Ingest Network Flow Logs from Microsoft Azure Network Watcher - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-05-06
Last date published: 2024-09-08
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Ingest network security group (NSG) flow logs from Microsoft Azure Network Watcher for use in Cortex XDR network stories.

Note

Ingesting logs from Azure Network Watcher requires a Cortex XDR Pro per GB license.

To receive network security group (NSG) flow logs from Azure Network Watcher, you configure data collection using an Azure Function provided by Cortex XDR. The function authenticates to Cortex XDR with a token that is generated when you configure the Azure Network Watcher collector in the Collection Integrations settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.

When Cortex XDR begins receiving logs, the app creates a new dataset (MSFT_Azure_raw) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. For enhanced cloud protection, you can also configure Cortex XDR to ingest network flow logs as Cortex XDR network connection stories, which you can query with XQL Search using the xdr_dataset dataset with the preset called network_story. Cortex XDR can also raise alerts (Analytics, Correlation Rules, IOC, and BIOC) from Azure Network Watcher flow logs when relevant. Correlation Rules alerts are raised on both non-normalized and normalized logs; Analytics, IOC, and BIOC alerts are raised only on normalized logs.

Enhanced cloud protection provides:

  • Normalization of cloud logs

  • Cloud logs stitching

  • Enrichment with cloud data

  • Detection based on cloud analytics

  • Cloud-tailored investigations
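The normalization step described above turns the nested NSG flow log blob (records, rules, NICs, flowTuples) into one record per connection. The following Python script shows what that expansion involves and why the raw dataset is awkward to query directly. This is an added example, not code from the Cortex XDR documentation or from the PaloAltoNetworks/AzureNetworkWatcherNSGFlowLogsConnector project; the sample blob is constructed, and the output field names (src_ip, dst_port, action, and so on) are this example's own, not the fields of the network_story preset.

```python
"""Expand Azure NSG flow log records into one row per connection.

Added example; not part of the Cortex XDR documentation or the connector
project. The sample blob is constructed. Tuple field order follows the
NSG flow log format: version 1 tuples have 8 fields, version 2 tuples add
a flow state and four byte/packet counters (empty until the flow ends).
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape Network Watcher writes to the
# insights-logs-networksecuritygroupflowevent container (PT1H.json blobs).
SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2024-05-06T13:00:35.389Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD/"
                      "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856",
                            "flowTuples": [
                                "1715000400,203.0.113.7,10.5.16.4,51234,3389,T,I,D,B,,,,",
                                "1715000401,203.0.113.7,10.5.16.4,51235,22,T,I,D,B,,,,",
                            ]}]},
                {"rule": "UserRule_AllowHttps",
                 "flows": [{"mac": "000D3AF87856",
                            "flowTuples": [
                                "1715000402,198.51.100.9,10.5.16.4,40001,443,T,I,A,B,,,,",
                                "1715000460,198.51.100.9,10.5.16.4,40001,443,T,I,A,E,12,2048,10,9876",
                            ]}]},
            ],
        },
    }],
})

PROTOCOL = {"T": "tcp", "U": "udp"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allow", "D": "deny"}
STATE = {"B": "begin", "C": "continuing", "E": "end"}


def parse_tuple(tup, rule, nsg, mac):
    """Turn one comma-separated flowTuple into a flat connection dict."""
    f = tup.split(",")
    if len(f) not in (8, 13):
        raise ValueError(f"unexpected tuple width {len(f)}: {tup!r}")
    rec = {
        "timestamp": datetime.fromtimestamp(int(f[0]), tz=timezone.utc).isoformat(),
        "src_ip": f[1], "dst_ip": f[2],
        "src_port": int(f[3]), "dst_port": int(f[4]),
        "protocol": PROTOCOL.get(f[5], f[5]),
        "direction": DIRECTION.get(f[6], f[6]),
        "action": DECISION.get(f[7], f[7]),
        "rule": rule, "nsg": nsg, "mac": mac,
    }
    if len(f) == 13:  # version 2: state plus counters, which are blank on a 'begin' tuple
        rec["state"] = STATE.get(f[8], f[8])
        rec["packets_out"], rec["bytes_out"], rec["packets_in"], rec["bytes_in"] = (
            int(x) if x else 0 for x in f[9:13])
    return rec


def expand_blob(blob_text):
    """Flatten records -> rule blocks -> NICs -> flowTuples into a list of connections."""
    rows = []
    for record in json.loads(blob_text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    rows.append(parse_tuple(tup, rule_block["rule"], nsg, nic["mac"]))
    return rows


def denied_inbound_by_port(rows):
    """Quick triage view: destination ports being denied inbound, with counts."""
    return Counter(r["dst_port"] for r in rows
                   if r["direction"] == "inbound" and r["action"] == "deny")


if __name__ == "__main__":
    connections = expand_blob(SAMPLE_BLOB)
    for c in connections:
        print(c)
    print(denied_inbound_by_port(connections))
```

Once the tuples are flattened like this, questions such as "which ports are being probed and denied on this NSG" become a single filter, which is the kind of query the network_story preset is meant to make routine.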

To configure data collection from Azure Network Watcher, complete the following tasks in order.

  1. Configure the Azure Network Watcher collection in Cortex XDR.

    1. Select Settings > Configurations > Data Collection > Collection Integrations.

    2. In the Azure Network Watcher configuration, click Add Instance to begin a new configuration.

    3. Set these parameters.

      • Name—Specify a descriptive name for your log collection configuration.

      • Normalize and enrich flow logs—(Optional) For enhanced cloud protection, you can Normalize and enrich flow logs by selecting the checkbox. If selected, Cortex XDR ingests network flow logs as Cortex XDR network connection stories, which you can query with XQL Search using the xdr_dataset dataset with the preset called network_story.

    4. Click Save & Generate Token. The token is displayed in a blue box.

      Click the copy icon next to the token and record it somewhere safe. You will need to provide this token when you configure the Azure Function and set the XDR Token value. If you close the window without recording the token, you will need to generate a new token and repeat this process. When you are finished, click Done to close the window.

    5. In the Integrations page for the Azure Network Watcher collector that you created, select Copy api url and record it somewhere safe. You will need to provide this URL when you configure the Azure Function and set the XDR Host value.

  2. Configure the Azure Function provided by Cortex XDR.

    1. Open the Azure Function provided by Cortex XDR.

    2. Click Deploy to Azure.

    3. Set these parameters. Some fields are mandatory; others are already populated for you.

      • Subscription—Specify the Azure subscription that you want to use for the App Configuration. If your account has only one subscription, it is automatically selected.

      • Resource group—Specify or create a resource group for your App Configuration store resource.

      • Region—Specify the Azure region that you want to use.

      • App Name—Specify the name of the function app. In the Azure Portal, this will be the name that appears in the list of resources.

      • App Service Plan—Select the applicable service plan. If you select Service Plan (default), an App Service plan is created and you are billed accordingly. If you select Consumption, you are billed based on the Consumption Plan.

      • App Service Plan Tier—When setting a Service Plan, you must select the applicable App Service Plan Tier from the list of options (Free (default), Shared, Basic, Standard, Premium, and PremiumV2). Otherwise, leave the default option configured.

      • App Service Plan Name—When setting a Service Plan, you must set the App Service Plan Name, which must match the Service Plan Tier.

      • App Service Plan Capacity—When setting a Service Plan, specify the upper limit on the number of instances, or leave the default of 2. For example, when configuring a Standard Tier Service Plan, S2, set a value from 1 to 10.

      • Github Repo URL—Specify the URL of the repo that contains the function app source. Leave the default as https://github.com/PaloAltoNetworks/AzureNetworkWatcherNSGFlowLogsConnector.git or specify your fork's address here.

      • Github Repo Branch—Specify the name of the branch containing the code you want to deploy. Leave the default as master or specify the applicable branch.

      • Nsg Source Data Connection—Specify the connection string of the storage account that Azure Network Watcher writes flow logs to. The connection string includes an access key that grants full access to the storage account, so treat it as a secret and do not record it anywhere other than the deployment form.

        1. From the Microsoft Azure Console, open the Storage accounts page, and select the storage account to which the Azure Network Watcher you have configured for data collection by Cortex XDR writes its flow logs.

        2. Select Security + networking > Access keys, and click Show keys.

        3. Copy the applicable Connection string and paste it in the Nsg Source Data Connection field.

      • Output Binding—Select where you want to send your logs: either xdr (default) or eventhub.

      • XDR Host—Specify the API URL that you recorded when you configured the Azure Network Watcher collection in Cortex XDR.

      • XDR Token—Specify the token you recorded when you configured the Azure Network Watcher collection in Cortex XDR.

    4. Click Review + Create to confirm your settings for the Azure Function.

    5. Click Create. It can take a few minutes for the deployment to complete.

    Once events start to come in, a green check mark appears underneath the Azure Network Watcher configuration that you created in Cortex XDR with the amount of data received.
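Because the Nsg Source Data Connection value is a storage account connection string carrying an account key, it is worth checking what you are about to paste and keeping a redacted copy for change tickets or support cases. The following Python helper, added here as an example and not part of the Cortex XDR documentation or the connector project, parses the connection string, reports whether it carries a full account key or a SAS token, and produces a copy with the secret fields removed. The sample string is constructed and the key in it is not a real one.

```python
"""Inspect and redact an Azure Storage connection string before deployment.

Added example; not code from the Cortex XDR documentation or the connector
project. The sample connection string is constructed with a dummy key.
"""

SECRET_FIELDS = ("AccountKey", "SharedAccessSignature")

# Constructed sample; the AccountKey is a placeholder, not a real key.
SAMPLE = ("DefaultEndpointsProtocol=https;AccountName=nsgflowlogs;"
          "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net")


def parse_connection_string(s):
    """Split 'Key=Value;Key=Value' into a dict. Base64 keys end in '=', so each
    segment is split on the first '=' only."""
    fields = {}
    for part in s.strip().strip(";").split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed segment: {part!r}")
        key, value = part.split("=", 1)
        fields[key] = value
    return fields


def check_connection_string(s):
    """Return (ok, findings). 'ok' is False when the string cannot work as a
    storage connection; findings also flag what kind of credential it carries."""
    f = parse_connection_string(s)
    findings, ok = [], True
    if "AccountName" not in f:
        findings.append("missing AccountName")
        ok = False
    if "AccountKey" in f:
        # An account key is not scoped: it grants every permission on every
        # service of the storage account, so it must be handled as a secret.
        findings.append("carries a full account key (unscoped access to the whole storage account)")
    elif "SharedAccessSignature" in f:
        findings.append("carries a SAS token; check its expiry and that it permits the reads the function needs")
    else:
        findings.append("no AccountKey or SharedAccessSignature present")
        ok = False
    if f.get("DefaultEndpointsProtocol", "https").lower() != "https":
        findings.append("DefaultEndpointsProtocol is not https")
        ok = False
    return ok, findings


def redact(s):
    """Return the connection string with secret fields replaced, safe to paste into a ticket."""
    f = parse_connection_string(s)
    return ";".join(f"{k}={'<redacted>' if k in SECRET_FIELDS else v}" for k, v in f.items())


if __name__ == "__main__":
    ok, findings = check_connection_string(SAMPLE)
    print("ok:", ok)
    for line in findings:
        print(" -", line)
    print(redact(SAMPLE))
```

The check is deliberately conservative: it does not try to validate the key itself, only to make sure you know which kind of credential you are handing to the function app and to give you a safe form of the string to keep.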