Which resources can be used as a source for a Network security group inbound security rule

Last updated on August 15, 2022

Overview

A connector is used to establish communication between the SNYPR application and a datasource. Following a successful deployment, the connector makes data from a datasource available to query and view in the SNYPR application.

You can use Microsoft Corporation Azure Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, different types of Azure resources. For each rule, you can specify destination, source, port, and protocol.

The following properties are specific to the Microsoft Corporation Azure Network Security Groups connector:

  • Collection method: eventhub

  • Format: JSON

  • Functionality: Traffic Manager

  • Parser: SCNX_MICROS_AZURENETWORKSECURITYGROUPS_TM_EVE_JSO_COMM

  • Vendor version: -

References

  • Azure Network Security Groups Overview. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview.

  • Network Watcher - Create NSG Flow Logs Using an Azure Resource Manager Template. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.

Configure the connection on device

Complete the following steps to configure the Microsoft Corporation Azure Network Security Groups connection:

  • Event Hub details

  • Storage account details

Event Hub details

  1. Navigate to the Event Hub namespace where the data is forwarded.

  2. Capture the Event Hub namespace.

  3. Click on the Event Hub namespace and capture the Resource group name.

    Note: The Resource group name is used in later steps.

  4. Navigate to Entities > Event Hubs in the left pane, and then click the Event Hub where your data resides.

  5. Capture the Event Hub name.

  6. Click the Event Hub name, and then click Consumer groups from the left panel.

    Note: Use $Default if Securonix is the only consumer.

  7. Click Shared access policies from the left pane, and then select RootManageSharedAccessPolicy.

  8. Capture the Connection string-primary key.

Storage account details

  1. Select All services from the left panel.

  2. Type Storage accounts in the search dialogue, and then select Storage accounts to create a new storage account.

  3. Select the Resource group name associated with the Event Hub namespace.

    Note: This Resource group name was captured in previous steps.

  4. Complete the following information in the Create classic storage account window:

    1. Select the Resource group name associated with the Event Hub namespace.

      Note: The Resource group name was captured in previous steps.

    2. Type a name for the storage account.

    3. Select your desired location.

    4. Click Review + create.

  5. Click the newly created storage account name, and then select Access keys from the left pane.

  6. Capture the Primary Connection String key.

Export Azure Network Security Groups Diagnostic Logs to Event Hub

  1. Select the Azure Network Security Group that needs to be monitored.

  2. Select Diagnostic settings from the left pane.

  3. Click Add Diagnostic setting.

  4. Select Audit Logs and set the destination to Eventhub.

  5. Select the Event Hub created in the previous step.

  6. Complete the following steps in the Diagnostic setting window:

    1. Navigate to Logs > Category Groups, and then select allLogs.

    2. Set the Destination details to Stream to an event hub.

    3. Select the event hub created in the previous step.

    4. Click Save in the upper left corner.
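Once the diagnostic setting is saved, the event hub receives batches of diagnostic records rather than raw NSG rules. The following added example (not code from the Securonix documentation or from Microsoft) shows how a consumer of that hub can normalise the records and summarise allow/deny decisions per rule, which is the figure a reviewer compares against the NSG definition. The top-level "records" array is the envelope Azure Monitor uses for diagnostic exports; the per-record fields used here (category, resourceId, properties.ruleName/direction/priority/type) are an assumption about the NetworkSecurityGroupEvent layout, and SAMPLE_BATCH is constructed for this example, not captured from a real hub.

```python
"""Read a batch of NSG diagnostic records as delivered to the event hub.

Added example; not part of the Securonix documentation or product.
Record layout below is an assumption about Azure's NetworkSecurityGroupEvent
category; SAMPLE_BATCH is constructed test data.
"""
import json
from collections import Counter

NSG_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/SCNX-RG"
          "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SCNX-NSG")  # placeholder id

SAMPLE_BATCH = json.dumps({
    "records": [
        {   # an inbound connection matched an allow rule (constructed)
            "time": "2022-08-15T10:00:00.000Z",
            "category": "NetworkSecurityGroupEvent",
            "resourceId": NSG_ID,
            "operationName": "NetworkSecurityGroupEvents",
            "properties": {
                "ruleName": "UserRule_Allow-SSH",
                "direction": "In", "priority": 100, "type": "allow",
                "conditions": {"sourceIP": "203.0.113.10", "destinationPortRange": "22-22"},
            },
        },
        {   # an inbound connection hit the default deny rule (constructed)
            "time": "2022-08-15T10:00:05.000Z",
            "category": "NetworkSecurityGroupEvent",
            "resourceId": NSG_ID,
            "operationName": "NetworkSecurityGroupEvents",
            "properties": {
                "ruleName": "DefaultRule_DenyAllInBound",
                "direction": "In", "priority": 65500, "type": "block",
                "conditions": {"sourceIP": "198.51.100.7", "destinationPortRange": "3389-3389"},
            },
        },
        {   # a counter record from the other NSG category; the event parser skips it
            "time": "2022-08-15T10:00:10.000Z",
            "category": "NetworkSecurityGroupRuleCounter",
            "resourceId": NSG_ID,
            "operationName": "NetworkSecurityGroupCounters",
            "properties": {"ruleName": "UserRule_Allow-SSH", "matchedConnections": 12},
        },
    ]
})


def nsg_name(resource_id):
    """Last path segment of the ARM resource id, e.g. SCNX-NSG."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def parse_nsg_events(raw):
    """Normalise NetworkSecurityGroupEvent records from one hub batch.

    Records of other categories are skipped, and missing properties become
    None rather than raising, so one malformed record cannot stall the consumer.
    """
    events = []
    for rec in json.loads(raw).get("records", []):
        if rec.get("category") != "NetworkSecurityGroupEvent":
            continue
        props = rec.get("properties", {})
        events.append({
            "time": rec.get("time"),
            "nsg": nsg_name(rec.get("resourceId", "")),
            "rule": props.get("ruleName"),
            "direction": props.get("direction"),
            "priority": props.get("priority"),
            "decision": props.get("type"),  # assumed values: "allow" or "block"
            "source_ip": props.get("conditions", {}).get("sourceIP"),
        })
    return events


def summarize(events):
    """Count decisions per (nsg, rule, direction, decision)."""
    return Counter((e["nsg"], e["rule"], e["direction"], e["decision"]) for e in events)


if __name__ == "__main__":
    for key, count in sorted(summarize(parse_nsg_events(SAMPLE_BATCH)).items()):
        print(count, *key)
```

A consumer group dedicated to this reader (the page recommends $Default only when SNYPR is the sole consumer) keeps this kind of side analysis from competing with the SNYPR ingester for the same checkpoint.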

Sample user interface (UI) input:

consumergroupname=$Default
namespacename=scnxeventhub
eventhubname=scnxhub
saskeyname=RootManageSharedAccessKey
saskey=Endpoint=sb://scnxeventhub.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=ZRBDaJY4mEwLQ0dmkyCU8qwpDijs+i+EpwuwQUxVY=
storageconnectionstring=DefaultEndpointsProtocol=https;AccountName=scnxstorageaccountname;AccountKey=dVUXmmU8IcWOVXEMwwHWWkGQs4PHjN543q6nz+no8HttkDBXNbmHOTf/+p8aSoRkLfLCXcgMnwdfkheI6nw==;EndpointSuffix=core.windows.net
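Several of the UI fields above repeat information that is also inside the connection strings (the namespace is the host of the Endpoint URI, the SAS key name is the SharedAccessKeyName the key belongs to), so a mismatch between what was typed and what was pasted is a common reason a preview returns nothing. The following added example (not part of the Securonix documentation or product) parses Azure's Key=Value;Key=Value connection-string form, cross-checks the typed fields against it, and masks the secrets so the result can be pasted into a ticket. SAMPLE_INPUT re-uses the page's sample values as constructed test data; the function names and SECRET_KEYS are this example's own.

```python
"""Consistency checks for the connector's Event Hub and storage inputs.

Added example; not part of the Securonix documentation or product.
SAMPLE_INPUT holds the page's sample UI values as constructed test data.
"""
from urllib.parse import urlparse

SAMPLE_INPUT = {
    "consumergroupname": "$Default",
    "namespacename": "scnxeventhub",
    "eventhubname": "scnxhub",
    "saskeyname": "RootManageSharedAccessKey",
    "saskey": (
        "Endpoint=sb://scnxeventhub.servicebus.windows.net/;"
        "SharedAccessKeyName=RootManageSharedAccessKey;"
        "SharedAccessKey=ZRBDaJY4mEwLQ0dmkyCU8qwpDijs+i+EpwuwQUxVY="
    ),
    "storageconnectionstring": (
        "DefaultEndpointsProtocol=https;"
        "AccountName=scnxstorageaccountname;"
        "AccountKey=dVUXmmU8IcWOVXEMwwHWWkGQs4PHjN543q6nz+no8HttkDBXNbmHOTf/"
        "+p8aSoRkLfLCXcgMnwdfkheI6nw==;"
        "EndpointSuffix=core.windows.net"
    ),
}

# Connection-string components whose values must never appear in clear in logs.
SECRET_KEYS = {"SharedAccessKey", "AccountKey"}


def parse_connection_string(text):
    """Split 'A=b;C=d' into a dict. Only the first '=' of each segment separates
    key from value, because base64 secrets end in '=' padding."""
    pairs = {}
    for segment in text.split(";"):
        if not segment:
            continue  # tolerate a trailing ';'
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed connection-string segment: {segment!r}")
        pairs[key] = value
    return pairs


def mask(secret, keep=4):
    """Keep a short prefix so the key is recognisable, hide the rest."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def validate_connector_input(ui):
    """Return a list of findings; an empty list means the fields are consistent."""
    findings = []
    eh = parse_connection_string(ui["saskey"])
    st = parse_connection_string(ui["storageconnectionstring"])

    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not eh.get(required):
            findings.append(f"saskey is missing {required}")
    for required in ("AccountName", "AccountKey"):
        if not st.get(required):
            findings.append(f"storageconnectionstring is missing {required}")

    # The namespace typed into the UI must be the host of the Endpoint URI.
    host = urlparse(eh.get("Endpoint", "")).hostname or ""
    expected_host = f"{ui['namespacename'].strip()}.servicebus.windows.net"
    if host != expected_host:
        findings.append(
            f"namespacename {ui['namespacename']!r} does not match Endpoint host {host!r}")

    # The SAS key name typed into the UI must be the policy the pasted key belongs to.
    if ui["saskeyname"].strip() != eh.get("SharedAccessKeyName"):
        findings.append(
            f"saskeyname {ui['saskeyname']!r} does not match SharedAccessKeyName "
            f"{eh.get('SharedAccessKeyName')!r}")

    # An entity-scoped connection string carries EntityPath; it must name the same hub.
    if "EntityPath" in eh and eh["EntityPath"] != ui["eventhubname"].strip():
        findings.append(
            f"eventhubname {ui['eventhubname']!r} does not match EntityPath {eh['EntityPath']!r}")

    if not ui["consumergroupname"].strip():
        findings.append("consumergroupname is empty (use $Default if SNYPR is the only consumer)")
    return findings


def redacted(ui):
    """Copy of the UI input with secret components masked, safe for logs and tickets."""
    out = {}
    for field, value in ui.items():
        if field in ("saskey", "storageconnectionstring"):
            parts = parse_connection_string(value)
            out[field] = ";".join(
                f"{k}={mask(v) if k in SECRET_KEYS else v}" for k, v in parts.items())
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    print(redacted(SAMPLE_INPUT))
    print(validate_connector_input(SAMPLE_INPUT) or "input is consistent")
```

Run the check before clicking Get Preview; a non-empty findings list points at the field to correct, and the redacted copy is what should go into any support ticket rather than the raw strings.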

Configure the connection in SNYPR

Complete the following steps to configure Microsoft Corporation Azure Network Security Groups in the SNYPR application:

  1. Resource group information

  2. Parser management

  3. Identity attribution

  4. Detect policy violations

  5. Summary

Step 1. Resource group information

Complete the following steps if you're using SNYPR 6.4:

  1. Navigate to Menu > Add Data > Activity in the SNYPR application.

  2. Click Add Data > Add Data for Supported Device Type to set up the ingestion process.

  3. Click Vendor in the Resource Type Information section and select the following information:

    • Vendors: Microsoft Corporation

    • Device Types: Azure Network Security Groups

    • Collection Method: JSON[eventhub]

  4. Select an ingester from the list.

  5. Complete the following information in the Device Information section:

    • Datasource Name: Azure Network Security Groups

    • Specify timezone for activity logs: Select a time zone from the list.

  6. Complete the following information in the Connection Details section:

    1. Consumer Group Name

    2. Event Hubs Namespace

    3. Event Hubs Name

    4. Sas Key Name

    5. Sas Key

    6. Storage Account Connection String

    7. Storage Container Name

    8. Host Name Prefix

  7. Click Get Preview in the upper right corner of the page to preview the ingested data from the datasource.

  8. Click Save & Next.

Step 2. Parser management

Click Save & Next.

Note: For more information on Parser Management, refer to the SNYPR 6.4 Data Integration Guide.

Step 3. Identity attribution

  1. Click Add Condition > Add New Correlation Rule to add a correlation rule.

  2. Provide a descriptive name for the correlation rule in the Correlation Rule section.

    Note: For more information on Identity Attribution, refer to the SNYPR 6.4 Data Integration Guide.

  3. Specify the User Attribute, Operation, Parameter, Condition, and Separator parameters in the Correlate events to user using rule section.

  4. Click Save in the lower-right corner of the page to save the Correlate events to user using rule table.

  5. Click Save & Next in the upper-right corner of the page.

Step 4. Detect policy violations

Click Save & Next.

Step 5. Summary

  1. Select Do you want to schedule this job for future? in the Job Scheduling Information section and select any of the following based on the collection method:

    • Run every 1 minute for datasources with the collection method as syslog.

    • Run every 10 minutes for non-syslog based datasources.

  2. Click Save & Run.

Verifying the job

Following a successful import, the security log data for the datasource is accessible in the Available Datasources section of Spotter. To access the imported security log data, complete the following steps:

  1. Navigate to Menu > Security Center > Spotter.

  2. Enter the datasource name provided while creating the connection, and then click the magnifying glass icon in the search bar.

Note: Refer to the Spotter Query Reference Guide for information on how to write queries in Spotter.
