Azure NSG Flow Logs
Assuming that Azure NSG flow logs are already enabled and stored in an Azure Storage account, you need to create an event webhook that notifies AlphaSOC about new data, and generate a SAS token so that AlphaSOC can read the NSG flow logs from that storage account.
Create Event webhook
Open the Storage accounts dashboard:
Select the account where the Flow Logs are kept. In the example below, the account name is teststorageasoc. Then, select Events.
Create a new Event Subscription:
When creating a new Event Subscription, please set:
- Event Types to Blob Created (only)
- Endpoint Type to Webhook
- Endpoint to:
  https://api.alphasoc.net/azure/importFromBlobStorage?access_token=TOKEN
To get your TOKEN, please generate one in the AlphaSOC Console or contact support@alphasoc.com.
Generate a SAS Token
- Open the Storage accounts dashboard
- Select Shared Access Signature and use the following settings:
  - Allowed Services: Blob
  - Allowed Resource Types: Object
  - Allowed Permissions: Read, List
  - Set the expiration date to a reasonable value
- Click Generate SAS and connection string
- Provide the generated SAS token and Storage Account name to AlphaSOC
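The same two steps can be scripted with the Azure CLI instead of the portal, and the resulting SAS can be checked for least privilege before it is handed over. This is an added example, not AlphaSOC's own code; it assumes the Azure CLI is installed and logged in, and RG and TOKEN are placeholders you must replace.

```shell
#!/usr/bin/env bash
# Added example (not from the AlphaSOC documentation). Assumes `az` is installed and
# logged in; RG and TOKEN are placeholders. ACCOUNT reuses the page's example name.
set -eu

ACCOUNT="teststorageasoc"            # storage account holding the NSG flow logs
RG="REPLACE_WITH_RESOURCE_GROUP"     # placeholder
TOKEN="REPLACE_WITH_ALPHASOC_TOKEN"  # placeholder: generate in the AlphaSOC Console

# Step 1: Event Grid subscription that fires only on Blob Created events and
# posts them to the AlphaSOC webhook.
create_event_subscription() {
  local account_id
  account_id=$(az storage account show -n "$ACCOUNT" -g "$RG" --query id -o tsv)
  az eventgrid event-subscription create \
    --name alphasoc-flowlogs \
    --source-resource-id "$account_id" \
    --included-event-types Microsoft.Storage.BlobCreated \
    --endpoint-type webhook \
    --endpoint "https://api.alphasoc.net/azure/importFromBlobStorage?access_token=${TOKEN}"
}

# Step 2: account SAS limited to the Blob service (ss=b), Object resource type
# (srt=o), Read+List permissions (sp=rl), HTTPS only, with a bounded expiry.
generate_sas() {  # usage: generate_sas 2025-01-31T00:00Z
  az storage account generate-sas --account-name "$ACCOUNT" \
    --services b --resource-types o --permissions rl --https-only \
    --expiry "$1" -o tsv
}

# Extract one query parameter (e.g. sp) from a SAS query string.
sas_field() { printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p"; }

# Least-privilege check on a SAS before sharing it: returns 0 only if the token
# grants read+list on blob objects over HTTPS and carries an expiry (se).
check_sas() {
  local sas="${1#\?}"   # tolerate the leading '?' the portal prepends
  [ "$(sas_field ss  "$sas")" = "b" ]     || return 1
  [ "$(sas_field srt "$sas")" = "o" ]     || return 1
  [ "$(sas_field spr "$sas")" = "https" ] || return 1
  case "$(sas_field sp "$sas")" in rl|lr) ;; *) return 1 ;; esac
  [ -n "$(sas_field se "$sas")" ]         || return 1
}

# Interactive usage (needs az login):
#   create_event_subscription
#   SAS=$(generate_sas 2025-01-31T00:00Z) && check_sas "$SAS" && echo "SAS is read+list only"
```

Run `check_sas` on any SAS produced through the portal as well; a token that fails the check grants more than the Read and List permissions this integration needs.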