Configure Azure Flow Logs
CDR allows you to configure collection of flow logs in your TotalCloud account for Azure. Configuring flow logs allows for deeper analysis into your cloud network to identify indicators of compromise like suspicious processes, registry changes, and file modifications.
Prerequisites
- Set up a TotalCloud Azure Connector for the resources you want to view Flow Logs on the TotalCloud Inventory. Click here to learn how to set up a TotalCloud Azure connector.
- Create an Azure storage account by following the steps here.
- Enable NSG Flow Logs for all your network security groups as described here.
Generate a Subscription Token
A subscription token is required to authenticate yourself when running the CFT stack for Flow Logs configuration. Follow the steps below to generate the required Subscription Token.
Run the Following Command to Generate AuthToken
curl --location --request POST 'https://<API Gateway URL>/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'
Run the Following Command to Generate SubscriptionToken
curl --location --request POST 'https://<API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000 }'
Store the generated SubscriptionToken for later.
Configure Flow Logs
Navigate to Configure > Threat Scanners > Azure > Configure Flow Logs to get started.
Configure flow logs by providing the storage account details.
Provide the following input values.
- Deployment Name - Provide a unique name for the Flow Logs deployment. For identification, start the deployment name with the prefix 'azure-'.
- Subscription ID - Provide the Subscription ID to share the machine image with CDR.
- Provide the Flow Log storage information such as:
- Storage Account
- Region/Zone
- Storage Account connection string
- You can click Add more buckets to configure more storage buckets.
- Click Save to create your Flow Log configuration.
Download the Scripts
Once you have configured your Flow Log from the Threat Scanners tab, you must download and deploy the Terraform script to collect the logs for your inventory.
Navigate to Configure > Threat Scanners > Azure > View Details to see the Flow Logs configuration details.
Click Download Scripts to get the qualys_azure_cdr_terraform.zip.
Next, deploy the Terraform Template to Configure the Flow Logs on your Azure cloud.
Deploy the Terraform Template
You can deploy the Qualys for Azure Terraform module in your Azure environment. The module deploys:
- An Azure AD Application with the role of Security Reader. The application provides Qualys access to scan for cloud resource and service misconfigurations, sub-optimal security policies, etc.
- An Azure Function that ingests NSG Flow Logs and sends them to the Qualys SaaS portal for analytics.
You must have Azure administrator or equivalent credentials for the subscriptions you wish to protect to complete the steps below.
Prerequisites to Deploy Terraform Template
Azure Cloud Shell already has the tool prerequisites installed and may be the preferred environment to deploy the Terraform module below. You can skip to this step if you use Azure Cloud Shell.
Install the following prerequisites for your platform (Windows, Mac, Linux).
Terraform
Create and manage the Qualys-for-Azure infrastructure. Download here.
Azure CLI
Deploy the infrastructure to your Azure subscription. Download here.
Azure Function
Deploy the log processor Azure Function. Download here.
Python
Install Python to your system. Download here.
NSG Flow Logs Delivered to Storage Account Blob
Qualys ingests NSG Flow Logs from an Azure storage account blob container in the same region as where the Terraform module is deployed below (see the location variable in terraform.tfvars). There are a couple of different ways to enable Flow Logs, both of which require creating an Azure storage account.
- Enable NSG Flow Logs for all your network security groups.
- Enable flow logs for each network security group as described here.
Deploy Terraform Module
The most convenient way to deploy the Terraform module is via Azure Cloud Shell using a bash terminal.
- Launch Azure Cloud Shell.
- Log into your Azure account by running az login from the terminal.
- Download the Terraform module qualys_azure.zip from TotalCloud by navigating to Configure > Threat Scanners > Azure > View Details > Download scripts.
- Unzip qualys_azure.zip.
- Open qualys_azure/terraform.tfvars.json. This file has all the fields prepopulated except for subscription_token. Add the subscription token generated earlier (see Generate a Subscription Token) and save. For example:
{
  "subscription_token": "",
  "apigw_url": "https://gateway.qualys.dev",
  "region_set": {
    "location1": {
      "location": "eastus",
      "flow_logs_storage_connection_string": "DefaultEndpointsProtocol=https;AccountName=tcqa212viaqualys;AccountKey=FB7bLpJtuUkwNhbkWQCsgsdVRWJY6ZY3OuyDhrYmC4eQ8YzmbaeWW8HmRnST0QtRHiQrsxACyXIq+ASt738T2g==;EndpointSuffix=core.windows.net"
    }
  }
}
- Run the following commands to deploy the module in each Azure subscription as needed:
terraform init
terraform apply -auto-approve
Terraform apply prompts you to provide the subscription ID. Provide the value as required.
- If terraform apply runs successfully, and the created application registers with Qualys, you should see the following output
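The terraform.tfvars.json file ends up holding two secrets (the subscription token and the storage account key), so it is worth filling it in with a small script that also checks each region entry before you run terraform apply. The following helper is an added example, not part of the Qualys module or the Terraform script; the field names follow the example file above, while the sample values, the function names and the validation rules are assumptions of this example.

```python
import json
import os

# Added helper (not the Qualys module's own code): fill subscription_token in terraform.tfvars.json and check each region entry.
REQUIRED_CS_FIELDS = ("DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix")

# Constructed sample with placeholder values, mirroring the structure of the file above.
SAMPLE_TFVARS = {
    "subscription_token": "",
    "region_set": {"location1": {
        "location": "eastus",
        "flow_logs_storage_connection_string": "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
                                               "AccountKey=PLACEHOLDER_BASE64_KEY==;EndpointSuffix=core.windows.net"}},
}

def parse_connection_string(cs):
    """Split 'k=v;k=v' into a dict; base64 account keys may themselves contain '='."""
    return dict(part.partition("=")[::2] for part in cs.split(";") if part)

def check_region_set(region_set):
    """Return the problems found in region_set; an empty list means it looks sane."""
    problems = []
    for name, region in region_set.items():
        if not region.get("location"):
            problems.append(f"{name}: missing location")
        fields = parse_connection_string(region.get("flow_logs_storage_connection_string", ""))
        for field in REQUIRED_CS_FIELDS:
            if not fields.get(field):
                problems.append(f"{name}: connection string lacks {field}")
        if fields.get("DefaultEndpointsProtocol", "https").lower() != "https":
            problems.append(f"{name}: storage endpoint must use https")
    return problems

def populate_config(cfg, subscription_token):
    """Return a copy of cfg with the token inserted, after validating the region set."""
    if not subscription_token:
        raise ValueError("subscription token must not be empty")
    problems = check_region_set(cfg.get("region_set", {}))
    if problems:
        raise ValueError("; ".join(problems))
    return dict(cfg, subscription_token=subscription_token)

def populate_tfvars_file(path, subscription_token):
    """Populate the file on disk and make it owner-only, since it now holds two secrets."""
    with open(path) as fh:
        cfg = populate_config(json.load(fh), subscription_token)
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)  # token and storage account key should not be world-readable
    return cfg
```

Run populate_tfvars_file("qualys_azure/terraform.tfvars.json", token) from the unzipped directory before terraform init; it raises with a list of problems rather than writing a half-valid file.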
To destroy the module and delete the Qualys security application and log processor, run: terraform destroy
Verify and View Data in the Qualys CDR Portal
Once deployed, Qualys CDR will start the security audit of your Azure subscriptions and surface NSG Flow Logs records, insights, and security findings in the Qualys CDR portal. Information will show in the portal in a few or several minutes, depending on the size of your Azure environment.