Azure Network Watcher
Overview
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It also allows to log information about IP traffic flowing through a network security group: NSG flow logs.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Host network interface |
every packets passing through the Network Security Group are logged |
Netflow/Enclave netflow |
Azure Network Watcher NSG Flow Logs are Netflow-like |
Network device logs |
packets logged by NSG Flow Logs |
Network protocol analysis |
traffic analysis at levels 2/3/4 |
Configure
Please contact us to discuss about the network security group to monitor in your Azure infrastructure in order to find the appropriate solution to forward your logs to SEKOIA.IO.
This setup guide will show you a method to enable and give us access to NSG flow logs produced by Azure Network Watcher service to SEKOIA.IO.
Enable NSG flow logs
The following instructions are provided for the Azure web portal (https://portal.azure.com).
As a prerequisite you need at least one virtual machine with a network security group, to enable Network Watcher and to register the Microsoft.Insights provider.
Navigate to the Network Watcher service, and select NSG flow logs under LOGS. From the list of NSGs, select your VM(s), and under Flow logs settings, select On to enable the NSG flow logs. Please, select the Version 2 NSG flow log format sample which is integrated to the Operations Center.
These instructions are illustrated and more detailled here.
Share access to logs
This part should be discussed with SEKOIA.IO people to find an appropriate solution to forward your flow logs to SEKOIA.IO.
A possible solution consists to share us: - An access key for the Azure Blob Storage - A storage token associated with the resources to share - The name of the container where the NSG flow logs are stored
From this information, we will be able to retrieve each PT1h.json blob which contains the flow logs.