Azure XSIAM


L1 Bithead

How is on-boarding logs using Microsoft Azure integration different from using the Azure Event hub integration? 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-3.x-Documentation/Onboard-Micro... 
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Ingest-Logs-from-... 

Also any details on what specifically is the automation features that the Microsoft Azure integration provides would be helpful? Does this replace the need to deploy agents?

 

Cortex XSIAM Azure 

2 REPLIES

L5 Sessionator

Hello @bridgetlitt ,

 

Greetings for the day.

1. Key Differences Between Integration Methods

Setup Method

Microsoft Azure Integration (CSP Onboarding):
This method uses an automated onboarding wizard to streamline Azure environment setup within Cortex XSIAM. It typically involves running an ARM template or script (for example, onboard.sh) that automatically creates the required Azure resources, including Diagnostic Settings, Event Hubs, and permissions across subscriptions.

 

Azure Event Hub Integration:
This is a manual “pull” collector approach. You must first configure the Event Hub and Diagnostic Settings within the Azure Portal, then provide Cortex XSIAM with the required credentials, including:

  • Event Hub Connection String
  • Storage Account Connection String (used for checkpointing and partition management)
  • Consumer Group

Scope and Management

  • The Microsoft Azure (CSP) integration is designed for large-scale log collection across entire tenants or multiple subscriptions. If audit logs are enabled during onboarding, the integration manages the underlying Event Hub resources automatically, often eliminating the need for a separate manual Event Hub connector.

  • The Azure Event Hub integration is typically used for targeted, high-volume log sources (such as Entra ID Sign-in logs) or logs from specific services (for example, AKS or Intune) where organizations prefer direct ingestion into XSIAM without onboarding the entire Azure environment.


2. Automation Features of the Microsoft Azure Integration

The Microsoft Azure (CSP) integration provides several automation-focused capabilities:

  • Automated Log Routing: Automatically configures Azure Diagnostic Settings to stream logs (Activity Logs, Audit Logs, etc.) to the Event Hubs used by XSIAM.
  • Asset Discovery: Automatically scans monitored Azure accounts and populates the Asset Inventory, providing centralized visibility into cloud resources.
  • Continuous Monitoring: Once onboarding is completed, XSIAM continuously monitors onboarded Azure accounts for data and configuration changes.
  • Playbook Orchestration: XSIAM leverages built-in content packs and playbooks to automatically triage, investigate, and respond to threats identified from Azure telemetry.

3. Does It Replace the Need to Deploy Agents?

No. The Microsoft Azure integration does not replace the need to deploy Cortex XDR agents.

Cortex XSIAM uses a layered architecture in which the Cortex XDR agent functions as the primary endpoint sensor for deep visibility and prevention.

The roles are complementary:

  • Cloud Log Integrations: Provide management-plane and data-plane telemetry, such as user sign-ins, resource changes, and cloud activity logs.
  • Cortex XDR Agents: Provide host-level telemetry, including process execution, file activity, registry changes, and network connections within the operating system.

Co-existence Model:

For a complete security posture:

  • Deploy Cortex XDR agents on Azure virtual machines (IaaS workloads) to enable Endpoint Detection and Response (EDR) capabilities.
  • Use Azure integrations to ingest cloud-native telemetry and management logs.

Together, these components provide a more complete security narrative across cloud infrastructure and endpoint activity.

 

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
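As an added illustration of the "Automated Log Routing" capability described above (example code written for this thread, not the poster's material or Palo Alto's onboard.sh), the block builds the Microsoft.Insights diagnostic setting that streams Activity Log categories to an Event Hub and then audits an existing setting for required categories that are missing, disabled, or routed to a different hub. The subscription, namespace, rule and hub names are constructed placeholders.

```python
# Added example, not code from the thread or from the onboarding wizard/onboard.sh:
# the Microsoft.Insights diagnostic setting that streams Activity Log categories
# to an Event Hub, plus an audit of an existing setting. IDs below are constructed.

# Activity Log categories accepted by a subscription-scope diagnostic setting.
ACTIVITY_LOG_CATEGORIES = (
    "Administrative", "Security", "Policy", "Alert",
    "Autoscale", "Recommendation", "ResourceHealth", "ServiceHealth",
)
# The categories an audit-log collector must not be missing.
REQUIRED_FOR_AUDIT = ("Administrative", "Security", "Policy")


def diagnostic_setting_body(auth_rule_id, hub_name, categories=ACTIVITY_LOG_CATEGORIES):
    """Body for PUT /subscriptions/{sub}/providers/Microsoft.Insights/diagnosticSettings/{name}
    that routes the chosen categories to one Event Hub via a namespace authorization rule."""
    return {"properties": {
        "eventHubAuthorizationRuleId": auth_rule_id,
        "eventHubName": hub_name,
        "logs": [{"category": c, "enabled": True} for c in categories],
    }}


def audit_setting(setting, expected_hub, required=REQUIRED_FOR_AUDIT):
    """Findings for a setting read back from Azure: required categories missing or
    disabled, and routing that does not land in the hub the collector reads."""
    props = setting.get("properties", {})
    findings = []
    enabled = {e["category"] for e in props.get("logs", []) if e.get("enabled")}
    for cat in required:
        if cat not in enabled:
            findings.append(f"category {cat} not streamed")
    if not props.get("eventHubAuthorizationRuleId"):
        findings.append("no Event Hub authorization rule: logs are not routed")
    elif props.get("eventHubName") != expected_hub:
        findings.append(f"routed to hub {props.get('eventHubName')!r}, expected {expected_hub!r}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder subscription, namespace and rule; not real resources.
    rule = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-siem"
            "/providers/Microsoft.EventHub/namespaces/ns-xsiam/authorizationRules/RootManageSharedAccessKey")
    good = diagnostic_setting_body(rule, "insights-activity-logs")
    print("wizard-style setting:", audit_setting(good, "insights-activity-logs"))
    # A hand-built setting that only streams Alert and points at a different hub.
    weak = {"properties": {"eventHubAuthorizationRuleId": rule, "eventHubName": "test-hub",
                           "logs": [{"category": "Alert", "enabled": True}]}}
    print("hand-built setting:", audit_setting(weak, "insights-activity-logs"))
```

The same audit can be run against the JSON returned by `az monitor diagnostic-settings subscription list` to confirm the manual Event Hub path covers the categories the wizard would have enabled.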

Thanks for the response. This is very helpful. So the log ingestion part is the same as that with the Azure Event Hub integration, except that the Azure integration provides you with an automated way to create that Event Hub.

 

For automation I was looking for what was actually meant by this in the documentation: "Automation: Use automation to pre-configure a list of integrations and associated commands to automate security issue responses. Commands can be utilized individually or as part of custom playbooks for issue remediation." What are the commands, and what is meant by "pre-configure a list of integrations"?

 

Also, I suppose some of the capabilities you mentioned are not there for the foundational configuration. Do you have an exact list of the features that are available for the foundational configuration?
