda XDR Dashboard

  1. Open two browser windows/tabs:

    • In one window, open Azure.

    • In the other window, open Barracuda XDR Dashboard.

  2. In Barracuda XDR Dashboard, click Setup > Integrations.

  3. On the Microsoft Azure card, click Setup.

    AzureSetupCard.png

  4. In the XDR Dashboard window, select the Enabled checkbox.

  5. In the Azure window, in the left navigation menu, click the name of the XDR Azure Activity log.

    NOTE If you followed the naming convention, the name is xdr-azure-activity-logs.

  6. Under Entities, click Event Hubs.

  7. Copy the Event Hub Name from the Azure window and paste it into the XDR Dashboard window, in the Activity Logs area, in the Event Hub Name field.

  8. In the Azure window, in the Event Hubs list in the center of the screen, click the name of the activity log.
    NOTE If you followed the naming convention, the name is xdr-azure-activity-logs.

  9. On the activity log page, in Settings in the left navigation menu, click Shared access policies.

    WARNING If you are on the correct page, Shared access policies is in the navigation menu on the extreme left of your screen. If Shared access policies is in a menu closer to the center of your screen, ensure you clicked the name of the activity log in the previous step.

  10. On the Shared access policies page, click the name of the Shared access policy.
    NOTE If you followed the naming convention, the name is xdr-azure-activity-logs.

  11. Copy the Connection string-primary key and paste it into the XDR Dashboard window, in the Connection String field, in the Activity Logs area.
    NOTE The Connection String must be from the event hub within the entity of the namespace. If it is, it ends with "EntityPath=[EventHubName]", where [EventHubName] is the exact name of the event hub.

  12. In the Azure window, click Home. Then click the Storage accounts icon. Then click the xdrazureactivitylogs link. Then copy the name of the log at the top of the page and paste it into the XDR Dashboard window, in the Storage Account field, in the Activity Logs area.

  13. In the Azure window, in the left navigation menu, click Access keys. In the key1 area, in the Key field, click the Show button. Then click the Copy to clipboard icon and paste the key into the XDR Dashboard window, in the Activity Logs Storage Account Key field, in the Activity Logs area.

  14. Repeat steps 5-14 for the following:

    • Audit Logs

    • Sign In Logs

  15. In the Barracuda XDR window, click Save.
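The note in step 11 says a correct connection string ends with "EntityPath=[EventHubName]". The following check is an added example, not part of Barracuda's documentation or tooling: it parses a copied connection string, reports whether it is scoped to the expected event hub, and masks the key for logging. The function names and the sample strings (including the key) are constructed for illustration.

```python
import re

REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")

def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict. Only the first '=' separates
    key from value, so base64 padding in SharedAccessKey is preserved."""
    fields = {}
    for part in conn.strip().strip(";").split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment: {part!r}")
        fields[key.strip()] = value.strip()
    return fields

def check_connection_string(conn, event_hub_name):
    """Return a list of problems; an empty list means the string is usable."""
    try:
        fields = parse_connection_string(conn)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {k}" for k in REQUIRED if not fields.get(k)]
    endpoint = fields.get("Endpoint", "")
    if endpoint and not re.fullmatch(r"sb://[A-Za-z0-9-]+\.[A-Za-z0-9.-]+/?", endpoint):
        problems.append("Endpoint is not an sb://<namespace>.<domain>/ URI")
    entity = fields.get("EntityPath")
    if entity is None:
        # Copied from the namespace's policy rather than the event hub's policy.
        problems.append("no EntityPath: namespace-level connection string")
    elif entity != event_hub_name:  # exact, case-sensitive match per the note
        problems.append(f"EntityPath {entity!r} does not match {event_hub_name!r}")
    return problems

def redact(conn):
    """Mask the key so the string can be logged or attached to a ticket."""
    return re.sub(r"(SharedAccessKey=)[^;]+", r"\1<redacted>", conn)

# Constructed sample values; the key is a placeholder, not a real secret.
HUB = "xdr-azure-activity-logs"
NAMESPACE_LEVEL = (f"Endpoint=sb://{HUB}.servicebus.windows.net/;"
                   f"SharedAccessKeyName={HUB};SharedAccessKey=Q09OU1RSVUNURUQ=")
HUB_LEVEL = NAMESPACE_LEVEL + f";EntityPath={HUB}"

if __name__ == "__main__":
    for label, conn in (("hub-level", HUB_LEVEL), ("namespace-level", NAMESPACE_LEVEL)):
        print(label, redact(conn), check_connection_string(conn, HUB) or "OK")
```

Run the same check for the audit and sign-in connection strings, passing each one's own event hub name.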