By Andrew Curran, Senior Cloud Security Engineer
Introduction
Prisma Cloud ingests NSG flow logs from Microsoft Azure to provide visibility into ingress and egress traffic to and from a user’s Azure environment. Several policy types in the Cloud Security Posture Management (Cloud Security) module of Prisma Cloud depend on NSG flow log data. Once ingestion is working, the user gains network insights that help identify traffic patterns and provide a more centralized view of network traffic; the flow log data also surfaces alerts for network anomalies in the cloud environment. This article outlines how to set up NSG flow log ingestion into Prisma Cloud.
Configure Azure NSG Flow Log Ingestion
To configure NSG flow log ingestion in Prisma Cloud, set up Azure Network Watcher to capture the NSG flow logs, store them in an accessible Azure storage account, and ensure that Prisma Cloud has the necessary permissions to access the NSG flow logs. For the sake of this article, we will outline the process relating to the onboarding of a single Azure subscription into Prisma Cloud.
- Log into the Azure portal, navigate to ‘Network Watcher’, and confirm that a Network Watcher exists in the region where the NSG flow log data will be recorded and ingested into Prisma Cloud (Network Watcher is a regional service). In this example, the Network Watcher was created in the ’East US’ region.
A Network Watcher will need to be created for all regions in which NSG flow log data is to be logged.
Figure 1: Network Watcher
- Create an NSG flow log for each NSG whose traffic you want to collect. In the Azure portal, navigate to Home > Network security groups > select the security group (here ‘securitygroupxyz’, an example NSG name) > scroll to Monitoring in the left-hand pane and select NSG flow logs > click ‘Create’.
Figure 2: Create Flow Log
- Select the appropriate subscription under the ‘Subscription’ drop-down.
- Next, select the flow log type, which is ‘Network security group’, and then select the Network Security Group as the target resource.
- Create the storage account that the NSG flow log data will be written to. The storage account MUST be in the same region as the Network Security Group; Azure requires NSG flow logs to be stored in a storage account in the NSG’s region.
- Select the ‘Subscription’ and then create a new storage account with a globally unique name. Prisma Cloud reads the flow log data from this storage account, where it is stored as block blobs.
- Set the retention period for the flow logs. Prisma Cloud’s guidance: “We recommend your Network Security Group (NSG) Flow Log Retention Period is set to greater than or equal to 90 days.” In this example the retention period is set to 90 days (a value of 0 keeps the flow log blobs indefinitely).
- The user can then click ‘Review and create’.
- Once validation passes, the user can complete the flow log creation by clicking ‘Create’.
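The Azure-side steps above (Network Watcher in the region, storage account in the NSG’s region, flow log with a 90-day retention policy) can also be expressed as code. The following Terraform is an added example written for this article; it is not the script that Prisma Cloud generates and not the author’s own configuration. It uses the hashicorp/azurerm provider, and the NSG name ‘securitygroupxyz’, the resource group names, the storage account name and the flow log name are assumed placeholders to replace with your own.

```hcl
# Added example (not from the article or from Prisma Cloud): Terraform
# equivalent of the portal steps for enabling an NSG flow log that
# Prisma Cloud can ingest. All names below are assumed placeholders.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# The existing NSG whose traffic should be logged (assumed name and RG).
data "azurerm_network_security_group" "target" {
  name                = "securitygroupxyz"
  resource_group_name = "rg-workload"
}

# Every regional resource takes its location from the NSG, so the
# "storage account must be in the same region as the NSG" rule is
# satisfied by construction rather than by remembering it in the portal.
locals {
  region = data.azurerm_network_security_group.target.location
}

# Network Watcher is regional. Azure auto-creates NetworkWatcherRG and
# NetworkWatcher_<region> when the service is enabled; if they already
# exist, import them instead of letting apply create duplicates.
resource "azurerm_resource_group" "nw" {
  name     = "NetworkWatcherRG"
  location = local.region
}

resource "azurerm_network_watcher" "nw" {
  name                = "NetworkWatcher_${local.region}"
  location            = azurerm_resource_group.nw.location
  resource_group_name = azurerm_resource_group.nw.name
}

# Storage account that receives the flow log block blobs and that
# Prisma Cloud reads from. The name must be globally unique and
# 3-24 lowercase alphanumeric characters.
resource "azurerm_storage_account" "flowlogs" {
  name                     = "nsgflowlogsxyz001"
  resource_group_name      = data.azurerm_network_security_group.target.resource_group_name
  location                 = local.region
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  min_tls_version          = "TLS1_2"
}

# The flow log itself. The resource group here is the Network Watcher's
# resource group, not the NSG's.
resource "azurerm_network_watcher_flow_log" "nsg" {
  name                 = "fl-securitygroupxyz"
  network_watcher_name = azurerm_network_watcher.nw.name
  resource_group_name  = azurerm_resource_group.nw.name

  network_security_group_id = data.azurerm_network_security_group.target.id
  storage_account_id        = azurerm_storage_account.flowlogs.id
  enabled                   = true
  # Assumption: version 2 (the newer format, which adds per-flow byte
  # and packet counts) is the one to use.
  version = 2

  # The retention the article recommends: at least 90 days.
  retention_policy {
    enabled = true
    days    = 90
  }
}

output "flow_log_storage_account_id" {
  value = azurerm_storage_account.flowlogs.id
}
```

After adjusting the names, run `terraform init` and `terraform apply` from Cloud Shell. If Azure has already auto-created the NetworkWatcherRG resource group and the NetworkWatcher_<region> resource for the subscription, bring them under management with `terraform import` first; otherwise the apply will fail on the existing resource group.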
- Log into Prisma Cloud. Navigate to:
Settings > Providers > Edit Cloud Account > Configure Account
Select the checkbox ‘Ingest and Monitor Network Security Group Flow Logs’ and then click ‘Download Terraform Script’. This generates a Terraform file that grants Prisma Cloud the permissions it needs to read the network data.
Figure 3: Ingest NSG Flow Log Setting
- Navigate to the Azure Cloud shell and upload the Terraform file.
Log into the Azure portal and open the Cloud Shell (bash). Once the prompt is open, select ‘Manage files’, select ‘Upload’, and choose the Terraform file to upload from your machine. Then run the following two commands (terraform apply prompts for confirmation before creating anything):
$ terraform init
$ terraform apply
Once the apply completes, copy the output values into the Prisma Cloud UI wizard to finish onboarding (or updating) the account. Three outputs are needed: the ‘Application (Client) ID’ (application_client_id), the ‘Application Client Secret’ (application_client_secret), and the ‘Enterprise Application Object ID’ (enterprise_application_object_id). Note that Terraform writes these outputs, the client secret included, in plaintext to the terraform.tfstate file in your Cloud Shell home directory, which Azure persists in a storage account; delete that state file, or move it to protected storage, once the onboarding is saved.

Figure 4: Azure Onboarding Terraform Output
Click through to the end of the onboarding wizard. When you click ‘Next’, Prisma Cloud runs its permission checks, which verify that the flow logs are configured and accessible. Once the checks pass, click ‘Save and close’ to exit the cloud account onboarding wizard.
Figure 5: Azure Cloud Account Permissions Check
- Once NSG flow log ingestion is working, you will see several types of policy alerts driven by network data: Network, Network Anomaly, and Attack Path. Network and Network Anomaly policies generally fire when Prisma Cloud observes known or suspected malicious IP addresses in the flow data.
Network policies are RQL-based, and every condition in the query must be satisfied before an alert opens. Network Anomaly policies are not RQL-based; they instead check the observed IP addresses against a Palo Alto Networks database of known or suspected malicious IPs and alert on matches.
Conclusion
This article has walked you through the steps to onboard and enable Azure NSG flow log data into Prisma Cloud.
Successful ingestion of Azure NSG flow log data into a Prisma Cloud tenant provides significant visibility into network activity in your environment. Connections from bad actors into (and out of) the environment surface as Network, Network Anomaly, and Attack Path alerts. It is essential to audit your Prisma Cloud tenant continually to ensure that the relevant policies are enabled and scoped to the environments you want them to cover. The threat landscape is constantly evolving, so the security controls that counter it must evolve too.
About the Author
Andrew Curran is a Senior Cloud Security Engineer on the Prisma Cloud CSPM team, specializing in supporting all non-compute solutions for Prisma Cloud AWS, Azure, GCP, OCI, and Alibaba.