Data Connector built for Azure Network Security Groups

The document outlines the setup process for a Data Connector built for Microsoft Azure Network Security Groups, allowing for the ingestion of diagnostic logs for analysis and threat detection. It details the requirements, configuration steps, and verification processes necessary to successfully integrate Azure logs into the Falcon Next-Gen SIEM. Key steps include registering a Microsoft application, creating Event Hubs, and configuring the Data Connector within the Falcon console.

24/1/25, 2:19 p.m.

Data Connector built for Azure Network Security Groups | Next-Gen SIEM Third-Party Integrations | Third-Party Integration an…

Data Connector built for Azure Network Security Groups
Last updated: Oct. 30, 2024

Overview
Easily ingest Microsoft Azure Network Security Groups diagnostic logs for further analysis, threat detection and investigation. These logs provide detailed insights into network traffic, including source/destination IPs, ports, and actions taken.

Requirements
Subscription: Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB.

Default roles:

Falcon Administrator

Connector Manager

CrowdStrike clouds: Available in US-1, US-2, EU-1, and US-GOV-1.

Additional requirements:

Your environment must include a functioning deployment of Microsoft Azure Network Security Groups

You must have an active subscription to Microsoft Event Hubs

Global Administrator or Security Administrator access to the Microsoft 365 Azure and Defender portals

Administrator access to the Falcon console for the respective CID

Access to the Data Connector built for Microsoft Azure Network Security Groups app in the CrowdStrike Store

Note: If the app is not available, contact your sales engineer to have it enabled or provisioned.

Configuring data ingestion for Microsoft Azure Network Security Groups through Event Hubs
Set up data ingestion for Microsoft Azure Network Security Groups through Event Hubs and the data connector in the Falcon console. For more info, see the Microsoft Azure Event Hubs [https://learn.microsoft.com/en-us/azure/event-hubs/] documentation.

Important: Some of these steps are performed in third-party products. CrowdStrike does not validate any third-party configurations in customer environments. Perform the following steps with care, and validate your settings and values before finalizing configurations in the Falcon console.

Configuration Summary
Step 1: Register Microsoft application and generate secret [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#m55db750]

Step 2: Create Event Hubs [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#h6aa7e09]

Step 3: Save the namespace Essentials ID value [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#kfd6744b]

Step 4: Configure Event Hubs and Network Security Groups [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#f0fdf1d7]

Step 5: Verify successful Event Hubs configuration [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#a04cf669]

https://falcon.us-2.crowdstrike.com/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups 1/5

Step 6: Configure and activate the Data Connector built for Microsoft Azure Network Security Groups [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#ufd0c2b0]

Step 7: Verify successful data ingestion [/documentation/page/k1116054/data-connector-built-for-azure-network-security-groups#m9ce9631]

Step 1: Register Microsoft application and generate secret


Register your Microsoft application in the administration interface for your Microsoft 365 instance and generate a client secret.

1. In the Microsoft Azure portal, go to Microsoft Entra ID > App registrations.

2. Click New Registration.

3. In Register an application, enter this info:

Name: Enter an application name, for example, CrowdStrike NG-SIEM - MS Azure NSG Event Hub Stream. Save this Application Name to enter in a later step.

Supported account types: Select Accounts in this organizational directory only (Crowdstrike only - Single tenant).

4. Click Register.

5. In Overview, save the Application (client) ID and Directory (tenant) ID values.

Note: This info is used later to configure the Data Connector built for Microsoft Azure Network Security Groups.

6. In Client credentials, click Add a certificate or secret.

7. Click Client secrets.

8. Click New client secret.

9. Enter a description and the expiration interval.

Note: The expiration interval is based on your environment and determines how often the client secret needs to be regenerated.

10. Click Add.

Important: Save the client secret in the Value field somewhere safe as it is sensitive info displayed only once and required later to configure the Data Connector built for Microsoft Azure Network Security Groups.

Step 2: Create Event Hubs


Create Event Hubs in the administration interface of your Microsoft 365 instance.

1. Click Event Hubs in the Services section of the Microsoft Azure services portal page.
The Event Hubs page opens.

2. Click Create.

3. In Create Namespace (Event Hubs), enter the following info:

a. In the Basics tab:

Subscription: Select your Azure subscription.

Resource Group: Click Create new, enter a Name for this resource group, and then click OK.

Namespace name: Enter a unique name.

Note: Save this Event Hubs Namespace name to enter in a later step.

Location: Select the nearest location to you.

Pricing Tier: Select a plan.

Note: The Microsoft Basic pricing tier does not allow Microsoft Azure Network Security Groups events.

Throughput Units: Select the number of units. For more info, see Microsoft's documentation on throughput units [https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#throughput-units].


Optional. Enable Auto-inflate: If you want to automatically scale up the number of throughput units to meet your usage needs, select this checkbox.

b. In the Advanced tab:

Minimum TLS version: Select Version 1.2.

Local Authentication: Select Enabled.

c. In the Networking tab:

Connectivity method: Select Public access.

d. In the Tags tab, add tags as needed.

e. In the Review + create tab:

Review the namespace details

Confirm the Validation succeeded message

Click Create.

4. In Next steps, click Go to resource.

5. Click + Event Hub.

6. In the Event Hub page, in the Basics tab, enter the following info:

a. Name: Enter a name. Save this Event Hub Name to enter in a later step.

b. Partition count: Select the number of partitions. For more info, see Microsoft's documentation on partitions [https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#partitions].

c. Cleanup policy: Select Delete.

d. Retention time (hrs): Enter the number of hours. For more info, see Microsoft's documentation on the maximum retention period for events [https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-is-the-maximum-retention-period-for-events-].

7. Click Review + create.

8. After the Validation succeeded message appears, click Create.

9. In Event hubs, click the Event hub that you created earlier.

10. Click Access control (IAM).

11. Click Add role assignment.

a. Search for Azure Event Hubs Data Receiver.

b. Select Azure Event Hubs Data Receiver.

c. Click Next.

d. Click + Select Members.

e. Search for the Application Name value that you saved earlier in Step 1.

f. Select the Application Name.

g. Click Select.

h. Click Review + assign.

i. Click Review + assign.

12. In the Role assignments tab, confirm that the new role assignment is listed.

Step 3: Save the namespace Essentials ID value


Save the Essentials Id value for your new namespace in the administration interface for your Microsoft 365 instance.


1. Log in to the Microsoft Azure portal as a Global Administrator or Security Administrator, and then click Event Hubs.

2. Click your new Event Hubs namespace that you created in Step 2.

3. Click Properties.

4. Save the Essentials Id value to enter in a later step.

Step 4: Configure Event Hubs and Network Security Groups


Configure Event Hubs and Azure Network Security Groups in the administration interface for your instance of Microsoft Azure:

1. Click Network Security Groups in the Services section of the Microsoft Azure services portal page.
The Network security groups page opens and shows a list of available network security groups.

2. Click the Network security group for which you want to ingest logs into Falcon.

3. Click Diagnostic settings in the Monitoring section of the left navigation pane.

4. Click + Add diagnostic setting.

5. Enter a name in the Diagnostic setting name field.

6. Check allLogs in the Logs section under Category groups.

7. Check Stream to an event hub in the Destination Details section.

8. Select the following information:

Subscription

Event hub namespace that you saved earlier.

Event hub name that you saved earlier.

Event hub policy name as RootManageSharedAccessKey

9. Click Save.

Step 5: Verify successful Event Hubs configuration


Verify that Microsoft Azure Network Security Groups is streaming data to the configured Event Hubs successfully:

1. Log in to the Microsoft Azure portal as a Global Administrator or Security Administrator, and then click Event Hubs.

2. Click your new Event Hubs namespace that you created in Step 2.

3. On the created Event Hubs Namespace page, verify successful Event Hub configuration with incoming data statistics in the Messages chart.

Step 6: Configure and activate the Data Connector built for Microsoft Azure Network Security Groups

Follow these steps to configure the Microsoft Azure Network Security Groups Data Connector application:

1. In the Falcon console, go to Next-Gen SIEM > Log management > Data onboarding [/data-connectors]

Note: You can also go to Data connectors > Data connectors > Data sources [/data-connectors]

2. Click Data Connector built for Microsoft Azure Network Security Groups.

3. Click Manage configurations.

4. Click Add configuration.

5. Enter the following values:

Name: Enter a name for your configuration.


EventHub Name: Enter the Event Hub Name value that you saved earlier.

EventHub Namespace: Enter the Event Hubs Namespace name that you created earlier.

Client ID: Enter the Application (Client) ID value that you saved earlier.

Tenant ID: Enter the Directory (Tenant) ID value that you saved earlier.

Client Secret: Enter the client secret Value that you saved earlier.

6. Click Save configuration.

7. In the Data connector configuration field, select the EventHub configuration you just created.

8. In the Connector name field, enter a name for your connector.


Optional. Enter a Description for the connector.

9. Review and agree to the terms and conditions.

10. Click Save.

Step 7: Verify successful data ingestion


Important: Before verifying successful data ingestion, wait at least 15 minutes after setup to allow initial event data to be generated. Search results aren't generated until an applicable event occurs. If an event timestamp is greater than the retention period, the data is not visible in search. If you do not see the raw data after 15 minutes, the product may need more time.

Verify that data is being ingested and appears in Next-Gen SIEM search results:

1. Navigate to Data connectors > Data connectors > My connectors [/data-connectors/connectors].

2. After a few minutes, confirm that data ingestion for the connector is successful by verifying a timestamp exists in the Last ingested (UTC) column.

3. Go to Next-Gen SIEM > Log management > Advanced event search [/investigate/search].

4. Run a search for the data you ingested with this query, and confirm that at least one match is generated:

#repo = "microsoft_azure_network_security_group"
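As an added example (not part of the CrowdStrike documentation or the connector itself), the following parser reads one message of the kind the diagnostic setting from Step 4 writes to the Event Hub and produces the defender-side triage view the Overview describes (source, destination port, rule, action). The "records" envelope and the NetworkSecurityGroupEvent field names are assumed from Microsoft's published NSG diagnostic-log schema, and the sample message is constructed.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample of one Event Hub message body written by an Azure diagnostic
# setting: a JSON object whose "records" array holds the entries. Field names follow
# Microsoft's published NetworkSecurityGroupEvent schema (an assumption); values are made up.
NSG_ID = "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB"
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2025-01-24T14:19:00Z", "category": "NetworkSecurityGroupEvent", "resourceId": NSG_ID,
     "operationName": "NetworkSecurityGroupEvents",
     "properties": {"primaryIPv4Address": "10.3.0.4", "ruleName": "UserRule_allow-https",
                    "direction": "In", "priority": 100, "type": "allow",
                    "conditions": {"sourceIP": "0.0.0.0/0", "destinationIP": "10.3.0.4/32",
                                   "sourcePortRange": "0-65535", "destinationPortRange": "443"}}},
    {"time": "2025-01-24T14:19:05Z", "category": "NetworkSecurityGroupEvent", "resourceId": NSG_ID,
     "operationName": "NetworkSecurityGroupEvents",
     "properties": {"primaryIPv4Address": "10.3.0.4", "ruleName": "DefaultRule_DenyAllInBound",
                    "direction": "In", "priority": 65500, "type": "deny",
                    "conditions": {"sourceIP": "203.0.113.7/32", "destinationIP": "10.3.0.4/32",
                                   "sourcePortRange": "0-65535", "destinationPortRange": "3389"}}},
    # The allLogs category group also streams rule-counter records; the parser skips them.
    {"time": "2025-01-24T14:20:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"ruleName": "DefaultRule_DenyAllInBound", "matchedConnections": 17}},
]})


def parse_nsg_events(body: str) -> List[Dict[str, str]]:
    """Flatten the NetworkSecurityGroupEvent records in one Event Hub message."""
    events = []
    for rec in json.loads(body).get("records", []):
        if rec.get("category") != "NetworkSecurityGroupEvent":
            continue  # counters and other categories are not per-rule match events
        props = rec.get("properties", {})
        cond = props.get("conditions", {})
        events.append({
            "time": rec.get("time", ""),
            "nsg": rec.get("resourceId", "").rsplit("/", 1)[-1],  # last path segment
            "rule": props.get("ruleName", ""),
            "direction": props.get("direction", ""),
            "action": str(props.get("type", "")).lower(),  # "allow" or "deny"
            "src": cond.get("sourceIP", ""),
            "dport": cond.get("destinationPortRange", ""),
        })
    return events


def denied_inbound_by_source(events: List[Dict[str, str]]) -> Counter:
    """Count inbound denies per (source, destination port) for quick triage."""
    return Counter((e["src"], e["dport"]) for e in events
                   if e["action"] == "deny" and e["direction"] == "In")
```

Feed it the decoded body of each message received from the Event Hub (for instance while checking the Messages chart in Step 5) to confirm the stream carries the expected categories before relying on the Falcon search in Step 7.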
