Microsoft Azure NSG & NetWitness Integration

SaketBajoria
2018-02-28 11:26 AM

Microsoft Azure Network Security Group (NSG) flow logs are a feature of Azure Network Watcher that records the ingress and egress IP traffic passing through a configured Network Security Group. The NetWitness plugin built for Azure NSG authenticates to the Azure storage account that holds these logs and pulls the flow logs in real time.

“While Virtual Network (VNET) is the cornerstone of the Azure networking model and provides isolation and protection, Network Security Group (NSG) is the main tool you need to use to enforce and control network traffic rules at the networking level. Customers can control access by permitting or denying communication between the workloads within a virtual network, from systems on the customer’s networks via cross-premises connectivity, or direct Internet communication. In the diagram below, both VNETs and NSGs reside in a specific layer in the Azure overall security stack, where NSGs, UDR, and network virtual appliances can be used to create security boundaries to protect the application deployments in the protected network.”

What is a Network Security Group (NSG)?

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg

[Figure: Azure security stack diagram showing the VNET/NSG layer (image 1.bmp not available)]

How does it work?

Flow logs are written in JSON format and record outbound and inbound flows on a per-rule basis, that is, each flow is attributed to the NSG rule that matched it.

Each flow record provides the following information:

  • The MAC address of the NIC the flow applies to
  • The 5-tuple of the flow (source IP, destination IP, source port, destination port, protocol)
  • Whether the traffic was allowed or denied

Flow logs are stored only in a storage account and follow the blob path shown below; the NSG, the hour and the NIC's MAC address are all encoded in the path, and each hourly file is named PT1H.json:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId%3D/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.network/networksecuritygroups/{nsgName}/{year}/{month}/{day}/{hour}/m=00/{macAddress}/PT1H.json

[Screenshot: flow log blob path as seen in Azure storage (image pastedImage_11.png not available)]

Logs have a retention policy that can be set from 1 day to 365 days. If no retention policy is set, the logs are kept forever. RSA NetWitness uses a Shared Access Signature (SAS token) to authenticate to the storage account and pull flow logs in real time. A SAS token carries its own permissions and expiry, so the token issued for the collector should grant only the read and list permissions it needs on the flow log container and be rotated before it expires.

Use Cases:

With visibility into network flow traffic in the Azure environment, multiple use cases can be built. For example:

  1. See the overall statistics of allowed vs. denied traffic in your network and, based on what is normal, set up alerts if the ratio rises above or falls below a given threshold.
  2. Summarize protocol usage in the environment and set alerts for abnormal protocol usage.
  3. List the top destination addresses reached from your environment.
  4. Set alerts against blacklisted IP addresses.
  5. Set up rules based on IP ranges to classify traffic as inbound, outbound or lateral, and then build a dashboard to see the pattern.
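The following is an added example (not NetWitness or Microsoft code) that ties the two sections above together: it decomposes the blob path described under "How does it work?" into its components, flattens a PT1H.json file into individual flows, and then computes each of the five use cases listed. The PT1H.json sample is constructed here in the layout of Azure's version 1 NSG flow log records, where each flow tuple is a comma-separated string of timestamp, source IP, destination IP, source port, destination port, protocol (T/U), direction (I/O) and decision (A/D); the storage account name, subscription ID, resource group, NSG name, MAC address, IP addresses, blacklist and internal range are all placeholder values chosen for the example.

```python
"""Parse an Azure NSG flow-log blob path and a PT1H.json file, then build the
allowed/denied, protocol, top-destination, blacklist and direction summaries
described in the post. Added example; not NetWitness or Microsoft code."""
import json
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Blob path layout from the post; the variable segments become named groups.
PATH_RE = re.compile(
    r"https://(?P<account>[^.]+)\.blob\.core\.windows\.net/"
    r"insights-logs-networksecuritygroupflowevent/resourceId%3D/"
    r"subscriptions/(?P<subscription>[^/]+)/resourcegroups/(?P<rg>[^/]+)/"
    r"providers/microsoft\.network/networksecuritygroups/(?P<nsg>[^/]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<hour>\d{2})/m=00/"
    r"(?P<mac>[0-9A-Fa-f]{12})/PT1H\.json$"
)

# Placeholder values: account, subscription, resource group, NSG and MAC are made up.
SAMPLE_BLOB_URL = (
    "https://nwstorage.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/"
    "resourceId%3D/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/prod-rg/"
    "providers/microsoft.network/networksecuritygroups/web-nsg/2018/02/28/11/m=00/"
    "000D3AF87A12/PT1H.json"
)


def parse_blob_path(url):
    """Return the storage account, subscription, resource group, NSG, hour and MAC
    encoded in a flow-log blob path."""
    m = PATH_RE.match(url)
    if not m:
        raise ValueError("not an NSG flow-log blob path")
    return m.groupdict()


# Constructed sample in the Azure NSG flow-log version 1 record layout (assumption:
# this is the shape the collector pulls). Each tuple is
# "time,srcIP,dstIP,srcPort,dstPort,proto(T/U),direction(I/O),decision(A/D)".
SAMPLE_PT1H = json.dumps({"records": [{
    "time": "2018-02-28T11:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{
            "mac": "000D3AF87A12", "flowTuples": [
                "1519815600,10.0.0.4,13.107.21.200,49152,443,T,O,A",
                "1519815601,10.0.0.4,13.107.21.200,49153,443,T,O,A",
                "1519815602,10.0.0.4,10.0.1.7,49154,445,T,O,A",
                "1519815603,10.0.0.4,8.8.8.8,51000,53,U,O,A"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{
            "mac": "000D3AF87A12", "flowTuples": [
                "1519815604,198.51.100.23,10.0.0.4,40001,22,T,I,D",
                "1519815605,198.51.100.23,10.0.0.4,40002,3389,T,I,D",
                "1519815606,203.0.113.9,10.0.0.4,40003,22,T,I,D"]}]}]}}]})

PROTO = {"T": "TCP", "U": "UDP"}


def parse_flows(pt1h_json):
    """Flatten a PT1H.json document into one dict per flow tuple, keeping the
    rule name and NIC MAC so each flow stays attributable to its NSG rule."""
    flows = []
    for rec in json.loads(pt1h_json)["records"]:
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    ts, src, dst, sport, dport, proto, direction, decision = tup.split(",")
                    flows.append({
                        "time": int(ts), "rule": rule["rule"], "mac": nic["mac"],
                        "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                        "proto": PROTO.get(proto, proto),
                        "direction": "inbound" if direction == "I" else "outbound",
                        "decision": "allowed" if decision == "A" else "denied",
                    })
    return flows


def allow_deny_stats(flows, max_denied_ratio=0.3):
    """Use case 1: allowed vs. denied counts, with an alert when the denied share
    exceeds the threshold learned from normal traffic."""
    c = Counter(f["decision"] for f in flows)
    ratio = c["denied"] / len(flows) if flows else 0.0
    return {"allowed": c["allowed"], "denied": c["denied"],
            "denied_ratio": ratio, "alert": ratio > max_denied_ratio}


def protocol_summary(flows):
    """Use case 2: flows per protocol."""
    return dict(Counter(f["proto"] for f in flows))


def top_destinations(flows, n=3):
    """Use case 3: most-contacted destinations among outbound flows."""
    return Counter(f["dst"] for f in flows if f["direction"] == "outbound").most_common(n)


def blacklist_hits(flows, blacklist):
    """Use case 4: flows whose source or destination is on the blacklist."""
    bad = {ip_address(i) for i in blacklist}
    return [f for f in flows if ip_address(f["src"]) in bad or ip_address(f["dst"]) in bad]


def classify_direction(flow, internal_ranges):
    """Use case 5: inbound, outbound or lateral, judged by which endpoints fall
    inside the internal IP ranges (rather than by the NSG's own I/O flag)."""
    nets = [ip_network(r) for r in internal_ranges]
    src_in = any(ip_address(flow["src"]) in n for n in nets)
    dst_in = any(ip_address(flow["dst"]) in n for n in nets)
    if src_in and dst_in:
        return "lateral"
    return "outbound" if src_in else "inbound"


def direction_summary(flows, internal_ranges):
    return dict(Counter(classify_direction(f, internal_ranges) for f in flows))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_PT1H)
    print(parse_blob_path(SAMPLE_BLOB_URL))
    print(allow_deny_stats(flows), protocol_summary(flows), top_destinations(flows))
    print(len(blacklist_hits(flows, ["198.51.100.23"])), direction_summary(flows, ["10.0.0.0/16"]))
```

The direction classification deliberately uses your own internal IP ranges rather than the I/O flag in the tuple: the NSG flag only says which way the flow crossed that NSG, while the range check is what distinguishes lateral east-west traffic between subnets from true ingress and egress.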

Downloads and Documentation:

Configuration Guide: Microsoft Azure NSG Event Source Configuration Guide

Collector Package on RSA Live: "MS Azure NSG Flow Logs"

Parser on RSA Live: CEF (device.type="msazurensg")
