This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Azure NSG & NetWitness Integration

SaketBajoria
Beginner
Beginner
‎2018-02-28 11:26 AM

Microsoft Azure Network Security Group Flow Logs are a feature of Azure Network Watcher that provide information about ingress and egress IP traffic through a configured Network Security Group. The NetWitness plugin built for Azure NSG can authenticate and pull flow logs from Azure storage in real time.

“While Virtual Network (VNET) is the cornerstone of Azure networking model and provides isolation and protection. Network Security Group (NSG) is the main tool you need to use to enforce and control network traffic rules at the networking level. Customers can control access by permitting or denying communication between the workloads within a virtual network, from systems on customer’s networks via cross-premises connectivity, or direct Internet communication. In the diagram below, both VNETs and NSGs reside in a specific layer in the Azure overall security stack, where NSGs, UDR, and network virtual appliances can be used to create security boundaries to protect the application deployments in the protected network.”

 

What is a Network Security Group (NSG)?

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg

 

 

1.bmp

How does it work?

These flow logs are written in JSON format and show outbound and inbound flows on a per rule basis.

It provides the following information: 

  • MAC Address of the NIC, flow applies to
  • 5-tuple information about the flow (Source IP, Destination IP, Source Port, Destination Port, Protocol),
  • And if the traffic was allowed or denied.

 

Flow logs are stored only within a storage account and follow the logging path as shown below:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId%3D/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.network/networksecuritygroups/{nsgName}/{year}/{month}/{day}/{hour}/m=00/{macAddress}/PT1H.json

 

pastedImage_11.png

Logs have a retention policy that can be set from 1 day to 365 days. If a retention policy is not set, the logs are maintained foreverRSA Netwitness uses Shared Access Signature (SAS Token) to authenticate and pull flow logs from Azure storage in real time.

Use Cases:

With the visibility into Network Flow traffic in the Azure framework, multiple use-cases can be built. For example: 

 

  1. See the overall stats of Allowed vs Denied Traffic in your network, and based on what’s normal, setup alerts if its above or below a certain threshold.
  2. Summary of Protocol usage in the environment, set alerts for abnormal protocol usage. 
  3. Top Destination Address Reached out to from your environment.
  4. Set Alerts against blacklisted IP Addresses
  5. Setup rules based on IP range to determine Inbound vs Outbound vs Lateral traffic and then build a dashboard to see the pattern.

 

Downloads and Documentation:

Configuration Guide: Microsoft Azure NSG Event Source Configuration Guide 

 

Collector Package on RSA Live: "MS Azure NSG Flow Logs"

 

Parser on RSA Live: CEF (device.type="msazurensg")

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.