Azure NSG Flow Logs


This guide assumes that Azure NSG flow logs are already enabled and written to an Azure Storage account. Two things are needed on top of that: an event webhook that notifies AlphaSOC whenever a new flow-log blob is written, and a SAS token that lets AlphaSOC read those blobs from the storage account.

Create Event webhook

Open the Storage accounts dashboard:

[Screenshot: Storage accounts dashboard]

Select the account where the flow logs are kept. In the example below, the account name is teststorageasoc. Then select Events in the account's menu.

[Screenshot: Events]

Create a new Event Subscription:

[Screenshot: New event]

When creating the new Event Subscription, set:

  1. Event Types to Blob Created only (deselect Blob Deleted and any other event types; AlphaSOC only needs to know about new flow-log blobs)
  2. Endpoint Type to Web Hook
  3. Endpoint to https://api.alphasoc.net/azure/importFromBlobStorage?access_token=TOKEN, where TOKEN is your AlphaSOC API token. To get your TOKEN, generate one in the AlphaSOC Console or contact support@alphasoc.com.

The access_token in the endpoint URL is a credential: it is stored in the Event Subscription's configuration, so restrict who can read the subscription and do not paste the full URL into tickets or chat.

[Screenshot: New event details]

Generate a SAS Token

  1. Open the Storage accounts dashboard and select the same storage account
  2. Select Shared access signature and use the following settings:
    1. Allowed services: Blob
    2. Allowed resource types: Object
    3. Allowed permissions: Read, List
    4. Allowed protocols: HTTPS only (recommended; not shown in the screenshot)
  3. Set the expiry date to a reasonable value: the shortest lifetime you are prepared to renew, since an account SAS cannot be revoked on its own and only stops working when it expires or when the storage account key that signed it is regenerated
  4. Click Generate SAS and connection string
  5. Provide the generated SAS token and the storage account name to AlphaSOC

Note which key (key1 or key2) the token was signed with, so that rotating the other key does not break the integration and rotating that key can be used to revoke the token if it is ever exposed. If AlphaSOC reports that it cannot list blobs, be aware that in an account SAS the List permission only applies to container-level operations, so listing requires Container to be among the allowed resource types in addition to Object.

[Screenshot: SAS Token settings]
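Before handing a SAS token to a third party, it is worth checking that the token actually carries the least-privilege settings described above rather than trusting that the right boxes were ticked. The script below is an added example, not AlphaSOC's or Azure's code: it parses the query-string parameters of an account SAS (ss, srt, sp, spr, se, sig) and reports anything that exceeds the policy on this page. The 90-day maximum lifetime is an assumption (the page only says "reasonable"), and the two sample tokens are constructed with fake signatures.

```python
"""Sanity-check an Azure account SAS token against a least-privilege policy.

Added example (not AlphaSOC or Azure code). It inspects the token's
query parameters and flags anything broader than: Blob service only,
Object resource type, Read and List permissions, HTTPS only, and a
short expiry. The sample tokens below are constructed; the signatures
are not valid and the tokens cannot be used against any account.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs

# Policy derived from the SAS settings on this page.
ALLOWED_SERVICES = {"b"}          # ss=b   -> Blob only (f, q, t would add File, Queue, Table)
ALLOWED_PERMISSIONS = {"r", "l"}  # sp=rl  -> Read and List only
MAX_LIFETIME_DAYS = 90            # assumption: the page only says "reasonable"

# Constructed sample tokens (fake signatures).
GOOD_SAS = "sv=2022-11-02&ss=b&srt=o&sp=rl&se=2025-02-01T00:00:00Z&spr=https&sig=FAKE"
BAD_SAS = "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKE"


def parse_sas(sas: str) -> dict:
    """Return the SAS parameters as a dict; accepts a bare token or a full URL."""
    query = sas.split("?", 1)[-1]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps Azure uses (2025-01-31T00:00:00Z or 2025-01-31)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_sas(sas: str, now: Optional[datetime] = None) -> list:
    """Return a list of 'CODE: message' findings; an empty list means the token meets the policy."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(sas)
    findings = []

    if "sig" not in p:
        findings.append("NOSIG: no 'sig' parameter, this is not a SAS token")

    extra_services = set(p.get("ss", "")) - ALLOWED_SERVICES
    if extra_services:
        findings.append(f"SERVICES: grants services beyond Blob: {sorted(extra_services)}")

    rtypes = set(p.get("srt", ""))
    if "s" in rtypes:
        # Service-level resource type permits account-wide operations such as listing containers.
        findings.append("RESOURCE: 's' (Service) allows service-level operations")
    if "o" not in rtypes:
        findings.append("RESOURCE: 'o' (Object) missing, individual blobs cannot be read")

    extra_perms = set(p.get("sp", "")) - ALLOWED_PERMISSIONS
    if extra_perms:
        findings.append(f"PERMS: grants more than Read/List: {sorted(extra_perms)}")

    if p.get("spr") != "https":
        findings.append("PROTO: token is not restricted to HTTPS (expected spr=https)")

    if "se" not in p:
        findings.append("EXPIRY: no expiry (se) parameter")
    else:
        expiry = parse_time(p["se"])
        if expiry <= now:
            findings.append("EXPIRY: token has already expired")
        elif expiry - now > timedelta(days=MAX_LIFETIME_DAYS):
            findings.append(f"EXPIRY: lifetime exceeds {MAX_LIFETIME_DAYS} days")

    return findings


if __name__ == "__main__":
    for label, token in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        result = check_sas(token)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it with the token you are about to send (as the argument to check_sas, or by replacing GOOD_SAS); an empty finding list is what you want to see before the token leaves your hands. The check is purely syntactic, so it cannot tell whether the signature is valid or which account key signed it.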