Connect to Microsoft Azure for log data collection

Enterprise service tier

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Microsoft Azure require the ingestion of Microsoft Azure logs using the Security Operations console ingestion pipeline. The Microsoft Azure log types required for ingestion differ based on what you are configuring:

  • CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.
  • Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see Supported devices and required log types.

Curated detections

Curated detections in the Enterprise tier of Security Command Center help identify threats in Microsoft Azure environments using both event and context data.

These rule sets require the following data to function as designed. You must ingest Azure data from each of these data sources to have maximum rule coverage.

For more information, see the following in the Google SecOps documentation:

For information about the type of log data that customers with Security Command Center Enterprise can ingest directly to the Google SecOps tenant, see Google SecOps log data collection.

Configure Microsoft Azure log ingestion for CIEM

To generate CIEM findings for your Microsoft Azure environment, the CIEM capabilities require data from Azure activity logs for each Azure subscription or management group that needs to be analyzed.

Before you begin

To export activity logs for your Azure subscriptions or management groups, configure a Microsoft Azure storage account.

Configure Microsoft Azure log ingestion for management groups

  1. To configure Azure activity logging for management groups, use the Management group API.

    Note: The Microsoft Azure portal does not support configuring diagnostic settings for management groups.
  2. To ingest exported activity logs from the storage account, configure a feed in the Security Operations console.

  3. Set an Ingestion label for the feed by setting Label to CIEM and the Value to TRUE.

Configure Microsoft Azure log ingestion for subscriptions

  1. To configure Azure activity logging for subscriptions, do the following:

    1. In the Azure console, search for Monitor.
    2. In the left navigation pane, click the Activity log link.
    3. Click Export Activity Logs.
    4. Perform the following actions for each subscription or management group for which logs need to be exported:
      1. In the subscription menu, select the Microsoft Azure subscription from which you want to export activity logs.
      2. Click Add diagnostic setting.
      3. Enter a name for the diagnostic setting.
      4. In Log categories, select Administrative.
      5. In Destination details, select Archive to a storage account.
      6. Select the subscription and storage account that you created, and click Save.
  2. To ingest exported activity logs from the storage account, configure a feed in the Security Operations console.

  3. Set an Ingestion label for the feed by setting Label to CIEM and the Value to TRUE.
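The management group step above (step 1, which the portal cannot do) as an added example that is not part of the original page: a small shell wrapper around `az rest` that builds the Management group diagnostic-settings request, archives the Administrative category to the storage account the feed will read, and reads the setting back to confirm the category is enabled. The REST path and api-version `2020-01-01-preview` are taken from the Azure Monitor REST reference as assumed here; the management group ID, setting name and storage account resource ID are placeholders.

```shell
# Build and apply an Azure Monitor diagnostic setting on a management group so
# that Administrative activity logs land in the storage account used by the feed.
# Placeholders (management group, setting name, storage account ID) are illustrative.
ARM="https://management.azure.com"
API_VERSION="2020-01-01-preview"   # assumed api-version for management group diagnostic settings

# REST path of a named diagnostic setting on a management group.
mg_diag_url() {
  mg_id="$1"; setting_name="$2"
  printf '%s/providers/Microsoft.Management/managementGroups/%s/providers/Microsoft.Insights/diagnosticSettings/%s?api-version=%s' \
    "$ARM" "$mg_id" "$setting_name" "$API_VERSION"
}

# Request body: archive the Administrative category to the given storage account.
mg_diag_body() {
  storage_account_id="$1"
  printf '{"properties":{"storageAccountId":"%s","logs":[{"category":"Administrative","enabled":true}]}}' \
    "$storage_account_id"
}

# Apply the setting, then read it back and fail unless Administrative is enabled,
# so a silently rejected or partial setting does not leave CIEM without data.
apply_and_verify() {
  url=$(mg_diag_url "$1" "$2")
  az rest --method put --url "$url" --body "$(mg_diag_body "$3")" >/dev/null || return 1
  az rest --method get --url "$url" \
    --query "properties.logs[?category=='Administrative' && enabled].category" -o tsv \
    | grep -qx Administrative
}

# Example invocation with constructed placeholders (uncomment to run against a real tenant):
# apply_and_verify "<management-group-id>" "ciem-activity-export" \
#   "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
```

The caller needs an `az login` session with permission to write diagnostic settings on the management group; the storage account must already exist, as the Before you begin section requires.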

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.