Azure Blob Storage

Overview

This document provides a step-by-step guide for submitting data stored in an Azure Storage account to AlphaSOC for analysis. To accomplish this, perform the following steps:

  1. Configure an Azure Storage account with the necessary access policies.
  2. Create a new Event Subscription and set its endpoint to the AlphaSOC API using a valid access token obtained from AlphaSOC.
  3. Register an application and add Federated Credentials to Microsoft Entra ID (Azure Active Directory).
  4. Provide AlphaSOC with the Tenant ID.

AlphaSOC analyzes various log files stored in Azure Storage to detect anomalies and identify security threats.

Prerequisites

  • Azure Storage account
  • Microsoft Entra ID
  • Application Admin role
  • AlphaSOC Token: available in the AlphaSOC console

Data Transfer Configuration Steps

Create an Event Webhook

Open the Storage accounts dashboard:

Select the account where the Flow Logs are stored. In the example below, the account name is teststorageasoc. Then, select Events.

Create a new Event Subscription:

When creating a new Event Subscription, please set:

  1. Event Types to Blob Created (only).
  2. Endpoint Type to Webhook.
  3. Endpoint to: https://api.alphasoc.net/azure/importFromBlobStorage?access_token=TOKEN. To get your TOKEN, generate one in the AlphaSOC Console (under the Credentials tab) or contact support@alphasoc.com.

Create App Registration

The following steps outline how to register an application and add Federated Credentials to Microsoft Entra ID.

Note: You must have at least the Application Admin role to perform these actions.

  1. Register an application.
    Sign in to the Microsoft Entra ID admin center, browse to App registrations and select New registration. Enter a Display Name and select access for the accounts in this organizational directory only (Single Tenant).

  2. Add credentials to Microsoft Entra ID.
    Select your application in the Microsoft Entra admin center (in App registrations tab) and go to Certificates & secrets > Federated credentials > Add credential. Use the following settings:

    • Federated credential scenario: Other Issuer
    • Issuer: https://accounts.google.com
    • Subject: contact support@alphasoc.com to acquire Subject value
    • Audience: your organization (workspace) ID (available in the AlphaSOC console)

    Note: The Issuer field cannot end with a "/".

  3. Grant read permissions to required Storage Accounts.
    Grant the newly created application Storage Blob Data Reader permissions to allow it to read from the relevant Storage Accounts.

  4. Provide AlphaSOC with Tenant ID and Application (client) ID.
    If you manage multiple tenants, provide AlphaSOC with the Tenant IDs along with a list of Storage Accounts associated with each tenant.
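
The same configuration expressed with the Azure CLI, as an added example that is not part of AlphaSOC's documentation. It assumes `az` is already logged in to the target tenant; the resource names `alphasoc-blob-created`, `alphasoc-reader` and `alphasoc`, and the `ALPHASOC_TOKEN` environment variable, are hypothetical.

```shell
#!/bin/sh
# Added example, not AlphaSOC tooling. Resource names below are hypothetical.
set -eu
ISSUER="https://accounts.google.com"   # Issuer value given on this page

# Reject the trailing-slash issuer that the note in step 2 warns about.
check_issuer() {
  case "$1" in
    */)          return 1 ;;
    https://?*)  return 0 ;;
    *)           return 1 ;;
  esac
}

# Federated credential parameters as JSON. $1 = Subject (from AlphaSOC support),
# $2 = Audience (workspace ID). Values are assumed to contain no quote characters.
fic_json() {
  check_issuer "$ISSUER" || return 1
  printf '{"name":"alphasoc","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$ISSUER" "$1" "$2"
}

# $1 = resource group, $2 = storage account, $3 = Subject, $4 = Audience.
# The token is read from ALPHASOC_TOKEN so it is not typed as an argument.
apply() {
  sa_id=$(az storage account show -g "$1" -n "$2" --query id -o tsv)
  # Event subscription: Blob Created only, delivered to the AlphaSOC webhook.
  az eventgrid event-subscription create --name alphasoc-blob-created \
    --source-resource-id "$sa_id" --endpoint-type webhook \
    --included-event-types Microsoft.Storage.BlobCreated \
    --endpoint "https://api.alphasoc.net/azure/importFromBlobStorage?access_token=$ALPHASOC_TOKEN"
  # Single-tenant app registration plus its service principal.
  app_id=$(az ad app create --display-name alphasoc-reader \
    --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fic_json "$3" "$4")"
  # Scope the read role to this one storage account, not the subscription.
  az role assignment create --assignee "$app_id" \
    --role "Storage Blob Data Reader" --scope "$sa_id"
  echo "Send AlphaSOC: tenant $(az account show --query tenantId -o tsv), client $app_id"
}

if [ "${1:-}" = "apply" ]; then shift; apply "$@"; fi
```

Run it with `ALPHASOC_TOKEN` exported and the arguments `apply RESOURCE_GROUP STORAGE_ACCOUNT SUBJECT WORKSPACE_ID`. A role assignment made immediately after creating the service principal can fail until the directory has replicated, in which case rerun that one command.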