Instructions for ingesting Azure NSG Flows

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.

The instructions given below are for:

  1. Enabling Network Watcher.
  2. Registering the Microsoft.Insights provider
  3. Enabling a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
  4. Path to find Storage account name and Storage account key
  5. Seceon GUI configuration

1. Enabling Network Watcher

If you already have a network watcher enabled in the East US region, skip to Register Insights provider.

  1. In the portal, select All services. In the Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.

  2. Select Regions, to expand it, and then select ... to the right of East US, as shown in the following picture:

Please note:

'US East' region is used as an example. Please use the region specific to the customer environment instead.

Enable Network Watcher

  1. Select Enable Network Watcher.

2. Registering Insights provider

NSG flow logging requires the Microsoft.Insights provider. To register the provider, complete the following steps:

  1. In the top, left corner of portal, select All services. In the Filter box, type Subscriptions. When Subscriptions appear in the search results, select it.

  2. From the list of subscriptions, select the subscription you want to enable the provider for.

  3. Select Resource providers, under SETTINGS.

  4. Confirm that the STATUS for the microsoft.insights provider is Registered, as shown in the picture that follows. If the status is Unregistered, then select Register, to the right of the provider.

    Register provider

3. Enabling a traffic flow log for an NSG, using Network Watcher's NSG flow log capability

  1. NSG flow log data is written to an Azure Storage account. To create an Azure Storage account, select + Create a resource at the top, left corner of the portal.

  2. Select Storage, then select Storage account - blob, file, table, queue.

  3. Enter, or select the following information, accept the remaining defaults, and then select Create.

    Name(Azure storage account name- Please make a note of it , it will be required while configuring the CCE )3-24 characters in length, can only contain lowercase letters and numbers, and must be unique across all Azure Storage accounts.
    LocationSelect East US
    Resource groupSelect Use existing, and then select myResourceGroup

    The storage account may take around minute to create. Don't continue with remaining steps until the storage account is created. If you use an existing storage account instead of creating one, ensure you select a storage account that has All networks (default) selected for Firewalls and virtual networks, under the SETTINGS for the storage account.


    While Microsoft.Insight and Microsoft.Network providers are currently supported as trusted Microsoft Services for Azure Storage, NSG Flow logs is still not fully onboarded. To enable NSG Flow logging, All Networks must still be selected until this feature is fully onboarded. 

  4. In the top, left corner of portal, select All services. In the Filter box, type Network Watcher. When Network Watcher appears in the search results, select it.

  5. Under LOGS, select NSG flow logs, as shown in the following picture:


  6. From the list of NSGs, select the NSG named myVm-nsg.

  7. Under Flow logs settings, select On.

  8. Select the flow logging version. Version 2 contains flow-session statistics (Bytes and Packets)

    Select flow Logs version

  9. Select the storage account that you created in step 3.

  10. Set Retention (days) to 5, and then select Save.

4. Path to find Storage account name and Storage account key

1)Search storage account and click on it

2)Click on the right Storage account which you have used for the flow configuration

3)Now search Access keys in search box and then click on it, after that we will get the 'Storage Account Name ' and 'Key' on the screen as shown in below snapshot.

4)Copy the Storage account name and storage key in notepad because we will need this information when we will provision on seceon SIEM.

5- Seceon GUI Configuration

Login on the GUI--->Provisioning----->Cloud Devices------→Azure Configuration-------->Azure NSG

Enter the required inputs and save.

Please note

We can provision multiple storage on GUI for the monitoring: SYNTEX-  name_1,name_2,name3, are example names used for storage accounts and key_1, key_2, key3.