Azure Network Watcher
Azure Network Watcher is a network performance and diagnostic service that enables you to monitor your Azure network. This service lets you collect Network Security Group (NSG) flow logs. NSG flow logs carry 5-tuple information about ingress and egress IP traffic (source, destination, traffic flow direction, and whether the traffic was allowed or denied by the NSG), allowing you to troubleshoot traffic and security issues. NSG flow logs can be enabled via the Portal, PowerShell and the CLI; more info here.
Why Integrate and Analyze Azure Network Watcher Flow Logs with Sumo Logic?
Using Sumo Logic's machine learning algorithms and search capabilities, you can monitor your Azure network and alert on key metrics to rapidly identify problems and security issues. The Sumo Logic App for Azure Network Watcher leverages NSG flow logs to provide real-time visibility and analysis of your Azure network. It provides preconfigured dashboards that allow you to monitor inbound traffic, outliers in traffic flow, and denied flows. Furthermore, this data can be correlated with the Sumo Logic Apps for Azure Web Apps and Azure Audit for more contextual information. The Sumo Logic Threat Intelligence feed can also add an extra layer of security on top of your flow logs. The Sumo Logic App for Azure Network Watcher comes with the following preconfigured dashboards:
Network Watcher – Overview
This dashboard provides general information about the NSG flow logs, including panels that drill down into queries with NIC, tuple and traffic flow information. The Overview dashboard is a good starting point for detecting outliers in denied traffic and geographic hotspots for inbound traffic. The dashboard also allows panels to be filtered by rule name, source/destination IP and port, and other metadata fields.
Source Address Location of Inbound Traffic. Displays the geolocation of inbound traffic.
Flow Traffic by Rule Name. Shows the breakdown of all traffic by the security rule name set up at the NSG level.
Denied Traffic per Minute. Shows the trend in denied inbound traffic flow per minute.
Breakdown of Traffic (Allowed or Denied). Displays the traffic breakdown by allowed or denied flow.
Top 10 Destination Ports. Shows the top 10 destination ports in the last 24 hours.
Flow Traffic by Protocol. Displays the trend of traffic by protocol (TCP/UDP).
Denied Traffic per Hour – Outlier. This panel uses the Sumo Logic machine learning Outlier operator to show any unexpected sequence in denied traffic.
Denied Traffic Comparison (Today vs. Yesterday) – Outlier. Compares denied traffic of the last 24 hours with the previous 24 hours and shows any unexpected difference between the two time periods.
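To make the flow log format and the dashboard aggregates above concrete, here is an added example (not code from Sumo Logic or from Azure) that parses NSG flow log records and computes the same counts the panels show: denied inbound flows per minute, the allowed/denied breakdown, top destination ports, traffic by protocol and traffic by rule name. The sample record is constructed for this example and follows the documented NSG flow log version 1 JSON layout (records → properties.flows → rule → flows → flowTuples, with each tuple as "timestamp,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision"); the addresses, rule names and resource ID are placeholders, and the function names are this example's own.

```python
"""Parse Azure NSG flow log records and compute dashboard-style aggregates."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record (not real data), shaped like an NSG flow log v1 blob.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-01-15T10:00:32.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                      "RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 1,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1705312800,203.0.113.10,10.1.0.4,51529,3389,T,I,D",
                     "1705312801,203.0.113.10,10.1.0.4,51530,22,T,I,D",
                     "1705312861,198.51.100.7,10.1.0.4,40001,445,T,I,D",
                 ]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1705312805,192.0.2.20,10.1.0.4,44931,443,T,I,A",
                     "1705312870,10.1.0.4,192.0.2.53,55000,53,U,O,A",
                     "1705312880,192.0.2.21,10.1.0.4,44932,443,T,I,A",
                 ]}]},
            ],
        },
    }]
})

PROTOCOLS = {"T": "TCP", "U": "UDP"}


@dataclass(frozen=True)
class FlowTuple:
    """One flow tuple plus the NSG rule that produced it."""
    timestamp: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # "TCP" or "UDP"
    direction: str  # "I" = inbound, "O" = outbound
    decision: str   # "A" = allowed, "D" = denied
    rule: str


def parse_tuple(raw: str, rule: str) -> FlowTuple:
    """Parse one comma-separated flow tuple; v2 logs append extra fields, which are ignored."""
    fields = raw.split(",")
    if len(fields) < 8:
        raise ValueError(f"malformed flow tuple: {raw!r}")
    ts, src_ip, dst_ip, src_port, dst_port, proto, direction, decision = fields[:8]
    if proto not in PROTOCOLS or direction not in ("I", "O") or decision not in ("A", "D"):
        raise ValueError(f"unexpected protocol/direction/decision in tuple: {raw!r}")
    return FlowTuple(
        timestamp=datetime.fromtimestamp(int(ts), tz=timezone.utc),
        src_ip=src_ip, dst_ip=dst_ip,
        src_port=int(src_port), dst_port=int(dst_port),
        protocol=PROTOCOLS[proto], direction=direction, decision=decision, rule=rule,
    )


def parse_flow_log(text: str) -> list[FlowTuple]:
    """Flatten the nested records/rules/NICs structure into a list of FlowTuple."""
    flows: list[FlowTuple] = []
    for record in json.loads(text).get("records", []):
        for rule_entry in record["properties"]["flows"]:
            for nic in rule_entry["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(raw, rule_entry["rule"]))
    return flows


def denied_inbound_per_minute(flows: list[FlowTuple]) -> dict[str, int]:
    """Denied inbound flows bucketed by UTC minute (the 'Denied Traffic per Minute' panel)."""
    counts: Counter[str] = Counter()
    for f in flows:
        if f.decision == "D" and f.direction == "I":
            counts[f.timestamp.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def decision_breakdown(flows: list[FlowTuple]) -> dict[str, int]:
    """Allowed vs. denied flow counts."""
    return {"Allowed": sum(f.decision == "A" for f in flows),
            "Denied": sum(f.decision == "D" for f in flows)}


def top_destination_ports(flows: list[FlowTuple], n: int = 10) -> list[tuple[int, int]]:
    """Most frequent destination ports as (port, count), highest first."""
    return Counter(f.dst_port for f in flows).most_common(n)


def traffic_by_protocol(flows: list[FlowTuple]) -> dict[str, int]:
    return dict(Counter(f.protocol for f in flows))


def traffic_by_rule(flows: list[FlowTuple]) -> dict[str, int]:
    return dict(Counter(f.rule for f in flows))


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    print("denied inbound per minute:", denied_inbound_per_minute(parsed))
    print("allowed/denied:", decision_breakdown(parsed))
    print("top ports:", top_destination_ports(parsed, 3))
    print("by protocol:", traffic_by_protocol(parsed))
    print("by rule:", traffic_by_rule(parsed))
```

The parser rejects tuples with fewer than eight fields or unknown protocol, direction or decision codes instead of silently counting them, which matters when a blob is truncated mid-write; version 2 tuples (which add flow state and byte/packet counters after the decision) still parse because only the first eight fields are read.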
Get Started with Sumo Logic App for Azure Network Watcher
For more information on the App, please visit Sumo Logic for Azure Network Watcher. To set up the App, follow the Collect Logs for Azure Network Watcher and Install the Azure Network Watcher App sections on the Azure App page.