Configure Azure Event Sources in NetWitness

This topic tells you how to configure the Azure collection protocol. Microsoft Azure is a cloud computing platform and infrastructure for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers.

Configuration in NetWitness

For complete details about configuring Azure as an event source, see the Azure Event Source Configuration Guide, available on NetWitness Link.

To configure an Azure Event Source:

  1. Go to Admin > Services from the NetWitness menu.
  2. Select a Log Collection service.
  3. Select the Actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. In the Event Sources tab, select Plugins/Config from the drop-down menu.
  6. In the Event Categories panel toolbar, click the Add icon.

    The Available Event Source Types dialog is displayed.

  7. Select azureaudit and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click the Add icon in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Define parameter values. For details, see Azure Parameters below.
  10. Click Test Connection.

    The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.

    Log Collector takes approximately 60 seconds to return the test results. If it exceeds the time limit, the test times out and NetWitness displays an error message.

  11. If the test is successful, click OK.

    The new event source is displayed in the Sources panel.

Azure Parameters

This section describes the Azure event source configuration parameters.

Basic Parameters

Note: Required parameters are marked with an asterisk. All other parameters are optional.

Name Description

Name *

Enter an alpha-numeric, descriptive name for the source. This value is only used for displaying the name on this screen.

Enabled

Select the checkbox to enable the event source configuration to start collection. The checkbox is selected by default.

Client ID *

The Client ID is found on the Azure Application Configure tab. Scroll down until you see it.

Client Secret *

When you configure the Azure application, the client secret is displayed at the moment you create a key and select its validity duration.

Make sure to save this, because you will only be able to see it once, and it cannot be retrieved later.

API Resource Base URL *

Enter https://management.azure.com/. Be sure to include the trailing slash (/).

Federation Metadata Endpoint *

In your Azure application, click the View Endpoints button (near the bottom of the pane).

Many of the listed links begin with the same string. Compare the URLs and find the common prefix shared by most of them; that common string is the endpoint to enter here.

Subscription ID *

You can find this in the Microsoft Azure dashboard: click on Subscriptions at the bottom of the list on the left.

Tenant Domain *

Go to Active Directory and click the directory. In the URL, the tenant domain is the string directly following manage.windowsazure.com/, up to and including .com.

Resource Group Names *

In Azure, select Resource groups from the left navigation pane, then select your group.

Start Date *

Choose the date from which to start collecting. Defaults to the current date.

Test Connection

Checks the configuration parameters specified in this dialog to make sure they are correct.
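
The following script is an added example, not NetWitness or Microsoft code. It applies the constraints the parameter table states (required fields, trailing slash on https://management.azure.com/, tenant domain ending in .com, start date defaulting to today) as an offline pre-check before Test Connection is run, and it shows how to log the configuration without exposing the client secret, which Azure displays only once. It never contacts Azure; the GUID check on Client ID and Subscription ID reflects the Azure identifier format, and all sample values are constructed placeholders.

```python
"""Offline pre-check of the Azure event source parameters.

Added example, not NetWitness or Microsoft code. It applies the constraints
the parameter table states and never contacts Azure. All sample values
are constructed placeholders, not real tenant data.
"""
from __future__ import annotations

import datetime as dt
import uuid
from dataclasses import asdict, dataclass

EXPECTED_BASE_URL = "https://management.azure.com/"  # value the dialog requires

# Parameters marked with an asterisk in the table. Start Date is also
# required but defaults to today, so it is handled separately.
REQUIRED = (
    "name", "client_id", "client_secret", "api_resource_base_url",
    "federation_metadata_endpoint", "subscription_id", "tenant_domain",
    "resource_group_names",
)


@dataclass
class AzureSourceConfig:
    name: str = ""
    enabled: bool = True
    client_id: str = ""
    client_secret: str = ""
    api_resource_base_url: str = ""
    federation_metadata_endpoint: str = ""
    subscription_id: str = ""
    tenant_domain: str = ""
    resource_group_names: str = ""   # comma-separated, as entered in the dialog
    start_date: str = ""             # YYYY-MM-DD; empty means "today"


def _is_guid(value: str) -> bool:
    """Client ID and Subscription ID are GUIDs in Azure."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def effective_start_date(cfg: AzureSourceConfig, today: dt.date | None = None) -> str:
    """Collection start date as YYYY-MM-DD, defaulting to today as the dialog does."""
    if not cfg.start_date:
        return (today or dt.date.today()).isoformat()
    return dt.date.fromisoformat(cfg.start_date).isoformat()


def validate(cfg: AzureSourceConfig) -> list[str]:
    """Return a list of problems; an empty list means the parameters pass."""
    problems: list[str] = []
    for key in REQUIRED:
        if not getattr(cfg, key).strip():
            problems.append(f"{key}: required parameter is empty")

    url = cfg.api_resource_base_url
    if url and not url.endswith("/"):
        problems.append("api_resource_base_url: must end with a trailing slash (/)")
    elif url and url != EXPECTED_BASE_URL:
        problems.append(f"api_resource_base_url: expected {EXPECTED_BASE_URL}")

    for key in ("client_id", "subscription_id"):
        value = getattr(cfg, key)
        if value and not _is_guid(value):
            problems.append(f"{key}: not a GUID")

    if cfg.federation_metadata_endpoint and not cfg.federation_metadata_endpoint.startswith("https://"):
        problems.append("federation_metadata_endpoint: must be an https:// URL")

    if cfg.tenant_domain and not cfg.tenant_domain.endswith(".com"):
        problems.append("tenant_domain: expected the domain up to and including .com")

    try:
        effective_start_date(cfg)
    except ValueError:
        problems.append("start_date: not a valid YYYY-MM-DD date")
    return problems


def redacted(cfg: AzureSourceConfig) -> dict:
    """Configuration as a dict with the client secret masked, safe to log or diff."""
    data = asdict(cfg)
    data["client_secret"] = "***" if cfg.client_secret else ""
    return data


def sample_config() -> AzureSourceConfig:
    """Constructed sample values (placeholders only)."""
    return AzureSourceConfig(
        name="azure-audit-prod",
        client_id="11111111-2222-3333-4444-555555555555",
        client_secret="PLACEHOLDER-SECRET",
        api_resource_base_url=EXPECTED_BASE_URL,
        federation_metadata_endpoint="https://login.example.invalid/common/",
        subscription_id="66666666-7777-8888-9999-000000000000",
        tenant_domain="example.onmicrosoft.com",
        resource_group_names="rg-audit-logs",
        start_date="2024-01-15",
    )


if __name__ == "__main__":
    cfg = sample_config()
    for problem in validate(cfg) or ["configuration passes local checks"]:
        print(problem)
    print(redacted(cfg))
```

Run the checks against the values you intend to enter, then run Test Connection in the dialog; the local checks catch the trailing-slash and tenant-domain mistakes the table warns about, while only Test Connection proves the credentials are accepted by Azure.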

Advanced Parameters

Click the expand button next to Advanced to view and edit the advanced parameters, if necessary.

Name Description

Polling Interval

Interval (amount of time in seconds) between each poll. The default value is 180.
For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.

Max Duration Poll

Maximum duration, in seconds, of a polling cycle. A zero value indicates no limit.

Max Events Poll

The maximum number of events collected per polling cycle.
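
To see how Polling Interval, Max Duration Poll and Max Events Poll interact, the following model is an added example, not Log Collector code. It follows the scheduling rule stated above (a poll is scheduled every polling_interval seconds, and if the previous cycle is still underway the collector waits for it to finish) and assumes that a cycle stops as soon as it reaches the duration cap or the event cap. The event arrival and pull rates are constructed inputs; how the real collector paces a backlog is not documented here and is an assumption of the model.

```python
"""Model of how Polling Interval, Max Duration Poll and Max Events Poll interact.

Added example, not Log Collector code. Scheduling follows the documented
rule (next poll at the scheduled time, or when the still-running previous
cycle finishes); stopping a cycle at the duration or event cap, and the
constant arrival and pull rates, are assumptions of this model.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PollSettings:
    polling_interval: int = 180  # seconds between scheduled polls (default 180)
    max_duration_poll: int = 0   # max seconds per cycle; 0 = no limit
    max_events_poll: int = 0     # max events per cycle; 0 = no limit


@dataclass
class Cycle:
    scheduled_at: int  # when the interval timer fired
    started_at: int    # when the cycle actually began (>= scheduled_at)
    ended_at: int
    events: int

    @property
    def lag(self) -> int:
        """Seconds the cycle started late because the previous one was still running."""
        return self.started_at - self.scheduled_at


def run_cycle(s: PollSettings, backlog: int, pull_rate: int) -> tuple[int, int]:
    """Return (events collected, seconds taken) for one cycle over `backlog` events."""
    events = backlog if not s.max_events_poll else min(backlog, s.max_events_poll)
    seconds = -(-events // pull_rate)  # ceiling division
    if s.max_duration_poll and seconds > s.max_duration_poll:
        seconds = s.max_duration_poll
        events = seconds * pull_rate      # assumption: the cap cuts the cycle short
    return events, seconds


def simulate(s: PollSettings, arrivals_per_second: int, pull_rate: int, cycles: int) -> list[Cycle]:
    """Run `cycles` polls; events arrive continuously at the source at `arrivals_per_second`."""
    collected = 0
    prev_end = 0
    out: list[Cycle] = []
    for i in range(cycles):
        scheduled = i * s.polling_interval
        start = max(scheduled, prev_end)   # wait if the previous cycle is still underway
        backlog = arrivals_per_second * start - collected
        events, seconds = run_cycle(s, backlog, pull_rate)
        collected += events
        prev_end = start + seconds
        out.append(Cycle(scheduled, start, prev_end, events))
    return out


if __name__ == "__main__":
    # Constructed scenario: the source produces 10 events/s but the collector
    # pulls 5 events/s. Without a duration cap each cycle overruns the 180 s
    # interval and the lag grows; with a cap the cadence holds but a backlog remains.
    for label, settings in (("no cap", PollSettings()),
                            ("max duration 120 s", PollSettings(max_duration_poll=120))):
        print(label)
        for c in simulate(settings, arrivals_per_second=10, pull_rate=5, cycles=4):
            print(f"  scheduled={c.scheduled_at:5d} start={c.started_at:5d} "
                  f"end={c.ended_at:5d} events={c.events:5d} lag={c.lag}")
```

The model makes the trade-off visible: a duration or event cap keeps each cycle inside the polling interval so other event sources are not starved of collector threads, but if the source produces events faster than a capped cycle can pull them, the uncollected backlog grows and the effective collection delay increases.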

Max Idle Time Poll

Maximum idle time, in seconds, allowed within a polling cycle. A zero value indicates no limit.

Command Args

Optional arguments to be added to the script invocation.

Debug

Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables or disables debug logging for the event source. Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). The debug logging is verbose, so limit the number of event sources to minimize performance impact.