Ingest Network Flow Logs from Microsoft Azure Network Watcher

Ingest network security group (NSG) flow logs from Microsoft Azure Network Watcher for use in Cortex XDR network stories.
Ingesting Logs from Azure Event Hub requires a Cortex XDR Pro per TB license.
To receive network security group (NSG) flow logs from Azure Network Watcher, you must configure data collection from Microsoft Azure Network Watcher using an Azure Function provided by Cortex XDR. This Azure Function requires a token that is generated when you configure your Azure Network Watcher Collector in the Collection Integration settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. You can also configure Cortex XDR to ingest network flow logs as XDR network connection stories, which you can query with XQL Search using the xdr_dataset dataset with the preset called network_story. Cortex XDR can also raise Cortex XDR alerts (Analytics, Correlation Rule, IOC and BIOC only) when relevant from Azure Network Watcher logs. Analytics alerts are only raised on normalized logs.
Be sure you do the following tasks before you begin configuring data collection from Azure Network Watcher.
  1. Configure the Azure Network Watcher collection in Cortex XDR.
    1. Select Settings > Configurations > Data Collection > Collection Integrations.
    2. In the Azure Network Watcher configuration, click the here link to begin a new configuration.
    3. Set these parameters.
      • Name: Specify a descriptive name for your log collection configuration.
      • Normalize and enrich flow logs: (Optional) Select the checkbox to normalize and enrich flow logs. If selected, Cortex XDR ingests network flow logs as Cortex XDR network connection stories, which you can query with XQL Search using the xdr_dataset dataset with the preset called network_story.
    4. Click Save & Generate Token. The token is displayed in a blue box, which is blurred out in the image below. Click the copy icon next to the key and record it somewhere safe. You will need to provide this key when you configure the Azure Function and set the XDR Token value. If you forget to record the key and close the window, you will need to generate a new key and repeat this process. When you are finished, click Done to close the window.
    5. In the Integrations page for the Azure Network Watcher Collector that you created, select Copy api url and record it somewhere safe. You will need to provide this URL when you configure the Azure Function and set the XDR Host value.
  2. Configure the Azure Function provided by Cortex XDR.
    1. Open the Azure Function provided by Cortex XDR.
    2. Click Deploy to Azure.
    3. Set these parameters. Some fields are mandatory and others are already populated for you.
      • Subscription: Specify the Azure subscription that you want to use for the App Configuration. If your account has only one subscription, it is automatically selected.
      • Resource group: Specify or create a resource group for your App Configuration store resource.
      • Region: Specify the Azure region that you want to use.
      • App Name: Specify the name of the function app. In the Azure Portal, this is the name that appears in the list of resources.
      • App Service Plan: Select the applicable service plan. If you select Service Plan (default), an App Service plan is created and you are billed accordingly. If you select Consumption, you are billed based on the Consumption Plan.
      • App Service Plan Tier: When setting a Service Plan, you must select the applicable App Service Plan Tier from the list of options (Free (default), Shared, Basic, Standard, Premium, and PremiumV2). Otherwise, leave the default option configured.
      • App Service Plan Name: When setting a Service Plan, you must set the App Service Plan Name, which must match the Service Plan Tier.
      • App Service Plan Capacity: When setting a Service Plan, specify how many instances you want as the upper limit, or leave the default of 2. For example, when configuring a Standard Tier Service Plan, S2, set a value from 1 to 10.
      • Github Repo URL: Specify the URL of the repo that contains the function app source. Leave the default as https://github.com/PaloAltoNetworks/AzureNetworkWatcherNSGFlowLogsConnector.git or specify your fork's address here.
      • Github Repo Branch: Specify the name of the branch containing the code you want to deploy. Leave the default as master or specify the applicable branch.
      • Nsg Source Data Connection: Specify the storage account connection string for your Azure Network Watcher.
        1. From the Microsoft Azure Console, open the Storage accounts page, and select the storage account that contains the connection string for the Azure Network Watcher you have configured for data collection by Cortex XDR.
        2. Select Security + networking > Access keys, and click Show keys.
        3. Copy the applicable Connection string and paste it in the Nsg Source Data Connection field. Treat this connection string as a secret: it embeds a storage account access key.
      • Output Binding: Select where you want to send your logs, either xdr (default) or eventhub.
      • XDR Host: Specify the API URL that you recorded when you configured the Azure Network Watcher collection in Cortex XDR.
      • XDR Token: Specify the token you received when
    4. Click Review + Create to confirm your settings for the Azure Function.
    5. Click Create. It can take a few minutes for the deployment to complete.
    Once events start to come in, a green check mark appears underneath the Azure Network Watcher configuration that you created in Cortex XDR, with the amount of data received.
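As an added example (not code from Cortex XDR or from the AzureNetworkWatcherNSGFlowLogsConnector project), the script below shows what the Azure Function is reading from the storage account and what "normalize" means for these logs: it parses a constructed NSG flow log record, flattens each flowTuples string into one connection record (the kind of tuple a network story is built from), and summarizes allowed versus denied flows per direction. The field layout follows the NSG flow log version 2 tuple format (version 1 tuples, which lack the state and counter fields, are also handled); the names Flow, parse_flow_log, summarize and denied_inbound_services are this example's own, and the sample record, resource ID and addresses are constructed.

```python
"""Flatten Azure NSG flow log (v1/v2) records into normalized connection tuples.

Added example; not Cortex XDR or connector project code. SAMPLE_RECORD is a
constructed record in the NetworkSecurityGroupFlowEvent JSON layout.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Single-letter codes used inside an NSG flowTuple and their normalized names.
PROTOCOL = {"T": "tcp", "U": "udp"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allowed", "D": "denied"}
STATE = {"B": "begin", "C": "continuing", "E": "end"}

# Constructed sample: one record, two NSG rules, three flow tuples (v2 layout:
# ts,src,dst,sport,dport,proto,dir,decision,state,pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s).
SAMPLE_RECORD = json.dumps({
    "records": [{
        "time": "2024-05-01T12:00:00.0000000Z",
        "systemId": "00000000-0000-0000-0000-000000000000",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_AllowVnetOutBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1714564800,10.0.0.4,10.0.1.5,44931,443,T,O,A,B,,,,",
                     "1714564805,10.0.0.4,10.0.1.5,44931,443,T,O,A,E,10,1200,8,9000"]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1714564810,198.51.100.7,10.0.0.4,51234,22,T,I,D,B,,,,"]}]},
            ],
        },
    }]
})


@dataclass
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    action: str
    state: str           # v1 records carry no state field; reported as "begin"
    packets_total: int   # both directions summed; 0 until the NSG reports counters
    bytes_total: int     # both directions summed; 0 until the NSG reports counters
    nsg_rule: str
    nsg_resource_id: str


def parse_tuple(tup, version, rule, resource_id):
    """Turn one comma-separated flowTuple string into a Flow."""
    f = tup.split(",")
    expected = 13 if version >= 2 else 8
    if len(f) != expected:
        raise ValueError(f"expected {expected} fields for version {version}, got {len(f)}: {tup!r}")
    to_int = lambda s: int(s) if s else 0   # 'begin' tuples leave the counters empty
    return Flow(
        ts=int(f[0]), src_ip=f[1], dst_ip=f[2], src_port=int(f[3]), dst_port=int(f[4]),
        protocol=PROTOCOL[f[5]], direction=DIRECTION[f[6]], action=DECISION[f[7]],
        state=STATE[f[8]] if version >= 2 else "begin",
        packets_total=to_int(f[9]) + to_int(f[11]) if version >= 2 else 0,
        bytes_total=to_int(f[10]) + to_int(f[12]) if version >= 2 else 0,
        nsg_rule=rule, nsg_resource_id=resource_id,
    )


def parse_flow_log(raw_json):
    """Flatten a Network Watcher NSG flow log blob (JSON text) into Flow records."""
    flows = []
    for rec in json.loads(raw_json)["records"]:
        props = rec["properties"]
        version = int(props.get("Version", 1))
        for rule_block in props["flows"]:
            for iface in rule_block["flows"]:
                for tup in iface["flowTuples"]:
                    flows.append(parse_tuple(tup, version, rule_block["rule"], rec["resourceId"]))
    return flows


def summarize(flows):
    """Count flows per (direction, action), e.g. how much inbound traffic the NSG denied."""
    return Counter((fl.direction, fl.action) for fl in flows)


def denied_inbound_services(flows):
    """Map (protocol, dst_port) of denied inbound flows to the source IPs that hit them."""
    hits = {}
    for fl in flows:
        if fl.direction == "inbound" and fl.action == "denied":
            hits.setdefault((fl.protocol, fl.dst_port), set()).add(fl.src_ip)
    return hits


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_RECORD)
    for fl in parsed:
        print(f"{fl.ts} {fl.direction:8} {fl.action:7} {fl.src_ip}:{fl.src_port} -> "
              f"{fl.dst_ip}:{fl.dst_port} {fl.protocol} {fl.state} bytes={fl.bytes_total} rule={fl.nsg_rule}")
    print(summarize(parsed))
    print(denied_inbound_services(parsed))
```

Running it prints one line per connection followed by the per-direction counts and the denied inbound ports. Two details matter when building detections on these logs: a connection appears more than once (a "begin" tuple with empty counters, then "continuing"/"end" tuples that carry the byte and packet counts), so counting tuples overstates connection counts, and only version 2 records carry state and counters at all.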
