Cloud Security Posture Management on Microsoft Azure with Wazuh

Wazuh 4.5.3

Cloud Security Posture Management (CSPM) is essential to ensuring the security and compliance of cloud environments. Cloud environments are especially prone to security misconfigurations: over-permissive identities and roles, gaps in network configuration, and insecurely configured services.

Cloud Security Posture Management addresses these challenges by continuously monitoring and assessing cloud workloads to identify vulnerabilities and potential security risks. It also provides remediation steps to rectify the potential security risks identified in the cloud environment.

Wazuh is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments. Microsoft Azure is a comprehensive cloud computing platform that offers a wide range of services to help businesses build, deploy, and manage their applications and infrastructure.

This blog post demonstrates how to use Wazuh to monitor Microsoft Azure security posture.

Infrastructure

This demonstration requires the following components.

  • A pre-built, ready-to-use Wazuh OVA 4.5.3. Follow the Virtual Machine (OVA) – Installation guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Microsoft Azure account with an active subscription and global administrative privileges.

Integrating Wazuh with Microsoft Azure

In this setup, Wazuh integrates with Azure through a Log Analytics workspace. A Log Analytics workspace is a dedicated store for log data collected by Azure Monitor and other Azure services, such as Microsoft Defender for Cloud. Wazuh's native Azure module (the azure-logs wodle configured later in this post) authenticates as a service principal, queries the workspace, and forwards the returned rows to the Wazuh analysis engine.

Below is a summary of the actions performed on Azure to integrate with Wazuh.

  • Creating a service principal application: This involves registering an application in Microsoft Entra ID, which automatically creates a service principal for the application registration. The service principal is the application's identity in the Microsoft Entra tenant, and its access to resources is limited to the roles assigned to it.
  • Creating a Log Analytics workspace: The workspace stores the exported log data and is identified by a unique workspace ID and resource ID. The Wazuh Azure module is then configured to query the workspace for new data.
  • Enabling Microsoft Defender for Cloud: We enable Microsoft Defender for Cloud on all resources in the Azure subscription and configure it to continuously export its security alerts and recommendations to the Log Analytics workspace.

Microsoft Azure

Creating a service principal application

We create a Microsoft Entra ID application that Wazuh uses to authenticate to the Log Analytics workspace. Microsoft Entra ID is Microsoft's cloud identity directory service (formerly Azure Active Directory).

1. In the Search bar of the Azure portal, type Microsoft Entra ID, then select the same service name. Select App registrations from the Default Directory on the sidebar menu.

2. Select + New registration from the command bar to create a new service principal application.

3. On the opened form, enter a unique name for the application and click Register. Note the Application (client) ID on the application overview page.

Service principal application registration
Figure 1: Service principal application registration.

4. On the opened application overview page: 

  • Select Certificates & secrets from the sidebar menu. 
  • Click on the Client secrets tab. 
  • Click + New client secret. Enter a description for the secret, select the expiry period, and click Add.
  • Copy and save the client secret value.

Note:

You can only view the client secret value immediately after creation. Save it before leaving the page. The secret stops working at the end of the expiry period you selected, after which the Wazuh module can no longer authenticate, so record that date and plan to rotate the secret and update the credentials file on the Wazuh server before then.

Posture Management Client secret creation
Figure 2: Client secret creation.

5. On the application overview page, select API permissions, then select + Add a permission.

6. On the Request API permissions page:

  • Click on the APIs my organization uses tab.
  • Search for Log Analytics and select Log Analytics API from the list. 
  • Click on Application permissions.
  • Select the Read Log Analytics data permission.
  • Click Add permissions.
  • On the API permissions page, Click on Grant admin consent for Default Directory.
  • Click Yes.

API permission
Figure 3: Add API permission to the service principal application.

Create a Log Analytics workspace

We create the Log Analytics workspace from which Wazuh retrieves log data.

1. In the search bar of the Azure portal, type Log Analytics workspaces, then select the same service name. Select + Create from the command bar to create a new workspace.

2. On the opened form, under Resource group, select Create new, enter a unique name for the resource group, and click OK.

3. In the Instance details section, enter a unique name for the Log Analytics workspace.

4. Select the Review + Create tab. Once validation has passed, select Create. Wait for the new workspace to be provisioned; this may take a few minutes.

Log Analytics workspace
Figure 4: Create a Log Analytics workspace.

5. In the search bar of the Azure portal, type Log Analytics workspaces, then select the new workspace. Copy the Workspace ID from the Essentials section; it is used later in the Wazuh configuration.

Log Analytics workspace ID
Figure 5: Log Analytics workspace ID

6. Click on the Access control (IAM) on the sidebar menu of the Log Analytics workspace page. 

  • Click + Add on the command bar and select Add role assignment.
  • On the Add role assignment page, search for Log Analytics Reader. Select it and click Next.
  • On the Members page, click + Select members.
  • Search for your service principal application name in the Select members box and click Select.
  • Click Next, then Review + assign.

Log Analytics Reader is a read-only role, and this assignment is scoped to the single workspace, which is all the Wazuh module needs. Do not give the service principal Contributor or a subscription-wide role.

Posture Management Access Control
Figure 6: Access control on Log Analytics workspace

7. In the Search bar of the Azure portal, type Microsoft Entra ID, then select the same service name.

8. Copy the tenant's Primary domain from the Basic information section. It is used as the tenantdomain value in the Wazuh configuration.

Primary domain
Figure 7: Primary domain

Enable Microsoft Defender for Cloud

We enable and configure Microsoft Defender for Cloud to report all security misconfigurations using its CSPM module.

1. In the search bar of the Azure portal, type Microsoft Defender, then select Microsoft Defender for Cloud.

2. Select Getting started on the sidebar menu. On the Getting started page, under the Upgrade tab, select your subscription, and then click the Upgrade button at the bottom of the page.

Microsoft Defender for Cloud
Figure 8: Enable Microsoft Defender for Cloud.

3. In the left menu of Microsoft Defender for Cloud:

  • Navigate to the Management section, select Environment settings
  • Expand Azure > Tenant Root Group to reveal your Azure subscription.
  • Select your Azure subscription.

On the Settings page, verify that the Status of each plan is On; otherwise, click Enable all plans and Save.

Azure subscription
Figure 9: Enable all plans on the Azure subscription

4. Click Continuous export on the sidebar menu, then click the Log Analytics workspace tab to configure Defender to continuously send data to the Log Analytics workspace. Select the Security alerts and Regulatory compliance checkboxes. The Wazuh configuration in the next section also queries the SecurityRecommendation table, which is populated only when Security recommendations is selected for export, so select that checkbox as well if you want recommendations to reach Wazuh.

Continuous export Set Up
Figure 10a: Set up continuous export.

5. Scroll down to the Export target section and select the resource group created for the Log Analytics workspace, your Azure subscription, and the target workspace. Click Save.

Posture Management continuous export
Figure 10b: Set up continuous export.

6. In the left menu of Microsoft Defender for Cloud:

  • Navigate to the Management section and select Environment settings.
  • Expand Azure > Tenant Root Group > your Azure subscription.
  • Select the Log Analytics workspace created above.
  • Verify that the Status of each plan is On; otherwise, click Enable all plans and Save.

Posture Management log analytics workspace
Figure 11: Enable all plans on the Log Analytics workspace

Wazuh server

Configure the Wazuh server to receive logs from Microsoft Azure by performing the following steps.

Note: Run the following commands as the root user.

1. Create a credentials directory in the /var/ossec/wodles/ directory:

# mkdir /var/ossec/wodles/credentials

2. Create a /var/ossec/wodles/credentials/log_analytics_credentials file:

# touch /var/ossec/wodles/credentials/log_analytics_credentials

3. Update the /var/ossec/wodles/credentials/log_analytics_credentials file as shown below:

application_id = <SERVICE_PRINCIPAL_APPLICATION_ID>
application_key = <CLIENT_SECRET_VALUE>

Replace:

  • <SERVICE_PRINCIPAL_APPLICATION_ID> with the Application (client) ID noted during the app registration.
  • <CLIENT_SECRET_VALUE> with the client secret value saved earlier.

This file holds a long-lived secret. Restrict it so that only root can read it (for example, owner root and mode 0600); the module that reads it runs as root.

4. Append the following content to the /var/ossec/etc/ossec.conf configuration file. The configuration specifies how Wazuh connects to Azure:

<ossec_config>
  <wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>yes</run_on_start>
    <interval>5m</interval>

    <log_analytics>
        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain><PRIMARY_DOMAIN></tenantdomain>

        <request>
            <tag>azurefindings</tag>
            <query>SecurityRecommendation</query>
            <workspace><LOG_ANALYTICS_WORKSPACE_ID></workspace>
            <time_offset>1d</time_offset>
        </request>

        <request>
            <tag>azurefindings</tag>
            <query>SecurityAlert</query>
            <workspace><LOG_ANALYTICS_WORKSPACE_ID></workspace>
            <time_offset>1d</time_offset>
        </request>

    </log_analytics>
  </wodle>
</ossec_config>

Note: The interval value is the time between consecutive executions of the azure-logs module; set it to a value your infrastructure can tolerate. With run_on_start set to yes, the module also runs once when the Wazuh manager starts, and time_offset determines how far back in time each query reaches (1d means one day).

Replace:

  • <PRIMARY_DOMAIN> with the domain name of the Azure tenant copied above.
  • <LOG_ANALYTICS_WORKSPACE_ID> with the ID of the Log Analytics workspace created above.
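
Before restarting the manager, it is worth confirming that the service principal can actually authenticate and read the workspace, because a missing role assignment or an unconsented API permission otherwise only shows up as empty results or errors in the module log. The script below is an added example and is not code from the Wazuh module. It parses the credentials file in the format shown above, obtains a token with the OAuth 2.0 client-credentials grant from the standard Microsoft identity endpoint, and runs a one-row query against the Log Analytics API, mirroring one of the request blocks above. The function names, the replaceable post transport, and the paths are this example's own; whether the Wazuh module uses exactly these endpoints internally is not stated on the page and is not assumed.

```python
"""Pre-flight check for the azure-logs integration (added example, not Wazuh code).

Reads the credentials file, obtains a bearer token for the service principal and
runs a one-row KQL query against the Log Analytics workspace, so that a permission
or consent problem surfaces before the Wazuh manager is restarted.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Standard Microsoft identity platform (v2.0) and Log Analytics API endpoints.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"
SCOPE = "https://api.loganalytics.io/.default"


def parse_credentials(text):
    """Parse the 'key = value' lines of log_analytics_credentials."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip()
    missing = {"application_id", "application_key"} - creds.keys()
    if missing:
        raise ValueError(f"credentials file is missing {sorted(missing)}")
    return creds


def http_post(url, body, headers):
    """Live transport: POST raw bytes and return (status, response text).
    Passed in as the `post` argument so an offline test can substitute a fake."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_token(tenant, app_id, app_key, post=http_post):
    """Client-credentials grant: exchange the application ID and secret for a bearer token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_key,
        "scope": SCOPE,
    }).encode()
    status, body = post(TOKEN_URL.format(tenant=tenant), form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed ({status}): {body}")
    return json.loads(body)["access_token"]


def query_workspace(token, workspace_id, kql, post=http_post):
    """Run a KQL query and flatten the first result table into a list of dicts."""
    body = json.dumps({"query": kql}).encode()
    status, text = post(QUERY_URL.format(workspace=workspace_id), body,
                        {"Authorization": f"Bearer {token}",
                         "Content-Type": "application/json"})
    if status == 403:
        raise PermissionError("403 from Log Analytics: check the Log Analytics Reader "
                              "assignment on the workspace and the admin-consented "
                              "'Read Log Analytics data' API permission")
    if status != 200:
        raise RuntimeError(f"query failed ({status}): {text}")
    table = json.loads(text)["tables"][0]
    columns = [column["name"] for column in table["columns"]]
    return [dict(zip(columns, row)) for row in table["rows"]]


def preflight(credentials_text, tenant, workspace_id,
              table="SecurityRecommendation", post=http_post):
    """Mirror one <request> block: same table, one-day look-back like time_offset 1d."""
    creds = parse_credentials(credentials_text)
    token = get_token(tenant, creds["application_id"], creds["application_key"], post)
    kql = f"{table} | where TimeGenerated > ago(1d) | take 1"
    return query_workspace(token, workspace_id, kql, post)


if __name__ == "__main__":
    import sys  # usage: python3 preflight.py <tenant primary domain> <workspace ID>
    with open("/var/ossec/wodles/credentials/log_analytics_credentials") as fh:
        rows = preflight(fh.read(), sys.argv[1], sys.argv[2])
    print(f"OK: {len(rows)} row(s); columns: {sorted(rows[0]) if rows else 'none in the last day'}")
```

Run it as root on the Wazuh server with the tenant primary domain and workspace ID as arguments. An empty result with status 200 is fine (nothing was exported in the last day yet); a 403 means the role assignment or API permission is wrong, and a token error means the application ID, secret or tenant domain is wrong.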

5. Create a rule file azure_posture.xml in the /var/ossec/etc/rules/ directory and add the following custom rules to detect Azure posture findings:

<group name="azure,">

  <rule id="100200" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityRecommendation</field>
    <description>Azure Security Posture: $(RecommendationName).</description>
  </rule>
  
  <rule id="100201" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityAlert</field>
    <field name="ResourceId">Microsoft.Compute</field>
    <description>Azure Security Posture: $(DisplayName).</description>
    <mitre>
      <id>T1651</id>
    </mitre>
  </rule>

  <rule id="100202" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityAlert</field>
    <field name="ResourceId">microsoft.keyvault</field>
    <description>Azure Security Posture: $(DisplayName).</description>
    <mitre>
      <id>T1098.004</id>
    </mitre>
  </rule>

  <rule id="100203" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityAlert</field>
    <field name="ResourceId">Microsoft.Web</field>
    <description>Azure Security Posture: $(DisplayName).</description>
    <mitre>
      <id>T1648</id>
    </mitre>
  </rule>
  
  <rule id="100204" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityAlert</field>
    <field name="ResourceId">Microsoft.ApiManagement</field>
    <description>Azure Security Posture: $(DisplayName).</description>
    <mitre>
      <id>T1059.009</id>
    </mitre>
  </rule> 
  
  <rule id="100205" level="10">
    <if_sid>87801</if_sid>
    <field name="Type">SecurityAlert</field>
    <field name="ResourceId">Microsoft.ContainerService|cluster</field>
    <description>Azure Security Posture: $(DisplayName).</description>
    <mitre>
      <id>T1609</id>
    </mitre>
  </rule> 

</group>

Where:

  • Rule ID 100200 is triggered when Wazuh receives a new security posture recommendation from Azure.
  • Rule ID 100201 is triggered on a Defender for Cloud security alert for an Azure Virtual Machine.
  • Rule ID 100202 is triggered on a security alert for an Azure Key Vault.
  • Rule ID 100203 is triggered on a security alert for an Azure App Service.
  • Rule ID 100204 is triggered on a security alert for Azure API Management.
  • Rule ID 100205 is triggered on a security alert for Azure containers and Kubernetes clusters.

All six rules are children of rule 87801, the built-in Wazuh rule that matches events from the Azure Log Analytics integration, and each <field> value is matched as a regular expression against the corresponding column of the event, so Microsoft.ContainerService|cluster matches either string. Alerts for resource types not listed here (for example, storage accounts) still match rule 87801 but none of these custom rules; add a rule for each resource type you want to classify.
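
To check how these rules classify events before restarting the manager, the following added example (not Wazuh's own code) replays constructed SecurityRecommendation and SecurityAlert rows through a small approximation of the rule evaluation: each <field> pattern is applied as a case-insensitive regular-expression search over the named column, the first matching child rule wins, and $(field) placeholders in the description are expanded from the event. The sample rows and the helper names are this example's own; only the column names follow the Log Analytics tables, and treating the patterns as case-insensitive regexes is an approximation of Wazuh's osregex syntax.

```python
"""Offline dry run of the custom rules in azure_posture.xml (added example, not Wazuh code).

Approximates how the Wazuh analysis engine evaluates the <field> conditions of rules
100200-100205 so you can see which rule a given row triggers and which rows fall
through to the generic parent rule 87801. Assumptions: <field> patterns behave as
case-insensitive regex searches (an approximation of osregex) and the first matching
child wins. Sample rows are constructed; only their column names follow Log Analytics.
"""
import re

# (rule id, level, {field: pattern}, description template, MITRE technique)
CUSTOM_RULES = [
    (100200, 10, {"Type": "SecurityRecommendation"},
     "Azure Security Posture: $(RecommendationName).", None),
    (100201, 10, {"Type": "SecurityAlert", "ResourceId": "Microsoft.Compute"},
     "Azure Security Posture: $(DisplayName).", "T1651"),
    (100202, 10, {"Type": "SecurityAlert", "ResourceId": "microsoft.keyvault"},
     "Azure Security Posture: $(DisplayName).", "T1098.004"),
    (100203, 10, {"Type": "SecurityAlert", "ResourceId": "Microsoft.Web"},
     "Azure Security Posture: $(DisplayName).", "T1648"),
    (100204, 10, {"Type": "SecurityAlert", "ResourceId": "Microsoft.ApiManagement"},
     "Azure Security Posture: $(DisplayName).", "T1059.009"),
    (100205, 10, {"Type": "SecurityAlert", "ResourceId": "Microsoft.ContainerService|cluster"},
     "Azure Security Posture: $(DisplayName).", "T1609"),
]


def field_matches(pattern, value):
    """Approximate a <field> test: regex search over the event's field value."""
    return value is not None and re.search(pattern, str(value), re.IGNORECASE) is not None


def match_rule(event, rules=CUSTOM_RULES):
    """Return the first rule whose every <field> condition matches the event, else None."""
    for rule in rules:
        conditions = rule[2]
        if all(field_matches(pattern, event.get(field)) for field, pattern in conditions.items()):
            return rule
    return None


def render_description(template, event):
    """Expand $(field) placeholders the way Wazuh fills dynamic fields into descriptions."""
    return re.sub(r"\$\(([^)]+)\)", lambda m: str(event.get(m.group(1), "")), template)


def evaluate(event):
    """Return (rule id, MITRE id, rendered description), or None when only rule 87801 applies."""
    rule = match_rule(event)
    if rule is None:
        return None
    rule_id, _level, _conditions, template, mitre = rule
    return rule_id, mitre, render_description(template, event)


# Constructed rows shaped like the columns the azure-logs module returns from the
# SecurityRecommendation and SecurityAlert tables; all values are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
SAMPLE_EVENTS = [
    {"Type": "SecurityRecommendation",
     "RecommendationName": "Secure transfer to storage accounts should be enabled",
     "ResourceId": SUB + "Microsoft.Storage/storageAccounts/sa1"},
    {"Type": "SecurityAlert", "DisplayName": "[SAMPLE ALERT] Suspicious authentication activity",
     "ResourceId": SUB + "Microsoft.Compute/virtualMachines/vm1"},
    {"Type": "SecurityAlert", "DisplayName": "[SAMPLE ALERT] Unusual application accessed a key vault",
     "ResourceId": SUB.lower() + "microsoft.keyvault/vaults/kv1"},
    {"Type": "SecurityAlert", "DisplayName": "[SAMPLE ALERT] Privileged container detected",
     "ResourceId": SUB + "Microsoft.ContainerService/managedClusters/aks1"},
    # Not covered by any custom rule: only the generic Azure rule would fire.
    {"Type": "SecurityAlert", "DisplayName": "[SAMPLE ALERT] Access from a suspicious IP to a storage account",
     "ResourceId": SUB + "Microsoft.Storage/storageAccounts/sa1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = evaluate(event)
        if result is None:
            print(f"87801 only (no custom rule)  {event['ResourceId']}")
        else:
            rule_id, mitre, description = result
            print(f"{rule_id}  {mitre or '-':<10}  {description}")
```

The last sample row is the one to notice: a Defender alert on a storage account reaches Wazuh but matches none of the custom rules, so it is reported only under the generic Azure rule without a resource-specific description or MITRE mapping. Extend CUSTOM_RULES (and azure_posture.xml) with one entry per resource type you expect alerts for.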

6. Restart the Wazuh manager to apply the configuration:

# systemctl restart wazuh-manager

Cloud Security Posture Management simulation

We generate sample security alerts in Microsoft Defender for Cloud. These alerts mimic real-life attacks in a cloud environment.

To create sample alerts, follow the steps below:

1. In the Search bar of the Azure portal, type Microsoft Defender, then select Microsoft Defender for Cloud.

2. Click Security alerts on the sidebar menu. On the Security alerts page, select Sample alerts on the command bar. Select your Azure subscription and the desired services in the Defender for Cloud plans dropdown, then click Create sample alerts.

Note: For this blog post, we restrict the alert simulation to App Services, Key Vaults, Virtual Machines, Containers, and API Management.

3. Refresh the security alerts page to visualize the newly generated alerts.

Sample alerts simulation
Figure 12: Sample alerts simulation.

Posture management results on the Wazuh dashboard

Visualize the results by navigating to the Modules > Security events tab and filtering on the azure rule group (rule.groups: azure).

Security events on the Wazuh dashboard
Figure 13: Security events on the Wazuh dashboard

Conclusion

The integration of Wazuh with Microsoft Azure offers a centralized view of cloud security posture. In this blog post, we showed how to integrate Azure with Wazuh using the out-of-the-box Wazuh Azure module. The integration gives organizations the tools and insights needed to protect their assets, comply with regulations, and maintain a strong security posture in a dynamic cloud landscape.

Wazuh is an open source security platform for threat detection, compliance, and incident handling. You can integrate Wazuh with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.

References

  1. Using Wazuh to monitor Microsoft Azure
  2. Continuously export Microsoft Defender for Cloud data