Accenture MDR Quick Start Guide for Microsoft® Azure Network Security Groups (NSG)

This quick start guide will help Accenture MDR customers configure Microsoft® Azure Network Security Groups (NSG) to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Microsoft Azure NSG

  • Creating New Request for Monitoring

  • LCP Configuration Parameters

  • Legal Notice

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture Portal at https://mss.accenture.com/PortalNextGen/Reports/Documents.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source   Destination          Port          Description
LCP      Azure Blob storage   443 (https)   Default port

Configuring Microsoft Azure NSG

Microsoft NSG flow logging requires the Microsoft.Insights provider.

Note:

  1. Make sure that all the virtual machines that need to be monitored belong to Network Security Groups (NSGs) for which flow logging is enabled.

  2. MDR registration is based on the combination of subscription ID and storage account. In the case of multiple subscriptions, repeat all the steps below for each subscription.

Register Insight provider

To register the provider, complete the following steps:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. In the top-left corner of the portal, select All Services.

  3. Enter Subscriptions in the search bar.

  4. When Subscriptions appears in the search results, select the subscription for which you want to enable the provider.

  5. Select Resource providers under the SETTINGS tab.

  6. Make sure the STATUS of the microsoft.insights provider is Registered, as shown in the picture that follows. If the status is Unregistered, click Register, to the right of the provider.

Enable NSG Flow

  1. NSG flow log data is written to an Azure Storage account. It is recommended to create a separate Azure Storage account for flow logs, as this keeps the logging intact even if a resource group is deleted.

  2. Select + Create a resource in the top-left corner of the portal.

  3. Select Storage, then select Storage account - blob, file, table, queue.

  4. Fill in the following information, accept the remaining default values, and then select Create.

Setting: Name
Value: Default Value

Note:

  • The Name should contain only lower case letters and numbers.

  • Only 3 to 224 characters in length are allowed.

  • The Name should be unique across all Azure Storage accounts.

Setting: Location
Value: Select the region where your resources are located.

Setting: Resource Group
Value: Select an existing group or create a new one.

Note: We recommend keeping one that you do not intend to delete.

Note: 

  • The storage account may take around a minute to create. Don't continue with the remaining steps until the storage account is created. 

  • If you use an existing storage account instead of creating one, ensure you select a storage account that has All networks (default) selected for Firewalls and virtual networks, under the SETTINGS for the storage account.

  5. Once the storage account is created, go to All Services > Storage accounts.

  6. Select the storage account created above.

  7. Select Access Keys under the Settings tab and copy the key that you want to configure in the sensor.

  8. In the top-left corner of the portal, select All services.

  9. In the Search box, type Network Watcher. When Network Watcher appears in the search results, select it.

  10. Select NSG flow logs under LOGS, then select the subscription that needs to be monitored from the drop-down menu, as shown in the following picture:

  11. From the list of NSGs, select the NSG you want to enable for flow logging.

  12. Under Flow logs settings, set the status to On.

  13. Select the storage account that you created in step 3.

  14. Set Retention (days) to 3, and then select Save.

Note: In a setup with multiple NSGs, repeat steps 11-14 for each NSG, but make sure to select only one storage account for all of them.

  15. Once all of the above configuration is done, wait for some time, and then go to All Services > Storage accounts.

  16. Select the storage account used above and, under Blob Service, select Blobs.

  17. If everything is correctly configured and flow logs are arriving, you should see a container named insights-logs-networksecuritygroupflowevent inside the blob service.

  18. Click insights-logs-networksecuritygroupflowevent and traverse the folders resourceId= followed by SUBSCRIPTIONS.

  19. Inside SUBSCRIPTIONS you can see the subscription IDs that are sending flow logs to this storage account.

  20. Copy the subscription ID that you want to monitor. In the case of multiple subscriptions, provide all of them separately to MDR.
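The following POSIX shell script is an added example and is not part of the Accenture guide, nor Accenture's or Microsoft's own code. It performs the portal procedure above with the Azure CLI (provider registration, a dedicated storage account, the account key, flow logging on every NSG with the guide's 3-day retention, all NSGs writing to one storage account) and then does steps 18-20 as text processing: it cuts the subscription IDs and NSG names out of the blob paths in the insights-logs-networksecuritygroupflowevent container. The resource names, the "fl-" flow-log naming and the sample blob listing are assumptions or constructed; the script assumes `az` is installed and logged in. Without the `--apply` argument it only runs the offline part on the constructed listing.

```shell
#!/bin/sh
# Added example, not part of the Accenture guide: Azure CLI equivalent of the
# portal steps, plus an offline check of which subscriptions and NSGs are
# delivering flow logs. Assumes `az` is installed and logged in (`az login`).
# All resource names below are hypothetical placeholders; override them via
# environment variables for a real subscription.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-mdr-flowlogs}"                          # hypothetical
LOCATION="${LOCATION:-westeurope}"                                           # hypothetical
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mdrflowlogs01}"                          # hypothetical: lower case + digits
RETENTION_DAYS="${RETENTION_DAYS:-3}"                                        # value the guide specifies
CONTAINER="insights-logs-networksecuritygroupflowevent"                      # fixed container name from the guide

# "Register Insight provider", steps 1-6: make sure Microsoft.Insights is Registered.
register_insights_provider() {
  az account set --subscription "$SUBSCRIPTION_ID"
  state=$(az provider show --namespace Microsoft.Insights --query registrationState -o tsv)
  if [ "$state" != "Registered" ]; then
    az provider register --namespace Microsoft.Insights
  fi
}

# "Enable NSG Flow", steps 1-4: a dedicated storage account that survives
# deletion of application resource groups.
create_flowlog_storage() {
  az storage account create --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --sku Standard_LRS --kind StorageV2 -o none
}

# Steps 5-7: the access key that goes into the MDR request (handle it as a secret).
get_account_key() {
  az storage account keys list --account-name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --query "[0].value" -o tsv
}

# Steps 8-14: enable flow logging on every NSG in the subscription, all of them
# writing to the single storage account, with the guide's retention of 3 days.
# Network Watcher is regional, so each flow log uses its NSG's own location.
enable_flow_logs() {
  storage_id=$(az storage account show --name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --query id -o tsv)
  az network nsg list --query "[].[id,location]" -o tsv | while read -r nsg_id nsg_loc; do
    az network watcher flow-log create --location "$nsg_loc" \
      --name "fl-$(basename "$nsg_id")" --nsg "$nsg_id" \
      --storage-account "$storage_id" --enabled true --retention "$RETENTION_DAYS" -o none
  done
}

# Steps 15-17: list the blob names in the fixed container.
list_flowlog_blobs() {
  az storage blob list --account-name "$STORAGE_ACCOUNT" --account-key "$(get_account_key)" \
    --container-name "$CONTAINER" --query "[].name" -o tsv
}

# Steps 18-20 as text processing. Blob paths have the form
#   resourceId=/SUBSCRIPTIONS/<id>/RESOURCEGROUPS/<rg>/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<nsg>/y=.../PT1H.json
# so the subscription IDs and NSG names can be cut straight out of them.
subscription_ids_from_paths() {
  sed -n 's#^resourceId=/SUBSCRIPTIONS/\([^/]*\)/.*#\1#p' | sort -u
}
nsg_names_from_paths() {
  sed -n 's#.*/NETWORKSECURITYGROUPS/\([^/]*\)/.*#\1#p' | sort -u
}

# Constructed sample listing (two subscriptions, three NSGs) for the offline run.
SAMPLE_BLOB_PATHS='resourceId=/SUBSCRIPTIONS/22222222-2222-2222-2222-222222222222/RESOURCEGROUPS/RG-APP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB/y=2021/m=03/d=01/h=10/m=00/macAddress=000D3A000001/PT1H.json
resourceId=/SUBSCRIPTIONS/22222222-2222-2222-2222-222222222222/RESOURCEGROUPS/RG-APP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-DB/y=2021/m=03/d=01/h=10/m=00/macAddress=000D3A000002/PT1H.json
resourceId=/SUBSCRIPTIONS/11111111-1111-1111-1111-111111111111/RESOURCEGROUPS/RG-HUB/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-HUB/y=2021/m=03/d=01/h=11/m=00/macAddress=000D3A000003/PT1H.json
resourceId=/SUBSCRIPTIONS/22222222-2222-2222-2222-222222222222/RESOURCEGROUPS/RG-APP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB/y=2021/m=03/d=01/h=11/m=00/macAddress=000D3A000001/PT1H.json'

main() {
  register_insights_provider
  create_flowlog_storage
  enable_flow_logs
  echo "Subscriptions delivering flow logs to $STORAGE_ACCOUNT/$CONTAINER:"
  list_flowlog_blobs | subscription_ids_from_paths
}

if [ "${1:-}" = "--apply" ]; then
  main                                                               # talks to Azure
else
  printf '%s\n' "$SAMPLE_BLOB_PATHS" | subscription_ids_from_paths   # offline demo
fi
```

Run `sh nsg-flowlogs.sh` to see the subscription IDs extracted from the constructed listing, and `sh nsg-flowlogs.sh --apply` to apply the configuration to the subscription named in `SUBSCRIPTION_ID`. The subscription IDs and the account key printed by `get_account_key` are exactly the values the MDR request below asks for; the key is a credential and should only be passed on through the MDR Portal request.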

Creating New Request for Monitoring

Once the device is configured as outlined in the steps above and all network prerequisites have been met, you are ready to onboard it for MDR monitoring. To complete this process, submit a New Request via the MDR Portal at https://mss.accenture.com/. The new request should contain the following information:

  1. Reporting LCP Hostname/IPAddress:

  2. Storage Account Name:

  3. Account Key: 

  4. Blob Container: Default value is insights-logs-networksecuritygroupflowevent

  5. Subscription ID: 

Note: If you have any questions about this process, please contact the Accenture MDR onboarding team.

LCP Configuration Parameters

Table 1-3: The Microsoft Azure NSG Flow event collector (API-3855) properties to be configured by MDR are shown in the table.

Property: Storage Account Name
Default Value: Custom Value
Description: Azure unique storage account name mentioned in the Pre-Installation Questionnaire (PIQ).

Property: Account Key
Default Value: Custom Value
Description: Access key used to access the storage account, mentioned in the Pre-Installation Questionnaire (PIQ).
Example: idPwhQe5qS8Yf+9X3T2h2Wy3feUzkT/zaZvQCi4G0uaTrrkDETBJvRQUcNmOCQOt20xx4Db3Dw==

Property: Blob Container
Default Value: insights-logs-networksecuritygroupflowevent
Description: Container name (fixed for flow logs).

Property: Subscription
Default Value: Custom Value
Description: Subscription ID to be monitored.
Example: 5AFB7312-B10D-418C-9112-52222A01C96141C9

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.