Configure Azure Flow Logs

CDR allows you to configure collection of flow logs in your TotalCloud account for Azure. Configuring flow logs allows for deeper analysis into your cloud network to identify indicators of compromise like suspicious processes, registry changes, and file modifications.

Prerequisites  

  • Set up a TotalCloud Azure Connector for the resources you want to view Flow Logs on the TotalCloud Inventory. Click here to learn how to set up a TotalCloud Azure connector. 
  • Create an Azure storage account by following the steps here. 
  • Enable NSG Flow Logs for all your network security groups as described here.

Generate a Subscription Token

A subscription token is required to authenticate yourself when running the CFT stack for Flow Logs configuration. Follow the steps below to generate the required Subscription Token.

Run the Following Command to Generate AuthToken 

curl --location --request POST 'https://<API Gateway URL>/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'

Run the Following Command to Generate SubscriptionToken 

curl --location --request POST 'https://<API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}'

Store the generated SubscriptionToken for later.

Configure Flow Logs

Navigate to Configure > Threat Scanners > Azure Configure Flow Logs to get started.

Configure flow logs by providing the storage account details.

Provide the following input values.

  1. Deployment Name - Provide a unique name for the Flow Logs deployment. For identification, start the deployment name with the prefix 'azure-'.
  2. Subscription ID - Provide the Subscription to share the machine image with CDR.
  3. Provide the Flow Log storage information:
    1. Storage Account
    2. Region/Zone
    3. Storage Account connection string
  4. You can click Add more buckets to configure more storage buckets.
  5. Click Save to create your Flow Log configuration.

Download the Scripts

Once you have configured your Flow Log from the Threat Scanners tab, you must download and deploy the Terraform script to collect the logs for your inventory.

Navigate to Configure > Threat Scanners > Azure View Details to see the Flow Logs configuration details.

Click Download Scripts to get the qualys_azure_cdr_terraform.zip.

Next, deploy the Terraform Template to Configure the Flow Logs on your Azure cloud.

Deploy the Terraform Template

You can deploy the Qualys for Azure Terraform module in your Azure environment. The module deploys:  

  • An Azure AD Application with the role of Security Reader. The application provides Qualys access to scan for cloud resource and service misconfigurations, sub-optimal security policies, etc.
  • An Azure Function that ingests NSG Flow Logs and sends them to the Qualys SaaS portal for analytics.

You must have Azure administrator or equivalent credentials for the subscriptions you wish to protect to complete the steps below.  

Prerequisites to Deploy Terraform Template

Azure Cloud Shell already has the tool prerequisites installed and may be the preferred environment to deploy the Terraform module below. You can skip to this step if you use Azure Cloud Shell.  
Install the following prerequisites for your platform (Windows, Mac, Linux).  

Terraform  

Create and manage the Qualys-for-Azure infrastructure. Download here.

Azure CLI  

Deploy the infrastructure to your Azure subscription.  Download here.

Azure Function

Deploy the log processor Azure Function.  Download here.

Python

Install Python to your system. Download here.  

NSG Flow Logs Delivered to Storage Account Blob  

Qualys ingests NSG Flow Logs from an Azure storage account blob container in the same region as where the Terraform module is deployed below (see the location variable in terraform.tfvars). There are a couple of different ways to enable Flow Logs, both of which require creating an Azure storage account.

  1. Enable NSG Flow Logs for all your network security groups.
  2. Enable flow logs for each network security group as described here.

Deploy Terraform Module  

The most convenient way to deploy the Terraform module is via Azure Cloud Shell using a bash terminal. 

  1. Launch Azure Cloud Shell.
  2. Log into your Azure account by running az login from the terminal.
  3. Download the Terraform module qualys_azure.zip from TotalCloud by navigating to Configure > Threat Scanners > Azure > View Details > Download scripts.
  4. Unzip the file and add the subscription token generated earlier to the subscription_token field of the file qualys_azure/terraform.tfvars.json.

    For example,

    {
        "subscription_token": "",
        "apigw_url": "https://gateway.qualys.dev",
        "region_set": {
            "location1": {
                "location": "eastus",
                "flow_logs_storage_connection_string": "DefaultEndpointsProtocol=https;AccountName=tcqa212viaqualys;AccountKey=FB7bLpJtuUkwNhbkWQCsgsdVRWJY6ZY3OuyDhrYmC4eQ8YzmbaeWW8HmRnST0QtRHiQrsxACyXIq+ASt738T2g==;EndpointSuffix=core.windows.net"
            }
        }
    }

  5. Unzip qualys_azure.zip.

  6. Open terraform.tfvars.json. This file has all the fields prepopulated except for subscription_token. Add the subscription token generated earlier (see Generate a Subscription Token) and save.
  7. Run the following commands to deploy the module in each Azure subscription as needed.

    terraform init
    terraform apply -auto-approve

    terraform apply prompts you to provide the subscription ID. Provide the value as required.

  8. If terraform apply runs successfully and the created application registers with Qualys, you should see the following output.


    To destroy the module and delete the Qualys security application and log processor, run:  

    terraform destroy  
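The storage connection string in terraform.tfvars.json carries the storage account key, so the file should be filled in at deploy time rather than committed with the secret in it. The following added helper (not part of the Qualys scripts) reads the token from an assumed QUALYS_SUBSCRIPTION_TOKEN environment variable, writes it into the subscription_token field, and checks each region_set entry before terraform apply; the field names follow the terraform.tfvars.json shown above.

```python
"""Populate and sanity-check qualys_azure/terraform.tfvars.json.

Added example; the field names come from the tfvars file above, the
environment variable name is an assumption."""
import json
import os
import sys

# Every Azure storage connection string used for flow-log ingestion must carry these.
REQUIRED_CS_KEYS = ("DefaultEndpointsProtocol", "AccountName", "AccountKey", "EndpointSuffix")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict.

    The AccountKey is base64 and may end in '=', so split each segment only once."""
    pairs = {}
    for segment in cs.split(";"):
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed segment {segment!r}")
        key, value = segment.split("=", 1)
        pairs[key] = value
    missing = [k for k in REQUIRED_CS_KEYS if k not in pairs]
    if missing:
        raise ValueError(f"connection string missing {missing}")
    if pairs["DefaultEndpointsProtocol"].lower() != "https":
        raise ValueError("connection string must use https, not plaintext http")
    return pairs


def populate_tfvars(tfvars, subscription_token):
    """Return a copy of tfvars with the token set and every region validated."""
    if not subscription_token:
        raise ValueError("subscription token is empty; generate one first")
    out = json.loads(json.dumps(tfvars))  # deep copy, leave the caller's dict alone
    out["subscription_token"] = subscription_token
    for name, region in out.get("region_set", {}).items():
        if not region.get("location"):
            raise ValueError(f"{name}: location is required")
        parse_connection_string(region.get("flow_logs_storage_connection_string", ""))
    return out


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "qualys_azure/terraform.tfvars.json"
    with open(path) as f:
        data = json.load(f)
    filled = populate_tfvars(data, os.environ.get("QUALYS_SUBSCRIPTION_TOKEN", ""))
    with open(path, "w") as f:
        json.dump(filled, f, indent=2)
```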

Verify and View Data in the Qualys CDR Portal

Once deployed, Qualys CDR will start the security audit of your Azure subscriptions and surface NSG Flow Logs records, insights, and security findings in the Qualys CDR portal. Information will show in the portal in a few or several minutes, depending on the size of your Azure environment.