
Flow Logs from Microsoft Azure Network Watcher Integration Guide

The following instructions are for configuring an integration of Azure Network Security Group (NSG) and Virtual Network (VNet) Flow logs from Azure Network Watcher to facilitate ingestion into Secureworks® Taegis™ XDR from an Azure Storage Account.

Configure Azure Network Watcher

Follow the Microsoft instructions to enable Flow logs from Azure Network Watcher:

Note

All other logs will normalize to the Generic schema. A custom parser is needed to enable normalization of other data sources beyond the Generic schema. Forwarding metric data to XDR is not recommended, as it is treated like all other log data rather than as metrics.

Enable Integration with XDR

Important

VNet and NSG Flow logs require separate XDR integrations due to different Blob Container names used by Azure for each Flow log type.

  1. Once the NSG or VNet Flow logs have been created in the Azure Portal, follow the integration instructions for a Storage Account to complete the integration with XDR and to begin data ingestion.
  • The Data Source Key for NSG Flow logs must be insights-logs-networksecuritygroupflowevent.
  • The Data Source Key for VNet Flow logs must be insights-logs-flowlogflowevent.
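As an added readiness check (not Secureworks or Microsoft code), the following script takes a listing of the storage account's containers and the newest blob time in each, and reports per flow-log type whether the container the corresponding XDR integration reads from exists and is being written to; the listing here is constructed sample data, and the two-hour freshness threshold is an assumption.

```python
"""Per-type readiness check for the NSG and VNet flow-log integrations.

Each flow-log type needs its own XDR integration, keyed on the Blob
Container name Azure uses for it, so each container is evaluated alone.
"""
from datetime import datetime, timedelta, timezone

# Data Source Keys from the guide, one per flow-log type.
FLOW_LOG_CONTAINERS = {
    "NSG": "insights-logs-networksecuritygroupflowevent",
    "VNet": "insights-logs-flowlogflowevent",
}

# Constructed sample listing: container name -> newest blob's
# last-modified time (UTC), as you would get from the Azure CLI or SDK.
SAMPLE_LISTING = {
    "insights-logs-networksecuritygroupflowevent":
        datetime(2024, 5, 1, 11, 40, tzinfo=timezone.utc),
    "insights-logs-flowlogflowevent":
        datetime(2024, 4, 20, 9, 0, tzinfo=timezone.utc),
    "insights-logs-exampleother":  # constructed, not a flow-log container
        datetime(2024, 5, 1, 11, 55, tzinfo=timezone.utc),
}


def check_flow_log_readiness(listing, now, max_age=timedelta(hours=2)):
    """Return {flow_type: 'ok' | 'stale' | 'missing'}.

    'missing' means the container does not exist yet (flow logs were not
    created, or point at a different storage account); 'stale' means it
    exists but Network Watcher has not written to it within max_age, so
    the integration would ingest nothing new. max_age is an assumption.
    """
    report = {}
    for flow_type, container in FLOW_LOG_CONTAINERS.items():
        newest = listing.get(container)
        if newest is None:
            report[flow_type] = "missing"
        elif now - newest > max_age:
            report[flow_type] = "stale"
        else:
            report[flow_type] = "ok"
    return report


def other_log_containers(listing):
    """Containers that are not flow logs: if forwarded, their data lands
    in the Generic schema, and metric data should not be forwarded."""
    return sorted(c for c in listing if c not in FLOW_LOG_CONTAINERS.values())


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    print(check_flow_log_readiness(SAMPLE_LISTING, now))
    print(other_log_containers(SAMPLE_LISTING))
```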

Data Provided from Integration

Normalized data from Azure NSG and VNet Flow logs will be available in the following schema(s).

Azure NSG and VNet Flow Logs

|                    | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|--------------------|-----------------|---------------------------|----------------------------|
| MS Azure Flow Logs | Netflow         |                           |                            |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.