Sentinel の CommonSecurityLog (CEF ログ) を Basic ログとして保存する
はじめに
Sentinel の CommonSecurityLog は、主にプロキシやファイアウォールから CEF 形式の syslog を転送して格納するテーブルです。Web トラフィックログのため容量が大きくなりがちで、コストを理由に取り込みを断念しているケースもあるかと思います。しかしながら、現時点では CommonSecurityLog は、コスト削減ができる Basic ログに残念ながら対応していません。
そのため裏ワザ的な方法にはなりますが、カスタムテーブルを作成して Basic ログに変更し、そちらに CommonSecurityLog テーブルと同様に CEF ログを格納します。
設定
以下を参考に、REST API から CommonSecurityLog テーブルと同じカラム構成のカスタムテーブルを作成します。
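# Create a custom Log Analytics table whose schema mirrors CommonSecurityLog,
# so that CEF logs can later be routed into it and the table switched to the
# Basic plan. Requires the Az.Accounts module (Connect-AzAccount,
# Invoke-AzRestMethod).

# parameter
$tenantId = "your tenant id"
$subscriptionId = "your subscription id"
$resourcegroup = "your resource group name"
$workspace = "your workspace name"
$tableName = "your custom table name incl. _CL"

# Custom table names carry the _CL suffix (see the placeholder above). Check it
# before logging in so a wrong name fails fast with a clear message instead of
# surfacing as an API error after the authentication round-trip.
if ($tableName -notlike "*_CL") {
    throw "tableName must end with '_CL' (got '$tableName')"
}

# Table definition: same column set as CommonSecurityLog. "MyTable_CL" is a
# placeholder that is substituted with $tableName below.
$tableParams = @'
{
"properties": {
"schema": {
"name": "MyTable_CL",
"columns": [
{"name": "TimeGenerated", "type": "datetime"},
{"name": "DeviceVendor", "type": "string"},
{"name": "DeviceProduct", "type": "string"},
{"name": "DeviceVersion", "type": "string"},
{"name": "DeviceEventClassID", "type": "string"},
{"name": "Activity", "type": "string"},
{"name": "LogSeverity", "type": "string"},
{"name": "OriginalLogSeverity", "type": "string"},
{"name": "AdditionalExtensions", "type": "string"},
{"name": "DeviceAction", "type": "string"},
{"name": "ApplicationProtocol", "type": "string"},
{"name": "EventCount", "type": "int"},
{"name": "DestinationDnsDomain", "type": "string"},
{"name": "DestinationServiceName", "type": "string"},
{"name": "DestinationTranslatedAddress", "type": "string"},
{"name": "DestinationTranslatedPort", "type": "int"},
{"name": "CommunicationDirection", "type": "string"},
{"name": "DeviceDnsDomain", "type": "string"},
{"name": "DeviceExternalID", "type": "string"},
{"name": "DeviceFacility", "type": "string"},
{"name": "DeviceInboundInterface", "type": "string"},
{"name": "DeviceNtDomain", "type": "string"},
{"name": "DeviceOutboundInterface", "type": "string"},
{"name": "DevicePayloadId", "type": "string"},
{"name": "ProcessName", "type": "string"},
{"name": "DeviceTranslatedAddress", "type": "string"},
{"name": "DestinationHostName", "type": "string"},
{"name": "DestinationMACAddress", "type": "string"},
{"name": "DestinationNTDomain", "type": "string"},
{"name": "DestinationProcessId", "type": "int"},
{"name": "DestinationUserPrivileges", "type": "string"},
{"name": "DestinationProcessName", "type": "string"},
{"name": "DestinationPort", "type": "int"},
{"name": "DestinationIP", "type": "string"},
{"name": "DeviceTimeZone", "type": "string"},
{"name": "DestinationUserID", "type": "string"},
{"name": "DestinationUserName", "type": "string"},
{"name": "DeviceAddress", "type": "string"},
{"name": "DeviceName", "type": "string"},
{"name": "DeviceMacAddress", "type": "string"},
{"name": "ProcessID", "type": "int"},
{"name": "EndTime", "type": "datetime"},
{"name": "ExternalID", "type": "int"},
{"name": "ExtID", "type": "string"},
{"name": "FileCreateTime", "type": "string"},
{"name": "FileHash", "type": "string"},
{"name": "FileID", "type": "string"},
{"name": "FileModificationTime", "type": "string"},
{"name": "FilePath", "type": "string"},
{"name": "FilePermission", "type": "string"},
{"name": "FileType", "type": "string"},
{"name": "FileName", "type": "string"},
{"name": "FileSize", "type": "int"},
{"name": "ReceivedBytes", "type": "long"},
{"name": "Message", "type": "string"},
{"name": "OldFileCreateTime", "type": "string"},
{"name": "OldFileHash", "type": "string"},
{"name": "OldFileID", "type": "string"},
{"name": "OldFileModificationTime", "type": "string"},
{"name": "OldFileName", "type": "string"},
{"name": "OldFilePath", "type": "string"},
{"name": "OldFilePermission", "type": "string"},
{"name": "OldFileSize", "type": "int"},
{"name": "OldFileType", "type": "string"},
{"name": "SentBytes", "type": "long"},
{"name": "EventOutcome", "type": "string"},
{"name": "Protocol", "type": "string"},
{"name": "Reason", "type": "string"},
{"name": "RequestURL", "type": "string"},
{"name": "RequestClientApplication", "type": "string"},
{"name": "RequestContext", "type": "string"},
{"name": "RequestCookies", "type": "string"},
{"name": "RequestMethod", "type": "string"},
{"name": "ReceiptTime", "type": "string"},
{"name": "SourceHostName", "type": "string"},
{"name": "SourceMACAddress", "type": "string"},
{"name": "SourceNTDomain", "type": "string"},
{"name": "SourceDnsDomain", "type": "string"},
{"name": "SourceServiceName", "type": "string"},
{"name": "SourceTranslatedAddress", "type": "string"},
{"name": "SourceTranslatedPort", "type": "int"},
{"name": "SourceProcessId", "type": "int"},
{"name": "SourceUserPrivileges", "type": "string"},
{"name": "SourceProcessName", "type": "string"},
{"name": "SourcePort", "type": "int"},
{"name": "SourceIP", "type": "string"},
{"name": "StartTime", "type": "datetime"},
{"name": "SourceUserID", "type": "string"},
{"name": "SourceUserName", "type": "string"},
{"name": "EventType", "type": "int"},
{"name": "DeviceEventCategory", "type": "string"},
{"name": "DeviceCustomIPv6Address1", "type": "string"},
{"name": "DeviceCustomIPv6Address1Label", "type": "string"},
{"name": "DeviceCustomIPv6Address2", "type": "string"},
{"name": "DeviceCustomIPv6Address2Label", "type": "string"},
{"name": "DeviceCustomIPv6Address3", "type": "string"},
{"name": "DeviceCustomIPv6Address3Label", "type": "string"},
{"name": "DeviceCustomIPv6Address4", "type": "string"},
{"name": "DeviceCustomIPv6Address4Label", "type": "string"},
{"name": "DeviceCustomFloatingPoint1", "type": "real"},
{"name": "DeviceCustomFloatingPoint1Label", "type": "string"},
{"name": "DeviceCustomFloatingPoint2", "type": "real"},
{"name": "DeviceCustomFloatingPoint2Label", "type": "string"},
{"name": "DeviceCustomFloatingPoint3", "type": "real"},
{"name": "DeviceCustomFloatingPoint3Label", "type": "string"},
{"name": "DeviceCustomFloatingPoint4", "type": "real"},
{"name": "DeviceCustomFloatingPoint4Label", "type": "string"},
{"name": "DeviceCustomNumber1", "type": "int"},
{"name": "FieldDeviceCustomNumber1", "type": "long"},
{"name": "DeviceCustomNumber1Label", "type": "string"},
{"name": "DeviceCustomNumber2", "type": "int"},
{"name": "FieldDeviceCustomNumber2", "type": "long"},
{"name": "DeviceCustomNumber2Label", "type": "string"},
{"name": "DeviceCustomNumber3", "type": "int"},
{"name": "FieldDeviceCustomNumber3", "type": "long"},
{"name": "DeviceCustomNumber3Label", "type": "string"},
{"name": "DeviceCustomString1", "type": "string"},
{"name": "DeviceCustomString1Label", "type": "string"},
{"name": "DeviceCustomString2", "type": "string"},
{"name": "DeviceCustomString2Label", "type": "string"},
{"name": "DeviceCustomString3", "type": "string"},
{"name": "DeviceCustomString3Label", "type": "string"},
{"name": "DeviceCustomString4", "type": "string"},
{"name": "DeviceCustomString4Label", "type": "string"},
{"name": "DeviceCustomString5", "type": "string"},
{"name": "DeviceCustomString5Label", "type": "string"},
{"name": "DeviceCustomString6", "type": "string"},
{"name": "DeviceCustomString6Label", "type": "string"},
{"name": "DeviceCustomDate1", "type": "string"},
{"name": "DeviceCustomDate1Label", "type": "string"},
{"name": "DeviceCustomDate2", "type": "string"},
{"name": "DeviceCustomDate2Label", "type": "string"},
{"name": "FlexDate1", "type": "string"},
{"name": "FlexDate1Label", "type": "string"},
{"name": "FlexNumber1", "type": "int"},
{"name": "FlexNumber1Label", "type": "string"},
{"name": "FlexNumber2", "type": "int"},
{"name": "FlexNumber2Label", "type": "string"},
{"name": "FlexString1", "type": "string"},
{"name": "FlexString1Label", "type": "string"},
{"name": "FlexString2", "type": "string"},
{"name": "FlexString2Label", "type": "string"},
{"name": "RemoteIP", "type": "string"},
{"name": "RemotePort", "type": "string"},
{"name": "MaliciousIP", "type": "string"},
{"name": "ThreatSeverity", "type": "int"},
{"name": "IndicatorThreatType", "type": "string"},
{"name": "ThreatDescription", "type": "string"},
{"name": "ThreatConfidence", "type": "string"},
{"name": "ReportReferenceLink", "type": "string"},
{"name": "MaliciousIPLongitude", "type": "real"},
{"name": "MaliciousIPLatitude", "type": "real"},
{"name": "MaliciousIPCountry", "type": "string"},
{"name": "Computer", "type": "string"},
{"name": "SourceSystem", "type": "string"},
{"name": "SimplifiedDeviceAction", "type": "string"}
]
}
}
}
'@

# replace $tableName in $tableParams
# .Replace() is a literal substitution. The -replace operator treats its right
# operand as a regex replacement pattern, where "$" sequences are group
# references, so a table name containing "$" would be silently mangled.
$tableParams = $tableParams.Replace("MyTable_CL", $tableName)

# Login. Stop on failure so the PUT below is not attempted without a context.
Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId -ErrorAction Stop

# REST API Path
$restApiPath = "/subscriptions/$subscriptionId/resourcegroups/$resourcegroup/providers/microsoft.operationalinsights/workspaces/$workspace/tables/$tableName" + "?api-version=2021-12-01-preview"

# Create custom table. Invoke-AzRestMethod returns the HTTP response rather
# than throwing on a non-success status, so check StatusCode explicitly and
# surface the response body (which holds the API's error detail) on failure.
$response = Invoke-AzRestMethod -Path $restApiPath -Method PUT -Payload $tableParams
if ($response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
    throw "Failed to create table '$tableName' (HTTP $($response.StatusCode)): $($response.Content)"
}
# Emit the response so the result is visible, as the original call did.
$response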
作成したカスタムテーブルは Log Analytics ワークスペースの [テーブル] > 該当テーブルのメニュー > [テーブルの管理] からテーブルプランを [基本] にします。
次に Sentinel の [Common Event Format (CEF) via AMA] で通常通りデータ収集ルールを作成し、CommonSecurityLog テーブルにログが保存されることを確認します。(詳細は割愛)
作成したデータ収集ルールを編集して、作成したカスタムテーブルにログが保存されるようにしていきます。対象のデータ収集ルールを開き、[テンプレートのエクスポート] から [デプロイ] をクリックします。
[テンプレートの編集] をクリックします。
dataFlows の箇所に `,"outputStream": "Custom-<テーブル名>"` を追加します。(直前の要素との区切りのカンマを忘れないようにしてください) あとはそのまま保存してデプロイします。
動作確認
上記の設定が完了すると、CommonSecurityLog テーブルではなく、作成したカスタムテーブルにログが保存されるようになります。カラム構成を同じにしているので、以下のように CommonSecurityLog と同様の検索が可能です。
注意事項
カスタムテーブルに保存する形になるため、既存で CommonSecurityLog テーブルを使用した分析ルール、ブック、ハンティング クエリなどを使用している場合はご注意ください。ログが届かなくなった CommonSecurityLog を参照し続ける分析ルールはエラーにならず単に検知しなくなるため、参照先のテーブルを新しいカスタムテーブルに書き換える必要があります。特に組み込みのコンテンツに関しては自身で修正が必要になります。
また、Basic ログは検索自体にもコストがかかるため、分析ルールなどで定期的に検索する場合は注意が必要です。