Microsoft Azure Storage Account Integration Guide
The following instructions are for configuring an integration of Azure Storage Account to facilitate ingestion into Secureworks® Taegis™ XDR.
Configuration Prerequisites
Note
XDR supports integration of Azure Storage Account from Azure commercial cloud, Azure Government, Department of Defense (DoD) in Azure Government, US Government (GCC), and US Government High (GCC-High).
The following prerequisites are required before beginning the Storage Account integration process:
- An active Azure subscription with at least one Storage Account; see Quickstart: Create a Storage Account using Azure portal
- A Blob Container in the Storage Account that will be the destination for the data source logs
- One or more data sources configured to send log data to the Storage Account Blob Container
Gather Required Information
The following information is required to integrate a Storage Account with XDR:
- Storage Account — The Storage Account name to use for integration with XDR.
- Blob Container — The Blob Container name that exists in the Storage Account. This is the destination for the data source logs.
- Azure Function Service Plan Type — Please refer to the vendor's documentation for more information.
Important
The "Isolated" Service Plan Type is not supported.
- Azure Function Service Plan Code — Please refer to the vendor's documentation for more information.
| Service Plan Type | Valid Service Plan Code(s) |
|---|---|
| Basic | B1, B2, B3 |
| Dynamic | Y1 |
| Premium | P0V3, P1MV3, P1V2, P1V3, P2MV3, P2V2, P2V3, P3MV3, P3V2, P3V3, P4MV3, P5MV3 |
Enter the Required Information in XDR
In XDR, follow these steps:
- From the Taegis Menu, select Integrations → Cloud APIs.
- Select Add an Integration from the top of the page.
- Select the Custom tab and choose Set Up from the Azure Storage Account card.
- Fill in the required fields as described in Gather Required Information.
  - Taegis Integration Name — Any unique string.
  - Storage Account Name — The name of an existing Storage Account to which log data will be sent.
  - Function App Name — A descriptive string that denotes what the Azure Function intends to do. Example: NSGFlowLogsForwarder if NSG Flow logs are to be sent to the Storage Account.
  - Data Source Key — This is the container folder in which the logs are being created. Example: If the data source is being written in a pattern such as MicrosoftInsights/2024-02-03/02hr/part=01/00004.json, then MicrosoftInsights would be an appropriate value for Data Source Key.
  - Azure Function Service Plan Type — (Optional) Basic, Dynamic, Premium. The default is Dynamic.
  - Azure Function Service Plan Code — (Optional) See the table in Gather Required Information.
  - Azure Function Service Plan Num Workers — (Optional) The default is 1.
- Select Done. The ARM template (AzureFunction.json) will automatically download. Note the location of the file.
- Follow the steps in the vendor's documentation to deploy the ARM template.
  - Choose the Build your own template in editor option.
  - Load the AzureFunction.json file in the editor.
  - Select Save.
- Select an existing Resource group or create a new one.
Note
XDR supports Storage Accounts under Subscription IDs and/or Resource Groups different from the Subscription ID and Resource Group where the Azure Function is to be deployed.
  - Storage Account Subscription ID — Modify this only if it differs from the current Subscription ID.
  - Storage Account Resource Group — Modify this only if it differs from the current Resource Group.
- Select Review + Create.
- Select Create. The Azure Function deployment will begin.
- When the deployment is complete, return to XDR. The Azure Storage Account integration appears in the Cloud API Integrations table.
Known Issues
- With the "Basic" Azure Function Service Plan Type and B2 or B3 Azure Function Service Plan code, the maximum number of Azure Function Service Plan Num Workers is 3.
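The portal procedure above and the Known Issue, as an added shell example that is not part of this guide or of Secureworks' or Microsoft's tooling: it checks the Service Plan settings against the table and the worker limit, derives the Data Source Key from a sample blob path, and deploys the downloaded AzureFunction.json with the Azure CLI. The ARM parameter names storageAccountSubscriptionId and storageAccountResourceGroup are assumptions; compare them with the parameters section of your downloaded template.

```shell
#!/bin/sh
# Added example, not Secureworks' or Microsoft's code. Validates the Service Plan
# settings against this guide, derives the Data Source Key, and deploys the
# AzureFunction.json template that XDR downloaded. The ARM parameter names in
# deploy_function are assumptions; check them against your template.
set -eu

# Return 0 when TYPE, CODE and WORKERS (default 1) are consistent with the
# guide's table and Known Issues; print the reason and return 1 otherwise.
validate_plan() {
  type="$1"; code="$2"; workers="${3:-1}"
  case "$type" in
    Basic)   case "$code" in B1|B2|B3) ;; *) echo "Basic requires B1, B2 or B3"; return 1 ;; esac ;;
    Dynamic) case "$code" in Y1) ;; *) echo "Dynamic requires Y1"; return 1 ;; esac ;;
    Premium) case "$code" in
               P0V3|P1MV3|P1V2|P1V3|P2MV3|P2V2|P2V3|P3MV3|P3V2|P3V3|P4MV3|P5MV3) ;;
               *) echo "Premium code $code is not in the supported list"; return 1 ;;
             esac ;;
    Isolated) echo "The Isolated Service Plan Type is not supported"; return 1 ;;
    *)        echo "Unknown Service Plan Type: $type"; return 1 ;;
  esac
  # Known issue: with Basic B2 or B3, Num Workers may not exceed 3.
  case "$type/$code" in
    Basic/B2|Basic/B3) [ "$workers" -le 3 ] || { echo "Basic B2/B3 allows at most 3 workers"; return 1; } ;;
  esac
  return 0
}

# The Data Source Key is the container folder the logs are written under, i.e.
# the first path segment: MicrosoftInsights/2024-02-03/02hr/part=01/00004.json -> MicrosoftInsights
data_source_key() { printf '%s\n' "${1%%/*}"; }

# CLI equivalent of the portal deployment steps: deploy the downloaded template
# into the resource group chosen for the Function App. Pass the Storage Account's
# subscription and resource group only when they differ from the deployment's.
deploy_function() {
  rg="$1"; template="$2"; sa_sub="${3:-}"; sa_rg="${4:-}"
  set -- --resource-group "$rg" --template-file "$template"
  [ -n "$sa_sub" ] && set -- "$@" --parameters "storageAccountSubscriptionId=$sa_sub"  # assumed name
  [ -n "$sa_rg" ]  && set -- "$@" --parameters "storageAccountResourceGroup=$sa_rg"    # assumed name
  az deployment group create "$@"
}

# Usage: validate_plan Basic B2 3 && deploy_function my-rg ./AzureFunction.json
```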