Retrieving Log Data from Azure

Overview

Use these steps to configure your Azure environment so that TOS Aurora can collect traffic log information for both Azure Firewalls and Azure Virtual Networks (through NSG flow logs).

In addition to this configuration in Azure, you must select the Usage Analysis check box when adding the device in TOS Aurora.

Note: For Azure devices added to TOS Aurora before version R24-1, edit the device configuration and select this check box manually. From version R24-1 onward, the check box is selected by default when you add an Azure device.

Configure Azure

Use this procedure in your Azure account to define settings and permissions for TOS Aurora to retrieve data.

  1. Verify NSG Flow logs configuration: Flow logs must be enabled on the relevant Network Security Groups (NSGs).

    In the Network Security Group (NSG) page:

    1. Select the NSG.

    2. Select Monitoring > NSG flow logs.

    3. Verify that the Resource group, Storage Account, and Subscription values are configured.

    TOS Aurora supports flow logs version 1 and version 2. Version 2 adds a flow state and byte/packet counters to each flow tuple; both versions carry the rule name and timestamp that last-hit analysis needs.

  2. Grant TOS Aurora access to the storage account that holds the flow logs: Azure writes flow logs to the storage account selected in the flow log configuration, and TOS Aurora reads them from there.

    In the Storage Accounts page:

    1. Select the storage account.

    2. Click Access Control (IAM).

    3. Under the Role assignments tab, verify that the identity TOS Aurora authenticates with (the tufin app registration's service principal) has the following roles assigned at the scope of this storage account (not at the subscription level, to keep the grant to the minimum needed):

      • Storage Blob Data Contributor

      • Storage Queue Data Contributor

    4. Select Data Storage > Containers.

    5. Verify that the insights-logs-networksecuritygroupflowevent container exists. Azure creates this container when the first flow log record is written, so if it is missing, flow logs are either not enabled or have not yet produced data.

  3. Configure Azure Firewall diagnostic logging:

    Note: TOS Aurora supports network rules and application rules only; NAT (DNAT) rules are not analyzed.

    1. In the Firewall page for your account, select Monitoring > Diagnostic settings.

    2. Click Add diagnostic setting.

    3. In the Diagnostic setting page:

      1. In the Logs > Categories section, select Azure Firewall Network Rule and Azure Firewall Application Rule.

      2. In the Destination details section:

        • Select Send to Log Analytics workspace.

        • Select the Subscription and the Log Analytics workspace from the corresponding lists.

        • In Access Control (IAM) for the workspace, ensure that the tufin app registration has permission to query the Log Analytics workspace (at minimum a role that allows reading query results, such as the built-in Log Analytics Reader role).

        • For the Destination table, select Azure diagnostics. The logs are then written to the legacy AzureDiagnostics table; the resource-specific tables are not used by this procedure.
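To make concrete what TOS Aurora derives from the two log sources configured above, the following is an added example written for this page (not TOS Aurora or Tufin code). It parses a constructed NSG flow-log blob in each supported version (1 and 2) and a few constructed AzureDiagnostics rows for Azure Firewall network and application rules, and computes the latest hit time per rule, which is what a Last Hit value is built from. The sample data, the exact wording of the msg_s field, and the function names are assumptions.

```python
"""Per-rule last-hit times from NSG flow logs and Azure Firewall diagnostics.

Added example for this page; not TOS Aurora code. All sample data is constructed.
"""
import json
import re
from datetime import datetime, timezone

# Constructed NSG flow-log blob, version 2 (the format Azure writes under the
# insights-logs-networksecuritygroupflowevent container). Tuple fields:
# unixtime,srcIP,dstIP,srcPort,dstPort,proto,direction,decision,state,
# packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
NSG_FLOW_LOG_V2 = json.dumps({"records": [{
    "time": "2024-05-01T12:01:05.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https-in", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714564800,203.0.113.7,10.5.16.4,51234,443,T,I,A,B,,,,",
            "1714564860,203.0.113.7,10.5.16.4,51234,443,T,I,A,E,12,3456,10,2048"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714564700,198.51.100.9,10.5.16.4,40000,22,T,I,D,B,,,,"]}]},
    ]}}]})

# Constructed version 1 blob: tuples stop after the decision field.
NSG_FLOW_LOG_V1 = json.dumps({"records": [{
    "time": "2024-05-01T11:00:10.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/APP-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "UserRule_allow-app-out", "flows": [{"mac": "000D3AF87857", "flowTuples": [
            "1714561200,10.5.16.4,10.5.16.5,33000,8080,T,O,A"]}]},
    ]}}]})

TUPLE_FIELDS = {1: 8, 2: 13}  # fields per flow tuple in each supported version


def nsg_last_hit(blob_text: str) -> dict[str, datetime]:
    """Return {NSG rule name: latest flow time (UTC)} for one flow-log blob."""
    last: dict[str, datetime] = {}
    for record in json.loads(blob_text)["records"]:
        props = record["properties"]
        version = int(props.get("Version", 1))
        if version not in TUPLE_FIELDS:
            raise ValueError(f"unsupported flow log version {version}")
        for rule_entry in props["flows"]:
            rule = rule_entry["rule"]
            for flow in rule_entry["flows"]:
                for tup in flow["flowTuples"]:
                    fields = tup.split(",")
                    if len(fields) != TUPLE_FIELDS[version]:
                        raise ValueError(f"malformed v{version} tuple: {tup!r}")
                    # Field 0 is the flow's unix time; allowed and denied flows both
                    # count as a hit on the rule that made the decision.
                    ts = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
                    if rule not in last or ts > last[rule]:
                        last[rule] = ts
    return last


# Constructed AzureDiagnostics rows as a Log Analytics query would return them
# (only the columns used here). The msg_s wording follows the legacy "Azure
# diagnostics" table format and is an assumption; check it against your own
# workspace before relying on the regex below.
FIREWALL_ROWS = [
    {"TimeGenerated": "2024-05-01T11:58:00Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 10.5.16.4:48212 to 10.6.0.10:1433. Action: Allow. "
              "Rule Collection: rc-db. Rule: allow-sql"},
    {"TimeGenerated": "2024-05-01T12:03:10Z", "Category": "AzureFirewallApplicationRule",
     "msg_s": "HTTPS request from 10.5.16.4:50110 to updates.example.com:443. Action: Allow. "
              "Rule Collection: rc-web. Rule: allow-updates"},
    {"TimeGenerated": "2024-05-01T12:05:00Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "TCP request from 198.51.100.9:40001 to 10.6.0.10:3389. Action: Deny. "
              "No rule matched. Proceeding with default action"},
    {"TimeGenerated": "2024-05-01T12:04:00Z", "Category": "AzureFirewallNetworkRule",
     "msg_s": "UDP request from 10.5.16.4:5353 to 10.6.0.10:53. Action: Allow. "
              "Rule Collection: rc-db. Rule: allow-sql"},
    {"TimeGenerated": "2024-05-01T12:06:00Z", "Category": "AzureFirewallDnsProxy",
     "msg_s": "DNS Request: 10.5.16.4:5353 - 1 - A - example.com"},
]

SUPPORTED_CATEGORIES = {"AzureFirewallNetworkRule", "AzureFirewallApplicationRule"}
RULE_RE = re.compile(r"Action: (?P<action>\w+)\..*?Rule Collection: (?P<collection>[^.]+)\. "
                     r"Rule: (?P<rule>.+?)\.?$")


def firewall_last_hit(rows: list[dict]) -> dict[str, datetime]:
    """Return {"collection/rule": latest TimeGenerated (UTC)} for matched rules."""
    last: dict[str, datetime] = {}
    for row in rows:
        if row["Category"] not in SUPPORTED_CATEGORIES:  # only network/application rules
            continue
        m = RULE_RE.search(row["msg_s"])
        if m is None:  # default-action denies name no rule, so there is nothing to credit
            continue
        key = f"{m['collection']}/{m['rule']}"
        ts = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


if __name__ == "__main__":
    for source in (NSG_FLOW_LOG_V2, NSG_FLOW_LOG_V1):
        for rule, ts in nsg_last_hit(source).items():
            print(f"NSG  {rule:<28} last hit {ts.isoformat()}")
    for rule, ts in firewall_last_hit(FIREWALL_ROWS).items():
        print(f"AZFW {rule:<28} last hit {ts.isoformat()}")
```

Run it directly to print one line per rule. In practice the blobs come from the insights-logs-networksecuritygroupflowevent container and the rows from a query against the AzureDiagnostics table restricted to the two supported categories; a deny that matched no rule produces a log row but no rule hit, which is why such rows are skipped rather than credited to a default rule.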

After Azure is configured to allow TOS Aurora to pull traffic information, you can run a TQL query on timeLastHit in the Rule Viewer to see the Last Hit date of each rule.

You can also schedule and run the Rule Analytics report and the Security Best Practices reports in SecureTrack Reporting Essentials to identify unused Azure rules.

Note: After this configuration, it takes one day for TOS Aurora to collect Azure information.