Tuesday 23 June 2020

Deployment of Arcsight Connector on Azure

Hello all, welcome again to my blog. This time the topic is a bit out of the norm.

SIEM tools are widely used by organizations to centralize security event collection and monitoring. Microsoft has its own SIEM offering, but this round we are going with ArcSight, based on my latest testing and deployment work: the ArcSight Azure connector runs as two Azure Functions that pull Azure platform and Azure AD logs and forward them to an ArcSight Syslog NG connector.

Without further ado, let's start.

1)      Pre-deployment
        a)      Windows Server or Windows 10
                i)      Set the PowerShell execution policy so the deployment scripts can run. The deployment was done with Unrestricted or Bypass; a process-scoped override (Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass) gives the same result without weakening the machine-wide policy.
                ii)     PowerShell version 5 or later
                iii)    AzureRM modules installed (Install-Module -Name AzureRM -AllowClobber -Scope AllUsers). Note that AzureRM has since been retired in favour of the Az module; the scripts here target AzureRM.
        b)      Azure Active Directory
                i)      Role assignment (any one of the following)
                        (1)     Global administrator
                        (2)     Security administrator
                        (3)     Security reader
                        (4)     Reports reader
        c)      Azure subscription
                i)      Owner or Contributor role on the subscription
        d)      Download all the pre-loaded files and scripts (refer here )
        e)      Copy app.properties, arcsight-cloud-functions-7.14.0.zip and arcsight-monitor-functions-7.14.0.zip to your user directory
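The checklist in 1) a), c) and e) can be verified before running the deployment script. The following PowerShell pre-flight script is an added example written for this post, not part of the original post or of the ArcSight package. It checks the PowerShell version, the effective execution policy, the presence of the AzureRM module, the three deployment files in the user directory, and whether the signed-in account holds Owner or Contributor on the current subscription. It assumes that "user directory" means the profile folder ($env:USERPROFILE); the Azure AD role check from 1) b) is not covered because it needs the AzureAD module, which the post does not list.

```powershell
# Pre-flight check for the ArcSight-on-Azure prerequisites (added example, not from the post).
# Assumption: the deployment files were copied to the profile folder.
$ErrorActionPreference = 'Stop'
$UserDir = $env:USERPROFILE
$RequiredFiles = @('app.properties',
                   'arcsight-cloud-functions-7.14.0.zip',
                   'arcsight-monitor-functions-7.14.0.zip')

function Test-PreDeployment {
    $problems = @()

    # 1) PowerShell 5 or later
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        $problems += "PowerShell $($PSVersionTable.PSVersion) found; version 5 or later is required"
    }

    # 2) Scripts must be allowed to run. Flag the policies that block unsigned scripts
    #    and suggest a process-scoped override rather than a machine-wide Unrestricted.
    $policy = Get-ExecutionPolicy
    if ($policy -in @('Restricted', 'AllSigned', 'Undefined')) {
        $problems += "Execution policy is '$policy'; run: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    }

    # 3) AzureRM module available to this session
    if (-not (Get-Module -ListAvailable -Name AzureRM)) {
        $problems += "AzureRM module missing; run: Install-Module -Name AzureRM -AllowClobber -Scope AllUsers"
    }

    # 4) Deployment files copied to the user directory
    foreach ($f in $RequiredFiles) {
        if (-not (Test-Path (Join-Path $UserDir $f))) {
            $problems += "Missing $f in $UserDir"
        }
    }

    # 5) Signed-in account holds Owner or Contributor on the selected subscription.
    #    Get-AzureRmRoleAssignment -SignInName works for user accounts; a service
    #    principal would need -ServicePrincipalName instead.
    try {
        $ctx = Get-AzureRmContext
        if (-not $ctx.Account) { throw 'no account in context' }
        $scope = "/subscriptions/$($ctx.Subscription.Id)"
        $roles = Get-AzureRmRoleAssignment -SignInName $ctx.Account.Id -Scope $scope |
                 Select-Object -ExpandProperty RoleDefinitionName
        if (-not ($roles | Where-Object { $_ -in @('Owner', 'Contributor') })) {
            $problems += "Account $($ctx.Account.Id) is not Owner or Contributor on $scope"
        }
    } catch {
        $problems += "Not signed in to Azure; run Connect-AzureRmAccount first ($($_.Exception.Message))"
    }

    return $problems
}

$issues = Test-PreDeployment
if ($issues.Count -eq 0) {
    Write-Host 'Pre-deployment checks passed' -ForegroundColor Green
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from the same PowerShell session you will use for the deployment script, after Connect-AzureRmAccount and Select-AzureRmSubscription, so that the role check is evaluated against the subscription the functions will actually be created in.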

2)      Deployment
        a)      Edit the app.properties file

        *For a smoother deployment, use only lowercase letters in the function app name. The name must be globally unique and is used as a DNS label for the <name>.azurewebsites.net hostname, so an all-lowercase name of letters, digits and hyphens avoids validation problems.
        b)      Run the script

        c)      Result


3)      Post-deployment
        a)      Configure Always On for both Azure Functions (Always On needs a Basic or higher App Service plan; it is not available on the Consumption plan)

        b)      Set up the diagnostic log


        c)      Update the certificate in use

        *Delete the existing certificate and upload the new remote_management.p12 obtained from the ArcSight Syslog NG connector
        d)      Restart both Azure Functions; your ArcSight Syslog NG connector will then start receiving logs from the Azure platform and Azure AD.
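Steps 3) a) and 3) d) can be scripted with the same AzureRM module used for the deployment. The following is an added example, not the post's or ArcSight's code: it enables Always On on each function app by reading the site's web config, setting alwaysOn and writing the whole config back (so other settings are preserved), verifies the change, and then restarts the app. The resource group and function app names are placeholders that must be replaced with the values used in app.properties.

```powershell
# Enable Always On and restart the ArcSight function apps (added example, not from the post).
# Assumptions: resource group and app names below are placeholders for the real ones.
$ErrorActionPreference = 'Stop'
$ResourceGroup = 'rg-arcsight'
$FunctionApps  = @('arcsight-cloud-fn', 'arcsight-monitor-fn')
$ApiVersion    = '2018-02-01'

function Enable-AlwaysOnAndRestart {
    param([string]$ResourceGroupName, [string]$AppName)

    # Read the current site config so that the PUT below keeps every other setting intact.
    $cfg = Get-AzureRmResource -ResourceGroupName $ResourceGroupName `
        -ResourceType 'Microsoft.Web/sites/config' `
        -ResourceName "$AppName/web" -ApiVersion $ApiVersion

    # Always On keeps the function host loaded so the log-polling triggers keep firing.
    # It is only honoured on Basic or higher App Service plans, not on Consumption.
    $cfg.Properties.alwaysOn = $true
    Set-AzureRmResource -ResourceId $cfg.ResourceId -Properties $cfg.Properties `
        -ApiVersion $ApiVersion -Force | Out-Null

    # Re-read and verify before restarting; a silent no-op here would leave the
    # function idle and the Syslog NG connector without logs.
    $check = Get-AzureRmResource -ResourceGroupName $ResourceGroupName `
        -ResourceType 'Microsoft.Web/sites/config' `
        -ResourceName "$AppName/web" -ApiVersion $ApiVersion
    if (-not $check.Properties.alwaysOn) {
        throw "Always On is still disabled on $AppName (check the App Service plan tier)"
    }

    Restart-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $AppName | Out-Null
    Write-Host "$AppName : Always On enabled and app restarted"
}

foreach ($app in $FunctionApps) {
    Enable-AlwaysOnAndRestart -ResourceGroupName $ResourceGroup -AppName $app
}
```

Run this only after the certificate in step 3) c) has been replaced, since the restart is what makes the functions pick up the new remote_management.p12 and begin forwarding to Syslog NG.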


Happy deployment. Till we meet again.
