Azure Flow Logs

Virtual net flow logs control inbound and outbound traffic to and from Azure resources by defining security rules based on IP address, port, and protocol. Virtual net flow logs capture information about network traffic, including source and destination IP addresses, ports, protocols, and whether traffic was allowed or denied. These logs are useful for monitoring network traffic, troubleshooting connectivity issues, and enhancing network security by detecting suspicious or unauthorized traffic patterns.

Ingest Method

Setup the ingestion of this source using the following guide.

Azure Blob Storage

Virtual Net Flow Log Forwarding

With the storage account created you can now setup Virtual net flow logs to export to it.

Follow along with Microsoft’s documentation on the exact steps required to create a new flow log. https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal#create-a-flow-log

RunReveal Source

Go to RunReveal and add a new source selecting Azure Flow Logs.

Give the source a name and fill in the remaining fields with the saved values from setup.

You will need the values that were saved from the setup steps.

• The app Tenant ID and Client ID from the app registration screen.
• The Client Secret Value that was created when generating a new secret for the app.
• The Storage Account Name where the logs are exporting to.
• The Storage Queue Name that holds the blob created notifications.

Once these are supplied and saved, RunReveal will begin to process messages in the queue and then ingest logs stored in the bucket.