Azure Blob Storage

The current process for exporting your Azure logs to RunReveal involves three steps.

  1. Azure Activity Logs or Entra logs are exported to an Azure Storage Account.
  2. Each new blob triggers a Blob Created event, which adds a message to a Storage Queue in the same Storage Account.
  3. Once a minute, RunReveal processes the messages in the queue and reads the storage objects they point to.

To set this up you will need to create the following pieces in Azure:

  1. Add a new App Registration to your Entra tenant.
  2. Create a new Client Secret for this app.
  3. Create a new Storage Account.
  4. Create an Event Subscription that notifies on Blob Created event types and forwards the notification to a Storage Queue.
  5. Grant the created app access to read blob objects and process storage queue messages.
  6. Set up Entra/Activity Logs to forward events to the created storage account.

For steps 3-5 RunReveal provides an Azure Deploy Template that can be used to simplify setup.

App Registration

The first step is to create a new App Registration. Navigate to the Microsoft Entra ID service and choose Add -> App Registration.

Give the app a name and fill in the remaining settings for your organization. Once done click Register.

You should now be presented with the details of the new app. Copy and save the Application (client) ID and the Directory (tenant) ID, as both are needed when setting up the RunReveal source. If you plan to use the provided deploy template, also click the Managed application in local directory link; this opens the enterprise application's properties page, where you will need to copy the listed Object ID. Note that this is the Object ID of the service principal, not the Object ID shown on the app registration's overview page. Role assignments are made to the service principal, so the template needs this one.

App Secret

Once the app has been registered you will need to create a client secret to provide to RunReveal for access. Back on the main app registration page, under the Manage category, click 'Certificates & secrets'. From this screen click the 'Client secrets' tab and select New client secret. Give the secret a description and choose an expiration date. Once created, copy the secret Value (not the Secret ID) and save it for later; it is needed when creating the source in RunReveal. The value is displayed only once, so if you navigate away without copying it you will have to create a new secret.

Set a reminder for the expiration date of this secret. You will need to generate a new secret and update your RunReveal source before the expiration date to make sure RunReveal continues to have access.

Storage Account Setup

For each logging type (Activity Logs, Entra, etc.) a new storage account must be created with the same setup. The easiest way to set up your storage account is to use our deployment template. This automatically creates the storage account and the object notifications, and grants the correct permissions to the created app.

Deployment Template

Deploy to Azure

Click the Deploy to Azure button to load the template in the Azure portal. From there choose the Subscription and Resource group where this storage account should reside. Give the storage account a name and paste the App's Object ID that was copied earlier. Wait for the deployment to complete, then click on the Outputs menu item. This lists the storageAccountName and storageQueueName created by the template; these values are needed when setting up the RunReveal source. You can now move on to setting up Azure log forwarding.

Manual Setup

If you already have logs being stored in a storage account or want to change other setup settings follow these steps.

Storage Account

Navigate to the Storage account creation page and create a new storage account to store your log files. The only settings we recommend are the Standard performance option and the Hot access tier.

Event Subscription

In your new storage account resource, go to the Events menu and create a new Event Subscription.

Fill in the name fields for the subscription and system topic name and select Event Grid Schema as the event schema. Change the event types to only filter for Blob Created events. Select Storage Queue as your endpoint type and configure a new queue. For easiest setup, we recommend putting the storage queue in the same storage account. Make sure to take note of the name of the storage queue that was created as this will be needed in the RunReveal source.

IAM

Go to the Access control (IAM) screen for your storage account and add a new Role assignment. You will need to add two separate role assignments: Storage Blob Data Reader and Storage Queue Data Message Processor. For both, the member should be the App that was registered earlier. These are data-plane roles scoped to this storage account only: the first lets the app read blob contents, the second lets it peek, read and delete queue messages. Neither grants control-plane rights, so there is no need to assign broader roles such as Contributor or Storage Account Contributor.

Once access has been granted you are ready for the next step.
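The manual steps above (storage account, queue, Blob Created event subscription, and the two role assignments) expressed as one Bicep template, so the pieces and the scope of each permission can be reviewed together. This is an added example and not RunReveal's own deploy template; the parameter names, the default queue name and the system topic name are assumptions, and the service principal Object ID copied from the Managed application in local directory page is passed in as appPrincipalId.

```bicep
// Added example template (not RunReveal's). Creates a Standard/Hot storage account,
// a queue, a system topic plus an event subscription filtered to Blob Created,
// and two data-plane role assignments for an existing service principal.

@description('Globally unique storage account name (3-24 lowercase letters and digits).')
@minLength(3)
@maxLength(24)
param storageAccountName string

@description('Object ID of the service principal (Enterprise application), not the app registration object ID.')
param appPrincipalId string

@description('Queue that receives the Blob Created notifications. Name is an assumption.')
param storageQueueName string = 'runreveal-blob-events'

param location string = resourceGroup().location

// Built-in role definition IDs; these GUIDs are the same in every Azure tenant.
var storageBlobDataReader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
var storageQueueDataMessageProcessor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8a0f0c08-91a1-4084-bc3d-661d67233fed')

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }         // Standard performance, as recommended above
  properties: {
    accessTier: 'Hot'                    // Hot access tier, as recommended above
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false         // exported logs must never be anonymously readable
  }
}

resource queueService 'Microsoft.Storage/storageAccounts/queueServices@2023-01-01' = {
  parent: storage
  name: 'default'
}

resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2023-01-01' = {
  parent: queueService
  name: storageQueueName
}

// One system topic per storage account; the subscription filters to Blob Created only
// and delivers in Event Grid schema to the queue in the same account.
resource topic 'Microsoft.EventGrid/systemTopics@2022-06-15' = {
  name: '${storageAccountName}-blob-events'
  location: location
  properties: {
    source: storage.id
    topicType: 'Microsoft.Storage.StorageAccounts'
  }
}

resource blobCreatedToQueue 'Microsoft.EventGrid/systemTopics/eventSubscriptions@2022-06-15' = {
  parent: topic
  name: 'blob-created-to-queue'
  properties: {
    eventDeliverySchema: 'EventGridSchema'
    filter: {
      includedEventTypes: [ 'Microsoft.Storage.BlobCreated' ]
    }
    destination: {
      endpointType: 'StorageQueue'
      properties: {
        resourceId: storage.id
        queueName: storageQueueName
      }
    }
  }
  dependsOn: [ queue ]
}

// Data-plane roles only, scoped to this storage account: read blobs, and
// peek/read/delete queue messages. No control-plane rights are granted.
resource blobReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, appPrincipalId, storageBlobDataReader)
  scope: storage
  properties: {
    roleDefinitionId: storageBlobDataReader
    principalId: appPrincipalId
    principalType: 'ServicePrincipal'
  }
}

resource queueProcessor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, appPrincipalId, storageQueueDataMessageProcessor)
  scope: storage
  properties: {
    roleDefinitionId: storageQueueDataMessageProcessor
    principalId: appPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// The two values the RunReveal source asks for.
output storageAccountName string = storage.name
output storageQueueName string = queue.name
```

Deploy it into the target resource group with the Azure CLI, for example `az deployment group create -g <resource-group> -f main.bicep -p storageAccountName=<name> appPrincipalId=<service-principal-object-id>`, then read the two outputs from the deployment. Because the role assignments are scoped to the storage account resource rather than the subscription, the app can read only this account's blobs and queue messages, which is all RunReveal needs.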

Azure Log Forwarding

With the storage account created you can now set up Entra and Activity Logs to export to it. Pick which types of log you want imported to RunReveal. Microsoft Entra logs let you track changes to your tenant's directory settings and user sign-in events, while Azure Activity Logs let you track changes to your Azure environment as a whole.

Azure Activity Logs

On the Activity Log resource page, click on the "Export Activity Logs" button.

On the diagnostic settings page, add a new diagnostic setting. Give the diagnostic setting a name, choose the categories you wish to include in your events, and select "Archive to a storage account" selecting the storage account that was created.

Microsoft Entra Logs

From your Entra admin portal navigate to the Users -> Sign-in logs screen and click on "Export Data Settings".

On the diagnostic settings page, add a new diagnostic setting. Give the diagnostic setting a name, choose the categories you wish to include in your events, and select "Archive to a storage account" selecting the storage account that was created.

RunReveal Source

Go to RunReveal and add a new source, selecting either Entra Logs or Azure Activity Logs.

Both have the same setup, give the source a name and select Azure Blob Storage as the import type.

You will need the values that were saved from the setup steps.

  • The app Tenant ID and Client ID from the app registration screen.
  • The Client Secret Value that was created when generating a new secret for the app.
  • The Storage Account Name where the logs are exporting to.
  • The Storage Queue Name that holds the blob created notifications.

Once these are supplied and saved, RunReveal will begin to process messages in the queue and ingest the log blobs stored in the storage account.