
How to Stream FundApps’ Audit Logs to Your SIEM

Updated over 3 weeks ago

Overview

FundApps’ platform allows you to stream audit logs to your Security Information and Event Management (SIEM) tool.

⚠️ By proceeding, you acknowledge that you are aware that audit logs contain personal data. You are the controller of such personal data, and FundApps is no longer the processor of this personal data once it leaves the FundApps platform and your FundApps client environment. Please refer to the agreement with your SIEM provider in relation to the processing of this personal data within the SIEM provider’s system.

Supported SIEM Tools

Currently, our Audit Log streaming feature only supports Azure Sentinel, Splunk and Datadog.

How to Stream FundApps Audit Logs to Azure Sentinel

Configure your Azure Sentinel instance:

  1. Configure the Log Ingestion API in Azure Monitor (used by Azure Sentinel). Follow Microsoft's Log Ingestion API setup guide to get started.

  2. Steps to Set Up the Required Azure Resources:

    1. Create an Azure AD App Registration and Secret

      This service principal will authenticate your log ingestion requests. Follow these instructions to create the app registration and generate a client ID and client secret for it.

    2. Create a Custom Log Table

      Define a table schema where FundApps audit logs will be stored. Use this guide to create a custom table.

    3. Configure a Data Collection Endpoint (DCE)

      The DCE acts as the endpoint for receiving incoming log data. Follow the DCE setup guide.

    4. Create a Data Collection Rule (DCR)

      The DCR defines how incoming logs are transformed and routed to the custom table. Follow this DCR setup guide to set this up.

    5. Be sure to define column mappings that match the FundApps log schema to the custom table schema. The FundApps log columns, as declared in the DCR stream, are:

      "columns": [
        { "name": "TimeGenerated", "type": "datetime" },
        { "name": "date", "type": "datetime" },
        { "name": "description", "type": "string" },
        { "name": "connection_id", "type": "string" },
        { "name": "client_id", "type": "string" },
        { "name": "client_name", "type": "string" },
        { "name": "ip", "type": "string" },
        { "name": "client_ip", "type": "string" },
        { "name": "user_agent", "type": "string" },
        { "name": "details", "type": "string" },
        { "name": "hostname", "type": "string" },
        { "name": "user_id", "type": "string" },
        { "name": "user_name", "type": "string" },
        { "name": "organization_id", "type": "string" },
        { "name": "organization_name", "type": "string" },
        { "name": "auth0_client", "type": "string" },
        { "name": "log_id", "type": "string" },
        { "name": "tenant_name", "type": "string" },
        { "name": "message", "type": "string" }
      ]

Configure your FundApps Instance:

  1. Click on the Admin and Settings button (⚙️ icon) at the top right of your screen.

    1. Select Azure Sentinel as a provider to be used.

  2. Build the Webhook URL in the form https://{log-ingestion-url}/dataCollectionRules/{dcr-immutable-id}/streams/{streamName}?api-version=2023-01-01 and enter it in the Webhook URL field.

    1. {log-ingestion-url} is the Logs Ingestion URL of your Data Collection Endpoint.

    2. {dcr-immutable-id} is the Immutable ID of your Data Collection Rule.

    3. {streamName} is the stream name you used in your DCR.

  3. Copy the Client ID and Client Secret of the app registration you created above into the Client ID and Client Secret fields.

  4. Copy the Tenant ID from your Azure subscription into the Tenant ID field.

  5. Click the Save button.

    1. Note that any existing credentials that have been saved will be overwritten.

    2. Once confirmed in the dialog, your credentials will be saved, and FundApps will send a test log to your SIEM with the message "Test audit log from FundApps" for you to confirm in your SIEM.
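An added check (example code, not FundApps’ or Microsoft’s) for the two error-prone parts of this procedure: it validates an audit event against the column schema above, reporting fields that would not land in the custom table, and assembles the webhook URL from its three placeholders. The sample event, DCE host, DCR ID and stream name are constructed placeholders.

```python
from datetime import datetime
from urllib.parse import urlparse

# Column names and types copied from the DCR schema on this page.
FUNDAPPS_SCHEMA = {
    "TimeGenerated": "datetime", "date": "datetime", "description": "string",
    "connection_id": "string", "client_id": "string", "client_name": "string",
    "ip": "string", "client_ip": "string", "user_agent": "string",
    "details": "string", "hostname": "string", "user_id": "string",
    "user_name": "string", "organization_id": "string",
    "organization_name": "string", "auth0_client": "string",
    "log_id": "string", "tenant_name": "string", "message": "string",
}

def check_event(event: dict) -> dict:
    """Report fields absent from the stream declaration (they would not land
    in the table), schema columns the event lacks, and type mismatches."""
    unknown = sorted(k for k in event if k not in FUNDAPPS_SCHEMA)
    missing = sorted(k for k in FUNDAPPS_SCHEMA if k not in event)
    bad_type = []
    for name, value in event.items():
        kind = FUNDAPPS_SCHEMA.get(name)
        if kind == "datetime":
            try:  # ISO 8601; a trailing 'Z' is normalised for Python < 3.11
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            except ValueError:
                bad_type.append(name)
        elif kind == "string" and not isinstance(value, str):
            bad_type.append(name)
    return {"unknown": unknown, "missing": missing, "bad_type": sorted(bad_type)}

def build_webhook_url(log_ingestion_url: str, dcr_immutable_id: str,
                      stream_name: str) -> str:
    """Assemble the URL in the form given on this page. Accepts the DCE host
    with or without its https:// prefix and rejects a non-https endpoint."""
    if "://" not in log_ingestion_url:
        log_ingestion_url = "https://" + log_ingestion_url
    parsed = urlparse(log_ingestion_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("log ingestion URL must be an https endpoint")
    if not (dcr_immutable_id and stream_name):
        raise ValueError("DCR immutable ID and stream name are required")
    return (f"https://{parsed.netloc}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version=2023-01-01")

# Constructed sample in the shape of the test event FundApps sends on Save.
SAMPLE_EVENT = {
    "TimeGenerated": "2024-01-01T00:00:00Z", "date": "2024-01-01T00:00:00Z",
    "message": "Test audit log from FundApps", "log_id": "example-log-id",
}
```

Run check_event over a captured event before saving the configuration; a non-empty "unknown" list means the DCR stream declaration and the FundApps schema have drifted apart.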

How to Stream FundApps Audit Logs to Splunk

  1. If you need to whitelist FundApps’ platform’s IP address, please contact our support team.

  2. Generate a Splunk HEC token in your Splunk Instance.

    1. If you use Splunk Cloud Platform or Splunk Enterprise, follow these instructions to generate the token you will enter into FundApps’ platform later in this procedure.

  3. Make a note of your Splunk HEC URI.

    1. If you use Splunk Cloud Platform or Splunk Enterprise, please follow these instructions to figure out your HEC URI. Logs will be sent as JSON-formatted events.

  4. Log in to your FundApps instance with an Administrator or Tech user role.

  5. Click on the Admin and Settings button (⚙️ icon) at the top right menu of your FundApps environment.

  6. Select Splunk as the provider to be used.

  7. Copy the HEC URI you noted above (e.g. https://hec.splunk.com:8088/collector) into the Webhook URL field.

  8. Copy the HEC token you generated above into the field called Auth token.

  9. Click the Save button.

    1. Note that any existing credentials will be overwritten.

    2. Once confirmed in the dialog, your credentials will be saved, and FundApps will send a test log to your SIEM with the message content "Test audit log from FundApps" for you to confirm in your SIEM.

How to Stream FundApps Audit Logs to Datadog

  1. Generate a Datadog API key by clicking on your username on the bottom left of your Datadog instance.

    1. Under Organisation settings, click API Keys (note: not Application Keys).

    2. Click New Key at the top right and name the key appropriately, e.g. "FundApps Audit Logs".

    3. If you do not see the option to create API keys, please get in touch with a user or team within your organisation with the correct permissions to generate and share the key securely with you.

  2. FundApps uses the Datadog V2 logs endpoint to stream logs to Datadog.

    1. The URL slightly differs depending on where your Datadog instance is hosted.

    2. Go to https://docs.datadoghq.com/api/latest/logs/?site=us and change the Datadog site on the top right to your instance location.

    3. Copy the URL next to POST.

  3. Log in to your FundApps instance with an Administrator or Tech user role.

  4. Click on the Admin and Settings button (⚙️ icon) at the top right of your screen.

  5. Select Datadog as the provider to be used.

  6. Copy the URI from step 2 (e.g. https://http-intake.logs.datadoghq.com/api/v2/logs) into the Webhook URL field.

  7. Copy the API key from step 1 into the field called Auth token.

  8. Click the Save button.

    1. Be aware that any existing credentials will be overwritten.

    2. Once confirmed in the dialog, your credentials will be saved, and FundApps will send a test log to your SIEM with the message "Test audit log from FundApps" for you to confirm in your SIEM.

🎉 All new Authentication logs will now be streamed to your SIEM tool in real time.
