Azure Network Watcher
Overview
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It can also record information about the IP traffic flowing through a network security group (NSG): these records are the NSG flow logs.
Event Categories
The following table lists the data sources offered by this integration.

Data Source | Description |
---|---|
Host network interface | Every flow passing through the network security group is logged (NSG flow logs are flow records, not per-packet captures) |
Netflow/Enclave netflow | Azure Network Watcher NSG flow logs are NetFlow-like |
Network device logs | Flows logged by NSG flow logs |
Network protocol analysis | Traffic analysis at layers 2/3/4 |
In detail, the following table denotes the type of events produced by this integration.

Name | Values |
---|---|
Kind | `event` |
Category | `network` |
Type | `` |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"flow_state\": \"begin\",\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowVnetOutBound"
},
"action": {
"type": "DefaultRule_AllowVnetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "begin",
"Version": "2"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "inbound"
},
"source": {
"ip": "1.2.3.4",
"port": 35370,
"mac": "DB831EFEC376",
"address": "1.2.3.4"
},
"destination": {
"ip": "5.6.7.8",
"port": 23,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
}
}
{
"message": "{\"flow_state\": \"end\", \"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowVnetOutBound"
},
"action": {
"type": "DefaultRule_AllowVnetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "end",
"Version": "2"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "outbound"
},
"source": {
"ip": "1.2.3.4",
"port": 36422,
"packets": 1,
"bytes": 74,
"mac": "DB831EFEC376",
"address": "1.2.3.4"
},
"destination": {
"ip": "5.6.7.8",
"port": 8086,
"packets": 1,
"bytes": 74,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
}
}
{
"message": "{\"flow_state\": \"begin\", \"source_addr\": \"1.3.4.2\", \"macAddress\": \"DB831EFEC376\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\", \"time\": \"2021-03-24T10:55:03.0680749Z\", \"rule\": \"DefaultRule_AllowInternetOutBound\", \"flow.0\": \"1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowInternetOutBound"
},
"action": {
"type": "DefaultRule_AllowInternetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "begin"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "inbound"
},
"source": {
"ip": "1.3.4.2",
"port": 55486,
"mac": "DB831EFEC376",
"address": "1.3.4.2"
},
"destination": {
"ip": "5.6.7.8",
"port": 443,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.3.4.2",
"5.6.7.8"
]
}
}
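The normalization shown in the samples can be reproduced from the raw message alone. The Python below is an added example written for this page, not Sekoia.io's parser: it splits version 1 (8-column) and version 2 (13-column) flow tuples, maps the one-letter protocol, direction, decision and state flags, rejects malformed tuples instead of mis-normalizing them, and builds the ECS-style event. Direction and addresses are taken from the tuple itself (the `source_addr` key present in the third sample is ignored here). The `exposed_management_port` check and its `MANAGEMENT_PORTS` table are hypothetical detection logic added to show what the normalized events are for; the test messages are reassembled from the samples above.

```python
import ipaddress
import json

# Column layout of an NSG flow log tuple. Version 1 tuples stop after the
# decision flag (8 columns); version 2 appends a flow-state flag and four
# traffic counters (13 columns) that stay empty while the state is "B".
PROTOCOLS = {"T": "tcp", "U": "udp"}
DIRECTIONS = {"I": "inbound", "O": "outbound"}
DECISIONS = {"A": "accept", "D": "deny"}
EVENT_TYPES = {"A": "allowed", "D": "denied"}  # ECS event.type values
FLOW_STATES = {"B": "begin", "C": "continuing", "E": "end"}


def _flag(table, value, what):
    """Map a one-letter flag, rejecting anything outside the schema."""
    if value not in table:
        raise ValueError(f"unknown {what} flag {value!r}")
    return table[value]


def parse_flow_tuple(flow_tuple):
    """Split one comma-separated flow tuple into typed fields."""
    cols = flow_tuple.split(",")
    if len(cols) not in (8, 13):
        raise ValueError(f"unexpected tuple width {len(cols)}: {flow_tuple!r}")
    ts, src_ip, dst_ip, src_port, dst_port, proto, direction, decision = cols[:8]
    flow = {
        "timestamp": int(ts),
        "source_ip": str(ipaddress.ip_address(src_ip)),  # validates the address
        "destination_ip": str(ipaddress.ip_address(dst_ip)),
        "source_port": int(src_port),
        "destination_port": int(dst_port),
        "transport": _flag(PROTOCOLS, proto, "protocol"),
        "direction": _flag(DIRECTIONS, direction, "direction"),
        "decision": _flag(DECISIONS, decision, "decision"),
        "event_type": _flag(EVENT_TYPES, decision, "decision"),
    }
    if len(cols) == 13:
        state, s_pkts, s_bytes, d_pkts, d_bytes = cols[8:]
        flow["flow_state"] = _flag(FLOW_STATES, state, "state")
        if s_pkts:  # counters are only filled for "C" and "E" records
            flow["source_packets"], flow["source_bytes"] = int(s_pkts), int(s_bytes)
            flow["destination_packets"], flow["destination_bytes"] = int(d_pkts), int(d_bytes)
    return flow


def normalize_message(message):
    """Normalize one raw "message" (as shown in the samples) into an ECS-style
    event. Only "flow.0" is read; direction and addresses come from the tuple."""
    raw = json.loads(message)
    flow = parse_flow_tuple(raw["flow.0"])
    event = {
        "event": {"kind": "event", "category": ["network"], "code": raw["operationName"],
                  "action": flow["decision"], "type": [flow["event_type"]]},
        "rule": {"name": raw["rule"]},
        "host": {"name": raw["resourceId"]},
        "network": {"transport": flow["transport"], "direction": flow["direction"]},
        "source": {"ip": flow["source_ip"], "port": flow["source_port"], "mac": raw["macAddress"]},
        "destination": {"ip": flow["destination_ip"], "port": flow["destination_port"]},
        "related": {"ip": [flow["source_ip"], flow["destination_ip"]]},
    }
    if "source_bytes" in flow:
        event["source"].update(packets=flow["source_packets"], bytes=flow["source_bytes"])
        event["destination"].update(packets=flow["destination_packets"],
                                    bytes=flow["destination_bytes"])
    return event


# Hypothetical detection: an accepted inbound flow from a public address to a
# management port deserves an alert whatever the matching rule is called.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}


def exposed_management_port(event):
    """Return a short reason string for a risky event, or None."""
    if event["event"]["action"] != "accept" or event["network"]["direction"] != "inbound":
        return None
    service = MANAGEMENT_PORTS.get(event["destination"]["port"])
    if service is None or ipaddress.ip_address(event["source"]["ip"]).is_private:
        return None
    return f"{service} from {event['source']['ip']} to {event['destination']['ip']}"


# Test input reassembled from the three samples above (constructed, no live data).
NSG_ID = ("/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION"
          "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG")


def sample_message(flow_tuple, rule, **extra):
    record = {"resourceId": NSG_ID, "macAddress": "DB831EFEC376", "flow.0": flow_tuple,
              "rule": rule, "operationName": "NetworkSecurityGroupFlowEvents",
              "time": "2020-12-14T22:16:46.3528160Z"}
    record.update(extra)
    return json.dumps(record)


SAMPLES = [
    sample_message("1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,",
                   "DefaultRule_AllowVnetOutBound", flow_state="begin", version="2"),
    sample_message("1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74",
                   "DefaultRule_AllowVnetOutBound", flow_state="end", version="2"),
    sample_message("1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A",
                   "DefaultRule_AllowInternetOutBound", flow_state="begin"),
]

if __name__ == "__main__":
    for message in SAMPLES:
        event = normalize_message(message)
        print(json.dumps(event, indent=2))
        hit = exposed_management_port(event)
        if hit:
            print("ALERT:", hit)
```

Run as a script, the first sample (an accepted inbound flow to port 23 from 1.2.3.4) raises the alert; the two outbound samples do not. A "B" record carries no counters, so byte and packet fields are only emitted for "C" and "E" records, which is why the first sample's normalized event has none.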
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
action.properties | array | Additional properties of the action (operation name, flow state, flow log version). |
action.target | keyword | The target of the action. |
destination.bytes | long | Bytes sent from the destination to the source. |
destination.ip | ip | IP address of the destination. |
destination.packets | long | Packets sent from the destination to the source. |
destination.port | long | Port of the destination. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.code | keyword | Identification code for this event. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
host.name | keyword | Name of the host. |
rule.name | keyword | Rule name. |
source.bytes | long | Bytes sent from the source to the destination. |
source.ip | ip | IP address of the source. |
source.mac | keyword | MAC address of the source. |
source.packets | long | Packets sent from the source to the destination. |
source.port | long | Port of the source. |
Configure
Please contact your support to discuss which network security groups to monitor in your Azure infrastructure, so that the appropriate solution to forward your logs to Sekoia.io can be found.
This setup guide shows a method to enable the NSG flow logs produced by the Azure Network Watcher service and to give Sekoia.io access to them.
Enable NSG flow logs
The following instructions are provided for the Azure web portal (https://portal.azure.com).
As prerequisites you need at least one virtual machine with a network security group, Network Watcher enabled in the region of that virtual machine, and the Microsoft.Insights resource provider registered in the subscription.
Navigate to the Network Watcher service and select NSG flow logs under LOGS. From the list of NSGs, select the one(s) attached to your VM(s), and under Flow logs settings select On to enable the NSG flow logs. Select the Version 2 flow log format, which is the format integrated into the Operations Center.
These instructions are illustrated in more detail in Microsoft's Azure Network Watcher documentation.
Share access to logs
This part should be discussed with Sekoia.io to find the appropriate solution to forward your flow logs.
A possible solution consists in sharing with us:
- an access key for the Azure Blob Storage account,
- a storage token associated with the resources to share,
- the name of the container where the NSG flow logs are stored.
Prefer a token scoped to that container, limited to read and list permissions and carrying an expiry date, over the storage account access key: the account key grants full control of every container in the storage account and can only be revoked by rotating it.
From this information, we will be able to retrieve each hourly PT1H.json blob, which contains the flow logs.
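Whoever retrieves the flow logs from the storage account needs to know where the blobs live and how a blob relates to the per-flow messages shown in the samples above. The Python below is an added example for this page, not Sekoia.io's collector: `blob_path` builds the path of the hourly PT1H.json blob for one NSG and one NIC (Network Watcher writes these into the fixed `insights-logs-networksecuritygroupflowevent` container), and `flatten_records` walks the blob's `records[].properties.flows[].flows[].flowTuples[]` nesting to emit one flat message per tuple, in the same shape as the "message" field of the samples. The sample blob, its `systemId` and the two tuples it carries are constructed test input.

```python
import json
from datetime import datetime

# Container that Network Watcher writes NSG flow logs into; the name is fixed.
CONTAINER = "insights-logs-networksecuritygroupflowevent"

NSG_ID = ("/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION"
          "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG")

FLOW_STATES = {"B": "begin", "C": "continuing", "E": "end"}


def blob_path(resource_id, record_time, mac):
    """Return the path, inside CONTAINER, of the hourly PT1H.json blob holding
    the flows of one NSG for one NIC (identified by MAC) at the given UTC time.

    record_time is a record "time" string such as "2020-12-14T22:16:46.3528160Z".
    Path segments are upper-cased and the minute segment is always "m=00"."""
    hour = datetime.strptime(record_time[:13], "%Y-%m-%dT%H")
    return (f"resourceId={resource_id.upper()}/y={hour:%Y}/m={hour:%m}/d={hour:%d}"
            f"/h={hour:%H}/m=00/macAddress={mac.upper()}/PT1H.json")


def flatten_records(blob_text):
    """Yield one flat JSON message per flow tuple found in a PT1H.json blob.

    Records of another category are skipped; the flow_state key is derived from
    the version 2 state flag and omitted for 8-column version 1 tuples."""
    for record in json.loads(blob_text)["records"]:
        if record.get("category") != "NetworkSecurityGroupFlowEvent":
            continue
        props = record["properties"]
        for rule_block in props["flows"]:          # one block per NSG rule
            for nic in rule_block["flows"]:        # one block per NIC (MAC)
                for flow_tuple in nic["flowTuples"]:
                    message = {
                        "resourceId": record["resourceId"],
                        "macAddress": nic["mac"],
                        "flow.0": flow_tuple,
                        "rule": rule_block["rule"],
                        "operationName": record["operationName"],
                        "time": record["time"],
                    }
                    if "Version" in props:
                        message["version"] = str(props["Version"])
                    cols = flow_tuple.split(",")
                    if len(cols) > 8:  # version 2: state flag is the 9th column
                        message["flow_state"] = FLOW_STATES.get(cols[8], cols[8])
                    yield json.dumps(message)


# Constructed PT1H.json content following the version 2 blob layout; the
# systemId is a placeholder and the tuples are those of the samples above.
SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2020-12-14T22:16:46.3528160Z",
        "systemId": "00000000-0000-0000-0000-000000000000",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": NSG_ID,
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [{
                "rule": "DefaultRule_AllowVnetOutBound",
                "flows": [{
                    "mac": "DB831EFEC376",
                    "flowTuples": [
                        "1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,",
                        "1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74",
                    ],
                }],
            }],
        },
    }],
})

if __name__ == "__main__":
    print(CONTAINER + "/" + blob_path(NSG_ID, "2020-12-14T22:16:46.3528160Z", "DB831EFEC376"))
    for message in flatten_records(SAMPLE_BLOB):
        print(message)
```

Note that the PT1H.json blob for the current hour keeps growing as Network Watcher appends records to it, so a poller must either re-read the blob until the hour has closed or remember how far into it it has already read; otherwise flows written late in the hour are missed.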