Azure Blob Storage
Overview
This document provides a step-by-step guide for submitting data stored in an Azure Storage account to AlphaSOC for analysis. To accomplish this, perform the following steps:
- Configure an Azure Storage account with the necessary access policies.
- Create a new Event Subscription and set its endpoint to the AlphaSOC API using a valid access token obtained from AlphaSOC.
- Register an application and add Federated Credentials to Microsoft Entra ID (Azure Active Directory).
- Register the integration in the AlphaSOC console with your Tenant ID, Client ID, and storage account.
AlphaSOC analyzes various log files stored in Azure Storage to detect anomalies and identify security threats.
Prerequisites
- Azure Storage account
- Microsoft Entra ID
- Application Admin role
- AlphaSOC Token: available in the AlphaSOC console
Data Transfer Configuration Steps
Create an Event Webhook
Open the Storage accounts dashboard:

Select the account where the Flow Logs are stored. In this example, the account name is teststorageasoc. Then, select Events.

Create a new Event Subscription:

When creating a new Event Subscription, please set:
- Event Types to Blob Created (only).
- Endpoint Type to Webhook.
- Endpoint to: https://api.alphasoc.net/azure/importFromBlobStorage?access_token=TOKEN
To get your TOKEN, generate one in the AlphaSOC Console (under the Credentials tab) or contact support@alphasoc.com. The token is embedded in the endpoint URL, so treat the complete URL as a credential.

Create App Registration
The following steps outline how to register an application and add Federated Credentials to Microsoft Entra ID.
You must have at least the Application Admin role to perform these actions.
- Register an application.
  Sign in to the Microsoft Entra ID admin center, browse to App registrations and select New registration. Enter a Display Name and select access for the accounts in this organizational directory only (Single Tenant).
- Add credentials to Microsoft Entra ID.
  Select your application in the Microsoft Entra admin center (in the App registrations tab) and go to Certificates & secrets > Federated credentials > Add credential. Use the following settings:
  - Federated credential scenario: Other Issuer
  - Issuer: https://accounts.google.com
  - Subject: 102911262315801235571
  - Audience: your organization (workspace) ID (available in the AlphaSOC console)
  The Issuer field cannot end with a "/".
- Grant read permissions to required Storage Accounts.
  Grant the newly created application Storage Blob Data Reader permissions to allow it to read from the relevant Storage Accounts.
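The following check is an added example, not AlphaSOC's or Microsoft's code: it compares exported settings against the values this page specifies, including the trailing "/" rule for the Issuer. The record field names (issuer, subject, audiences, destination.endpointType, destination.endpointBaseUrl, filter.includedEventTypes) are assumed to match the JSON printed by `az ad app federated-credential list` and `az eventgrid event-subscription show`; the sample records and the workspace ID placeholder are constructed.

```python
from urllib.parse import urlsplit

EXPECTED_ISSUER = "https://accounts.google.com"   # from this page, no trailing "/"
EXPECTED_SUBJECT = "102911262315801235571"        # from this page
EXPECTED_ENDPOINT = ("https", "api.alphasoc.net", "/azure/importFromBlobStorage")
BLOB_CREATED = "Microsoft.Storage.BlobCreated"    # Event Grid type behind "Blob Created"


def check_federated_credential(cred, workspace_id):
    """Return the problems found in one federated credential record."""
    problems = []
    issuer = cred.get("issuer", "")
    if issuer != EXPECTED_ISSUER:
        slash = issuer.rstrip("/") == EXPECTED_ISSUER
        problems.append("issuer ends with '/'" if slash else f"unexpected issuer {issuer!r}")
    if cred.get("subject") != EXPECTED_SUBJECT:
        problems.append("subject does not match the documented value")
    if cred.get("audiences") != [workspace_id]:
        problems.append("audience is not the AlphaSOC workspace ID")
    return problems


def check_event_subscription(sub):
    """Return the problems found in one Event Grid subscription record."""
    problems = []
    dest = sub.get("destination") or {}
    if str(dest.get("endpointType", "")).lower() != "webhook":
        problems.append("endpoint type is not Webhook")
    url = urlsplit(dest.get("endpointBaseUrl") or "")  # assumed field: URL without query
    if (url.scheme, url.netloc, url.path) != EXPECTED_ENDPOINT:
        problems.append("endpoint is not the AlphaSOC import URL")
    types = (sub.get("filter") or {}).get("includedEventTypes") or []
    if types != [BLOB_CREATED]:
        problems.append(f"event types {types} are not Blob Created only")
    return problems


# Constructed sample records (field names assumed, values illustrative).
WORKSPACE_ID = "WORKSPACE-ID-PLACEHOLDER"
GOOD_CRED = {"issuer": EXPECTED_ISSUER, "subject": EXPECTED_SUBJECT, "audiences": [WORKSPACE_ID]}
BAD_CRED = dict(GOOD_CRED, issuer=EXPECTED_ISSUER + "/")
GOOD_SUB = {"destination": {"endpointType": "WebHook",
                            "endpointBaseUrl": "https://api.alphasoc.net/azure/importFromBlobStorage"},
            "filter": {"includedEventTypes": [BLOB_CREATED]}}
BAD_SUB = {"destination": GOOD_SUB["destination"],
           "filter": {"includedEventTypes": [BLOB_CREATED, "Microsoft.Storage.BlobDeleted"]}}

if __name__ == "__main__":
    for label, found in [("credential", check_federated_credential(BAD_CRED, WORKSPACE_ID)),
                         ("subscription", check_event_subscription(BAD_SUB))]:
        print(label, "->", found or "ok")
```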
Register in the AlphaSOC Console
With the app registration and federated credentials in place, register the integration in the AlphaSOC console under Credentials → Azure → Blob Storage.
- Open the Azure tab and, under Blob Storage, select New Blob Storage.
- Enter the Tenant ID and Client ID — both shown on your app registration's Overview page in Microsoft Entra ID (the Client ID is the Application (client) ID).
- In Storage account, enter the name of the account to read from (for example teststorageasoc), or enter * to read from every storage account the application can access.
- Select Add Blob Storage.
Add one entry per storage account, or a single * entry to cover all of them.
AlphaSOC begins reading logs as new blobs are created.
Need help? Contact support@alphasoc.com.