Creating Security Dashboards for Azure Sentinel with Grafana

Jeroen Niesen
Wortell
7 min read · Jan 17, 2020

When building a SOC, dashboards are an important component. Aside from the regular dashboard features in Azure, you can use Grafana as a tool to build your dashboards. According to the Grafana website, Grafana is the open source analytics and monitoring solution for every database. Grafana doesn’t provide an out-of-the-box Azure Sentinel connector, but as all Sentinel data is stored in Log Analytics, we can use the Azure Monitor data source in Grafana (which includes Azure Log Analytics) to query Sentinel data. Grafana has a couple of features that I personally love:

  • You can create dashboards for users without giving them access to the data (they only have access to the visuals). Keep in mind that Grafana runs the queries server-side with the service principal’s credentials, so anyone who is allowed to edit a panel can query everything that service principal can read.
  • You can hook up multiple Azure tenants to Grafana. This is ideal for an MSSP scenario or companies that own multiple tenants.

In this blogpost I will explain how you can create your own security dashboards in Grafana. The first part of this blogpost covers the prerequisites (installing Grafana and preparing Azure). The second part is about configuring Grafana and creating dashboards.

Installing Grafana

Let’s start by installing Grafana. There are multiple ways to install Grafana. In this blogpost I go for the easy installation of Grafana on an Ubuntu machine. You can install Grafana by executing the following commands:

After installing, you can go to http://YourIpHere:3000 and log in with the default credentials of Grafana (admin:admin). On your first login, change these well-known credentials right away, before the port is reachable by anyone else.

Pro Tip: This blogpost is about connecting Grafana to Azure; it is not intended as an installation guide for Grafana. Even though this setup works, it provides no HTTPS/TLS, single sign-on, etc. Have a look at the Grafana documentation for a more secure way of setting up the service.

Preparing your Azure Environment

Grafana does not have access to your Azure tenant by default. To give Grafana access to your data, you need to register an application in Azure AD; this creates the service principal that Grafana will authenticate as.

  • In the Azure Portal go to the Azure Active Directory resource, and click on App Registrations.
  • Click on the + button and give the service principal a name like “Grafana Access”. Make sure the option “Accounts in this organizational directory only (YourTenantName only — Single tenant)” is selected, and click on Register.
  • Click on Grafana Access — Certificates & secrets and click on Add New Secret. Give the secret a name like “Grafana Secret” and click on Add. After the secret has been created, copy the secret value right away: the portal shows it only once. You need it later to connect Grafana to Azure.

Pro Tip: With the predefined settings, the secret is only valid for 1 year. You could extend this period to two years, or even let the secret never expire. I would advise leaving this at one year and having solid administration in place that reminds you a couple of weeks before the secret expires.

  • Click on Overview in the left menu and make note of the Application (client) ID and Directory (tenant) ID. We need these IDs later to connect Grafana to Azure.

We just created a service principal. This is the account Grafana is going to use to access Microsoft Azure. Just like a normal account, it needs permissions on specific resources before it can read anything.

  • In the Azure Portal, go to Subscriptions and open the subscription in which your Log Analytics workspace(s) are hosted.
  • Go to Access control (IAM), click on + Add and select Add role assignment to assign an Azure role to a user account or service principal.
  • For Role, select Reader. For Assign access to, select “Azure AD user, group, or service principal”. For Select, type the name of your service principal (in the previous steps I used “Grafana Access” as the name) and click on the service principal to add it. If everything went well, the service principal is listed under “Selected members”.
  • Click Save.

Pro Tip: In this blogpost I give the service principal Reader access at subscription level. This makes sure the service principal can read all Log Analytics workspaces in my Azure subscription. This is an easy, but less secure option: Reader on the subscription also lets it read the configuration of every other resource in that subscription. If you want a more secure solution, assign Reader (or the narrower built-in Log Analytics Reader role) on just the required Log Analytics workspaces.
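The least-privilege variant of the steps above, expressed as code rather than portal clicks. This is an added example and not code from the original post: it builds the Azure RBAC role-assignment request for a single workspace scope (the tighter option from the Pro Tip) and, for the secret-expiry Pro Tip, flags app-registration secrets that are about to run out. Assumed: the documented Azure RBAC REST body, the `passwordCredentials` shape Microsoft Graph returns for an application, and the built-in Reader role definition GUID; all subscription, workspace and principal IDs are placeholders, and the credential list is a constructed sample.

```python
"""Least-privilege access for the Grafana service principal (added example)."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Built-in "Reader" role definition; this GUID is the same in every tenant.
READER_ROLE_DEFINITION_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
ARM = "https://management.azure.com"
# Date of the post, used as a fixed "now" for the sample below.
POST_DATE = datetime(2020, 1, 17, tzinfo=timezone.utc)


def subscription_scope(subscription_id):
    """Scope used in the post: Reader on everything in the subscription."""
    return f"/subscriptions/{subscription_id}"


def workspace_scope(subscription_id, resource_group, workspace_name):
    """Scope of one Log Analytics workspace: the least-privilege option."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}")


def reader_assignment(subscription_id, scope, sp_object_id, assignment_id=None):
    """PUT request that grants Reader to the service principal at `scope`.

    principalId must be the service principal's *object* ID, not the
    Application (client) ID noted for Grafana; the two are different GUIDs.
    """
    assignment_id = assignment_id or str(uuid.uuid4())
    return {
        "method": "PUT",
        "url": (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
                f"{assignment_id}?api-version=2022-04-01"),
        "body": {
            "properties": {
                "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers/"
                                     f"Microsoft.Authorization/roleDefinitions/"
                                     f"{READER_ROLE_DEFINITION_ID}"),
                "principalId": sp_object_id,
                "principalType": "ServicePrincipal",
            }
        },
    }


def expiring_secrets(password_credentials, within_days=30, now=None):
    """Secrets (Graph `passwordCredentials`) that expire within `within_days`.

    Already-expired secrets are returned too: those need rotating just as much.
    """
    now = now or datetime.now(timezone.utc)
    deadline = now + timedelta(days=within_days)
    hits = []
    for cred in password_credentials:
        # Graph returns ISO 8601 with a trailing Z; older fromisoformat wants +00:00.
        ends = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if ends <= deadline:
            hits.append((cred.get("displayName"), ends))
    return hits


# Constructed sample of what GET /v1.0/applications/{id} returns for two secrets.
SAMPLE_CREDENTIALS = [
    {"displayName": "Grafana Secret", "endDateTime": "2020-02-10T09:00:00Z"},
    {"displayName": "Grafana Secret 2021", "endDateTime": "2021-01-17T09:00:00Z"},
]

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"            # placeholder
    scope = workspace_scope(sub, "rg-sentinel", "law-sentinel")
    sp_oid = "11111111-1111-1111-1111-111111111111"         # placeholder object ID
    print(json.dumps(reader_assignment(sub, scope, sp_oid), indent=2))
    for name, ends in expiring_secrets(SAMPLE_CREDENTIALS, 30, now=POST_DATE):
        print(f"rotate soon: {name} expires {ends:%Y-%m-%d}")
```

Send the returned request with any authenticated ARM client (or recreate it as `az role assignment create --role Reader --scope <scope> --assignee-object-id <oid>`); run the expiry check from whatever scheduler you already have, so the one-year limit from the Pro Tip never surprises you.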

Configuring Grafana

Now that the requirements are fulfilled, it’s time to configure Grafana.

  • Log in to the Grafana portal and go to Configuration > Data Sources. On this page you are able to configure all kinds of data sources for Grafana.
  • Click on Add data source and select Azure Monitor.
  • For Azure Monitor Details use the following configuration:
    Azure Cloud: Azure
    Directory (tenant) ID: The Directory (tenant) ID you noted while creating the Service Principal
    Application (client) ID: The Application (client) ID you noted while creating the Service Principal
    Client Secret: The secret you noted while creating the Service Principal
  • After filling in the configuration details, click on Load Subscriptions
  • Choose the subscription in which your Log Analytics/Sentinel workspace is located. This is the same subscription as where you configured the reader role for the service principal.
  • For Default Workspace select the workspace you will create dashboards for.
  • Click on Save & Test. If everything went well, you should see the following message: “1. Successfully queried the Azure Monitor service. 2. Successfully queried the Azure Log Analytics service.”
Settings in Grafana for Azure Monitor (Log Analytics)

Congratulations! Grafana is now configured to connect with your Azure Sentinel/Log Analytics workspace.

Pro Tip: If you have multiple Azure subscriptions or tenants, repeat the service principal configuration and the Grafana data source configuration from this blogpost for each of them (each tenant needs its own service principal with Reader access, and its own data source in Grafana). Grafana is perfectly able to work with multiple data sources, even if they are of the same type!
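The same data source configuration as the steps above, created through Grafana’s HTTP API, which is the practical route once you repeat it per tenant as the Pro Tip suggests. This is an added example, not code from the original post. Assumed: Grafana’s documented `POST /api/datasources` endpoint, and the `jsonData`/`secureJsonData` field names used by the Azure Monitor plugin in Grafana 6.x and 7.x (check the plugin documentation for your version); the `AZ_*`/`GRAFANA_*` environment variables, URLs and IDs are placeholders.

```python
"""Register the Azure Monitor data source in Grafana over its HTTP API (added example)."""
import json
import os
import urllib.request


def azure_monitor_datasource(name, tenant_id, client_id, client_secret,
                             subscription_id, default_workspace_id):
    """Payload equivalent to the data source form in the post; call once per tenant."""
    return {
        "name": name,
        "type": "grafana-azure-monitor-datasource",
        # "proxy": Grafana's backend calls Azure with the service principal;
        # the browser never receives the credentials, which is why viewers can
        # see panels without being able to reach the workspace themselves.
        "access": "proxy",
        "jsonData": {
            "cloudName": "azuremonitor",          # the "Azure" public cloud
            "tenantId": tenant_id,
            "clientId": client_id,
            "subscriptionId": subscription_id,
            "logAnalyticsSameAs": True,           # same principal for Log Analytics
            "logAnalyticsDefaultWorkspace": default_workspace_id,
        },
        # secureJsonData is encrypted in Grafana's database and never returned by
        # the API; the client secret belongs here, never in jsonData.
        "secureJsonData": {"clientSecret": client_secret},
    }


def as_returned_by_api(datasource):
    """Shape Grafana hands back on GET: secret values replaced by boolean flags."""
    shown = {k: v for k, v in datasource.items() if k != "secureJsonData"}
    shown["secureJsonFields"] = {k: True for k in datasource.get("secureJsonData", {})}
    return shown


def create_datasource(grafana_url, api_key, datasource):
    """POST the payload; needs an API key (or user) with the Admin role in the org."""
    req = urllib.request.Request(
        f"{grafana_url.rstrip('/')}/api/datasources",
        data=json.dumps(datasource).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The secret comes from the environment, not argv, so it stays out of shell
    # history and `ps` output.
    ds = azure_monitor_datasource(
        name="Azure Monitor - Contoso",                       # placeholder
        tenant_id=os.environ["AZ_TENANT_ID"],
        client_id=os.environ["AZ_CLIENT_ID"],
        client_secret=os.environ["AZ_CLIENT_SECRET"],
        subscription_id=os.environ["AZ_SUBSCRIPTION_ID"],
        default_workspace_id=os.environ["AZ_WORKSPACE_ID"],
    )
    print(json.dumps(as_returned_by_api(ds), indent=2))
    if "GRAFANA_API_KEY" in os.environ:
        print(create_datasource(os.environ.get("GRAFANA_URL", "http://localhost:3000"),
                                os.environ["GRAFANA_API_KEY"], ds))
```

After creating the data source this way, still press Save & Test once in the UI (or re-save it) to confirm both the Azure Monitor and the Log Analytics checks pass with the role assignment you chose.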

Creating dashboards

Depending on your needs you can create dashboards in Grafana. In this post I will create a dashboard that shows the sign-in attempts in Azure Active Directory over time, and some information about incidents in Azure Sentinel.

  • In the Grafana portal go to the Create menu, and click Dashboard. This is the page where you can create a new dashboard.
  • Click Add Query and use the following configuration:
    Service: Azure Log Analytics
    Subscription: The subscription you would like to use
    Workspace: The Log Analytics workspace that you would like to use.
    Format As: Time Series
    Query: use the following query:
  • Click on the left side of the screen on the Visualisation Icon. Here you can configure the settings of the visual that you would like to use. In this case there is no need to change the settings.
  • Click on the left side of the screen on the General Icon. Here you can configure the general settings for the panel/visual on your dashboard. Use the following settings:
    Title: Sign-in attempts over time
    Description: Displays the sign-in attempts over time
  • Click on the back button in Grafana. This button is located in the left top corner of your screen (and no; it’s not the browser back button).
  • Click on the save button on the right top corner of the screen. Give your dashboard a proper name, and click save.

The first part of the dashboard is done. If everything went well you should now have a dashboard with a single visual on it.

Azure Sentinel Alerts in Grafana

Adding Sentinel-related data to a dashboard isn’t that hard. Azure Sentinel stores its data in Log Analytics and we can query this data. When you are in your dashboard, you can click the “Add Panel” button at the top of the screen. From here you can repeat the same process as described earlier, but use a different query:
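Both panels, the sign-in panel from the steps above and the Sentinel panel from this section, as one dashboard built from code, together with the blanking of workspace IDs the author applies to his Git export. This is an added example and not the author’s exported dashboard. Assumed: the Azure Log Analytics target fields (`queryType`, `azureLogAnalytics.query/workspace/resultFormat`) used by the Azure Monitor plugin in Grafana 6.x and 7.x, and the documented `POST /api/dashboards/db` wrapper. The KQL is mine: it reads `SigninLogs` and Sentinel’s `SecurityAlert` table, and uses Grafana’s `$__timeFilter()` and `$__interval` macros so the time picker drives the query. The workspace and subscription IDs are placeholders you replace, just as in the author’s export.

```python
"""Both panels from the post as a Grafana dashboard, built from code (added example)."""
import json

# $__timeFilter() and $__interval are Grafana macros: the dashboard time picker
# drives the `where` clause and the bin size instead of a hard-coded 1h.
SIGNINS_OVER_TIME = """\
SigninLogs
| where $__timeFilter(TimeGenerated)
| summarize SignIns = count() by bin(TimeGenerated, $__interval)
| order by TimeGenerated asc"""

# Sentinel writes its alerts to the SecurityAlert table; one series per severity.
ALERTS_BY_SEVERITY = """\
SecurityAlert
| where $__timeFilter(TimeGenerated)
| summarize Alerts = count() by AlertSeverity, bin(TimeGenerated, $__interval)
| order by TimeGenerated asc"""


def log_analytics_panel(panel_id, title, description, query, workspace_id,
                        subscription_id, datasource_name, y):
    """One time-series panel with a single Azure Log Analytics query."""
    return {
        "id": panel_id,
        "type": "graph",
        "title": title,
        "description": description,
        "datasource": datasource_name,
        "gridPos": {"x": 0, "y": y, "w": 24, "h": 8},
        "targets": [{
            "refId": "A",
            "queryType": "Azure Log Analytics",
            "subscription": subscription_id,
            "azureLogAnalytics": {
                "workspace": workspace_id,
                "query": query,
                "resultFormat": "time_series",
            },
        }],
    }


def sentinel_dashboard(workspace_id, subscription_id, datasource_name="Azure Monitor",
                       refresh="1m"):
    """Wrapper accepted by POST /api/dashboards/db, with auto-refresh switched on."""
    panels = [
        log_analytics_panel(1, "Sign-in attempts over time",
                            "Displays the sign-in attempts over time",
                            SIGNINS_OVER_TIME, workspace_id, subscription_id,
                            datasource_name, y=0),
        log_analytics_panel(2, "Azure Sentinel alerts by severity",
                            "Sentinel alerts per severity over time",
                            ALERTS_BY_SEVERITY, workspace_id, subscription_id,
                            datasource_name, y=8),
    ]
    return {
        "dashboard": {
            "id": None, "uid": None,
            "title": "Azure Sentinel overview",
            "schemaVersion": 16,
            "time": {"from": "now-24h", "to": "now"},
            "refresh": refresh,
            "panels": panels,
        },
        "overwrite": False,
    }


def for_sharing(dashboard):
    """Deep copy with workspace and subscription IDs blanked, for committing to Git."""
    shared = json.loads(json.dumps(dashboard))
    for panel in shared["dashboard"]["panels"]:
        for target in panel["targets"]:
            target["subscription"] = ""
            target["azureLogAnalytics"]["workspace"] = ""
    return shared


if __name__ == "__main__":
    d = sentinel_dashboard("<workspace-id>", "<subscription-id>")   # placeholders
    print(json.dumps(for_sharing(d), indent=2))
```

Import the printed JSON through Dashboards > Import (or POST it to `/api/dashboards/db` with an Editor or Admin API key) after filling in your own workspace ID; the blanked copy is the one you commit.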

Your dashboard can end up like this:

Pro Tip: Grafana has built-in functionality to automatically refresh dashboards. Setting this up makes sure you are always looking at current data.

Pro Tip: If you have multiple dashboards, Grafana also has playlist functionality which automatically switches between dashboards.

As Grafana is able to export dashboards and panels, I have created a Git repository where I have stored an export of the dashboard that is created in this blogpost. Please note that I have removed the workspace IDs from the export. You should enter your own there.

Summary

In this post I explained how you can use Grafana to create your security dashboards. Grafana is a tool which enables you to quickly generate dashboards based on Azure Log Analytics (and thus Azure Sentinel) and many other data sources.

Using Grafana with Azure Sentinel has a ton of possibilities but make sure your dashboards stay useful and only show data that is required for your operations.

Enjoy creating your dashboards!
— Jeroen Niesen
