Monitoring Microsoft Azure

Overview

TOS monitors Microsoft Azure® Public Cloud and Azure Government for policy revision changes.

To monitor Azure, you must complete three setup tasks in the Azure portal:

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

Classic rules are firewall rules that are configured directly on the device and are not part of Azure Firewall policies. These rules are not supported.

Prerequisites

The following values and permissions are required to add a Microsoft Azure device in TOS:

Subscription ID: The ID of your Azure subscription. How to find it
Directory ID (Tenant ID): The ID of your Azure Active Directory tenant. How to find it
Application (Client) ID and App Secret: Both are generated when you register an app in Microsoft Entra ID. Registration and authentication steps

These tasks are required in Azure: Register an app, create a role, and assign the role.

Roles and Permissions

Permissions in Azure are assigned through roles. You can either create a custom role to define the required permissions or use an existing role.

To create a custom role, see the Microsoft documentation: Create or update Azure custom roles.

When assigning the role, set the scope at the level of the subscription or resource group that you want TOS to monitor. Permissions set at a higher level (for example, subscription) are inherited by lower levels (for example, resource groups).

General Azure Monitoring

Use the following permission blocks based on the features you want to enable:

Visibility and Basic Path Analysis

These permissions allow SecureTrack to collect details from key Azure components, including virtual networks (VNETs) and network security groups (NSGs), as well as virtual machines, interfaces, and subnets.

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/virtualNetworks/read
Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/locations/operationResults/read
Microsoft.network/virtualnetworkgateways/connections/read
Microsoft.Network/routeTables/read
Microsoft.Network/vpnGateways/read
Microsoft.Network/virtualNetworks/subnets/read 
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read

Advanced Path Analysis

These permissions allow SecureTrack to retrieve network topology data used to build the network map and perform path analysis.

VPN and Virtual Gateways

Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualnetworkgateways/getlearnedroutes/action
Microsoft.Network/localnetworkgateways/read
Microsoft.Network/connections/read 
Microsoft.Network/vpnsites/read
Microsoft.network/vpnGateways/vpnConnections/read

Internal Load Balancer

Microsoft.Network/loadBalancers/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read

ExpressRoute

Microsoft.Network/expressRouteCircuits/read
Microsoft.Network/expressRouteCircuits/peerings/read
Microsoft.Network/expressRouteCircuits/peerings/write
Microsoft.Network/expressRouteCircuits/peerings/routeTables/read
Microsoft.Network/expressRouteGateways/read
Microsoft.Network/expressRouteGateways/expressRouteConnections/read

Write permissions are required only because of how the Azure API provides routing tables. TOS does not create or change routes.

Virtual WAN

Microsoft.Network/virtualHubs/read
Microsoft.Network/virtualHubs/routingIntent/read
Microsoft.Network/virtualWans/read
Microsoft.Network/virtualHubs/hubRouteTables/read
Microsoft.Network/virtualHubs/effectiveRoutes/action
Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read
Microsoft.Network/virtualHubs/bgpConnections/read

Rule and Object Usage Analysis

These permissions enable SecureTrack to analyze flow log data and identify the last hit date for NSG rules and the objects used in those rules.

Microsoft.Network/networkWatchers/read
Microsoft.Network/networkWatchers/flowLogs/read
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Azure Firewall Monitoring

These permissions apply specifically to Azure Firewall and its related policy and diagnostic components.

Visibility and Path Analysis

These permissions allow SecureTrack to collect topology and policy details from Azure Firewall Standard and Premium policies.

Microsoft.Network/ipGroups/read
Microsoft.Network/firewallPolicies/read
Microsoft.Network/azurefirewalls/read
Microsoft.Network/firewallPolicies/ruleCollectionGroups/read

Rule Usage Analysis

These permissions enable SecureTrack to analyze flow log data and identify the last hit date for Azure Firewall policy rules.

Microsoft.OperationalInsights/workspaces/read
Microsoft.Network/azureFirewalls/providers/Microsoft.Insights/DiagnosticSettings/Read

Add a Device

Use the wizard to add a Microsoft Azure device so TOS can monitor it.

Select Azure.
Configure the device settings:
- Name for Display: Enter a name to identify the device.
- Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.
- ST server: In a distributed deployment, select which TOS cluster monitors this device.
- Usage Analysis:
  - Collect traffic logs for rule usage analysis: Selected by default, from R24-1. Supported for Azure Firewall and NSG.
  - Collect traffic logs for object usage analysis: Selected by default, from R24-2. Supported for NSG only.
  Usage collection is not supported when Azure subscription is monitored on a remote collector.
  Enabling Usage Analysis requires additional configuration in Azure. See Configuring Azure to Send Log Data to TOS.
- Enable Topology: Collects routing information for building the network Map.
Click Next.
Configure the TOS connection to the Microsoft Azure device according to the parameters required by the device. See Prerequisites for details.

For proxy server connections, select Proxy and enter the https/http proxy server and port. Username and password are optional.
Click Next.
Select Monitoring Settings and Periodic Polling.
- Monitoring Settings
  - To use timing settings from the Timing page, select Default.
  - To use custom monitoring, select Custom and configure the monitoring mode and settings.
- Periodic Polling
  - To use the timing page settings, select Use timing page settings (Monitoring > Timing).
  - To define a custom interval, select Custom settings and configure the Polling frequency. If you select 1 day, you can then set the exact time (hour and minute) for daily polling.
Click Next.
Save the configuration.

The Microsoft Azure device now appears in the Monitored Devices tree.
Choose the next step:
- Import Azure Virtual Networks
- Import Azure Load Balancers
- Import Azure Firewall Policies
- Import Azure Virtual WAN
- Add another Microsoft Azure
Importing Virtual Networks requires that the vnet has at least one VNIC.
Click Done.

Configure a Monitored Device

After you add a device, you can configure or manage it from the Monitored Devices tree. Options vary depending on your environment.

The following example shows configuration options for an Azure device. Options vary depending on the device type.

Edit configuration: Open the wizard to modify device settings. See Add a Device.
Delete this device: Type yes to confirm deletion.
Import Azure Virtual Networks: Select the virtual networks to add.
Import Azure Load Balancers: Select the load balancers to add.
Import Azure Firewall Policies: Select the firewall policies to add.
Import Azure Virtual WAN: Select the virtual WANs and virtual hubs to add.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices