Configuring Azure to Send Log Data to TOS

Overview

Use these steps to configure your Azure environment so that TOS Aurora can collect traffic log information for both Azure Firewalls and Azure Virtual Networks.

Prerequisites

Add an Azure device to SecureTrack with at least one of the following enabled:

  • Collect traffic logs for rule usage analysis: Selected by default, from R24-1. Supported for Azure Firewall and NSG.

  • Collect traffic logs for object usage analysis: Selected by default, from R24-2. Supported for NSG only.

Usage collection is not supported when an Azure subscription is monitored on a remote collector.

To adjust the configuration of devices already monitored in SecureTrack, see Configure a Monitored Device > Edit configuration.

Configure Azure

Note: After this configuration, it takes one day for TOS Aurora to collect Azure information.

Use this procedure in your Azure account to define settings and permissions for TOS Aurora to retrieve data.

  1. Verify NSG Flow logs configuration: Flow logs must be enabled on the relevant Network Security Groups (NSGs).

    In the Network Security Group (NSG) page:

    1. Select the NSG.

    2. Select Monitoring > NSG flow logs.

    3. Verify that the Resource group, Storage Account, and Subscription values are configured.

    TOS Aurora supports flow logs version 1 and version 2.

  2. Grant TOS Aurora access to a storage account to pull usage logs: Flow logs must be saved to a storage account.

    In the Storage Accounts page:

    1. Select the storage account.

    2. Click Access Control (IAM).

    3. Under the Role assignments tab, verify that TOS Aurora has permissions for the following:

      • Storage Blob Data Contributor

      • Storage Queue Data Contributor

    4. Select Data Storage > Containers.

    5. Verify that the insights-logs-networksecuritygroupflowevent event directory exists.

  3. Firewall: Configure the firewall:

    Note: TOS Aurora supports network rules and application rules only.

    1. In the Firewall page for your account, select Monitoring > Diagnostic settings.

    2. Click Add diagnostic setting.

    3. In the Diagnostic setting page:

      1. In the Logs > Categories section, select Azure Firewall Network Rule and Azure Firewall Application Rule.

      2. In the Destination details section:

        • Select Send to Log Analytics workspace.

        • Select the Subscription and the Log Analytics workspace from the corresponding lists.

        • Under Access Control (IAM), ensure that the tufin app has permission to access the Log Analytics workspace.

        • For the Destination table, select Azure diagnostics.
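The three steps above are manual portal checks. The following script is an added example, not Tufin's or Microsoft's code, that performs the same verification offline against the JSON the Azure CLI prints: role assignments on the storage account (step 2), the NSG flow-log configuration and its container (steps 1 and 2), and the firewall diagnostic setting (step 3). The embedded JSON samples are constructed to resemble `az role assignment list`, `az network watcher flow-log show` and `az monitor diagnostic-settings show` output; the principal name `tufin-app`, the resource names and the subscription id placeholder are assumptions. The list of over-broad roles is a least-privilege check added here, not a TOS requirement.

```python
"""Offline checker for the Azure settings TOS Aurora needs (added example, not vendor code)."""
import json

# Roles the procedure requires on the storage account that holds NSG flow logs.
REQUIRED_STORAGE_ROLES = {"Storage Blob Data Contributor", "Storage Queue Data Contributor"}
# Roles far broader than log reading; flagged so the app stays least-privilege (added check).
OVERBROAD_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}
# Azure Firewall log categories the procedure asks you to enable.
REQUIRED_FIREWALL_CATEGORIES = {"AzureFirewallNetworkRule", "AzureFirewallApplicationRule"}
SUPPORTED_FLOW_LOG_VERSIONS = {1, 2}
FLOW_LOG_CONTAINER = "insights-logs-networksecuritygroupflowevent"

# Constructed sample: shape of `az role assignment list --scope <storage-account-id> -o json`.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalName": "tufin-app", "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Storage/storageAccounts/stflowlogs"},
  {"principalName": "tufin-app", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/<sub-id>"},
  {"principalName": "ops-admin", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/<sub-id>"}
]"""

# Constructed sample: shape of `az network watcher flow-log show -o json` for one NSG.
FLOW_LOG_JSON = """{
  "enabled": true,
  "storageId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Storage/storageAccounts/stflowlogs",
  "targetResourceId": "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
  "format": {"type": "JSON", "version": 2}
}"""
# Constructed sample: container names listed under Data storage > Containers.
CONTAINERS = ["insights-logs-networksecuritygroupflowevent", "backups"]

# Constructed sample: shape of `az monitor diagnostic-settings show -o json` on the firewall.
DIAG_SETTING_JSON = """{
  "name": "tos-aurora",
  "logs": [
    {"category": "AzureFirewallNetworkRule", "enabled": true},
    {"category": "AzureFirewallApplicationRule", "enabled": false},
    {"category": "AzureFirewallDnsProxy", "enabled": false}
  ],
  "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-log/providers/Microsoft.OperationalInsights/workspaces/law-sec",
  "logAnalyticsDestinationType": "AzureDiagnostics"
}"""


def check_storage_roles(assignments, principal_name):
    """Return (missing, overbroad) role-name sets for one principal (step 2.3)."""
    held = {a["roleDefinitionName"] for a in assignments if a.get("principalName") == principal_name}
    return REQUIRED_STORAGE_ROLES - held, held & OVERBROAD_ROLES


def check_flow_log(flow_log, containers):
    """Return a list of problems with an NSG flow-log configuration (steps 1 and 2.5)."""
    problems = []
    if not flow_log.get("enabled"):
        problems.append("flow logs disabled")
    if not flow_log.get("storageId"):
        problems.append("no storage account configured")
    version = flow_log.get("format", {}).get("version")
    if version not in SUPPORTED_FLOW_LOG_VERSIONS:
        problems.append(f"unsupported flow log version {version!r}")
    if FLOW_LOG_CONTAINER not in containers:
        problems.append(f"container {FLOW_LOG_CONTAINER} missing")
    return problems


def check_diagnostic_setting(setting):
    """Return a list of problems with an Azure Firewall diagnostic setting (step 3)."""
    problems = []
    enabled = {log["category"] for log in setting.get("logs", []) if log.get("enabled")}
    for category in sorted(REQUIRED_FIREWALL_CATEGORIES - enabled):
        problems.append(f"category {category} not enabled")
    if not setting.get("workspaceId"):
        problems.append("no Log Analytics workspace destination")
    # An absent destination type means the default AzureDiagnostics table.
    if setting.get("logAnalyticsDestinationType", "AzureDiagnostics") != "AzureDiagnostics":
        problems.append("destination table is not AzureDiagnostics")
    return problems


def run_checks(principal_name="tufin-app"):
    """Run all three checks over the embedded samples and return the findings."""
    missing, overbroad = check_storage_roles(json.loads(ROLE_ASSIGNMENTS_JSON), principal_name)
    return {
        "missing_storage_roles": missing,
        "overbroad_storage_roles": overbroad,
        "flow_log_problems": check_flow_log(json.loads(FLOW_LOG_JSON), CONTAINERS),
        "diagnostic_problems": check_diagnostic_setting(json.loads(DIAG_SETTING_JSON)),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding or 'OK'}")
```

Against the constructed samples the script reports that the app lacks Storage Queue Data Contributor and instead holds a subscription-wide Contributor role, and that the Azure Firewall Application Rule category is not enabled; the flow-log configuration passes. To use it on a real tenant, replace the embedded strings with the output of the corresponding `az ... -o json` commands.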

After configuring Azure to allow TOS Aurora to pull traffic information, you can use TQL queries in the Rule Viewer (timeLastHit) to see the Last Hit date.