VNet Flow Logs
Overview
This documentation outlines the configuration process for Azure VNet Flow Logs to transfer data to AlphaSOC for analysis. Through this integration, the network telemetry collected by Azure VNet Flow Logs can be used for security monitoring and threat detection.
To enable log data transfers:
- Create a subscription and register a provider.
- Create a flow log.
- Create an event subscription.
- Create an app registration.
Creating Event Subscription
Create a new Event Subscription:
When creating a new Event Subscription, please set:
- Event Types to Blob Created (only)
- Endpoint Type to Webhook
- Set the endpoint to: https://api.alphasoc.net/azure/importFromBlobStorage?access_token=TOKEN. To get your TOKEN, generate one in the AlphaSOC Console (under the Credentials tab) or contact support@alphasoc.com.
Creating App Registration
The following steps outline how to register an application and add Federated Credentials to Microsoft Entra ID.
Note: You must have at least the Application Admin role to perform these actions.
- Register an application
  Sign in to the Microsoft Entra ID admin center, browse to App registrations and select New registration. Enter a Display Name and select access for the accounts in this organizational directory only (Single Tenant).
- Add credentials to Microsoft Entra ID
  Select your application in the Microsoft Entra admin center (in the App registrations tab) and go to Certificates & secrets > Federated credentials > Add credential. Use the following settings:
  - Federated credential scenario: Other Issuer
  - Issuer: https://accounts.google.com
  - Subject: 102911262315801235571
  - Audience: your organization (workspace) ID (available in the AlphaSOC console).
  Note: The Issuer field cannot end with a "/".
- Grant read permissions to required Storage Accounts
  Grant the newly created application Storage Blob Data Reader permissions to allow it to read from the relevant Storage Accounts.
- Provide AlphaSOC with Tenant ID and Application (client) ID
  If you manage multiple tenants, provide AlphaSOC with the Tenant IDs along with a list of Storage Accounts associated with each tenant.