Currently working on a cloud transformation project where all infrastructure is being placed into Azure.
We currently use a SIEM solution to monitor and assess events across the environment. The adoption of Azure has added an additional level of administrative actions that we would need to keep an eye on.
Our design uses AD groups that are assigned to RBAC roles and so we can monitor changes to these groups in order to understand who has had access granted/revoked by collecting our DC logs. We cannot however see if someone has granted/revoked RBAC roles to Azure subscriptions, resource groups or resources. I have put together some Powershell scripts that would return the required data so it's good to know the data is there and available, however it seems that there is no native way to get this data into a SIEM solution.
Has anyone managed to get this type of data into their SIEM? I envisage it being achieved by having a Powershell script running every minute or so to retrieve the data and either writing it to a file which the SIEM collects or streaming it directly to the SIEM to then be parsed.
Essentially, I aim to get something in place so that I can view this data within our SIEM dashboard as I feel it's a significant risk to have no visibility of such administrative actions.
Thanks in advance for any guidance.
