Cisco Secure Cloud Analytics Microsoft Azure Integration


Public Cloud Monitoring Configuration for Microsoft Azure
Cisco Secure Cloud Analytics public cloud monitoring is a visibility, threat identification, and compliance service for Microsoft Azure. Secure Cloud Analytics consumes network traffic data, including Network Security Group (NSG) or Virtual network (VNet) flow logs, from your Azure public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Secure Cloud Analytics consumes flow logs directly from your Azure storage account, and uses an application to gain additional context.

Azure User Roles
We recommend configuring the integration as a user with the Global Administrator Microsoft Entra ID role and Owner role for all monitored subscriptions. If that is not possible, contact your Microsoft Entra ID administrator to ensure that:

  1. The user is able to create app registrations. This is allowed by default for member users, although some Microsoft Entra ID tenants may disable this. If the user is a guest user, or app registration has been disabled, the Application Developer role must be assigned to the user.
  2. For each monitored subscription, the user has access to the following Azure resources: authorization, network, storage accounts, and monitoring. These require the User Access Administrator and Contributor roles be assigned to the user.

See Azure Permissions Required for Secure Cloud Analytics Integration for more information.

Azure Configuration
To configure Azure to generate and store flow log data:

  • Have at least one resource group to monitor. See Create an Azure Resource Group for more information.
  • Obtain your Microsoft Entra ID URL. See Obtain the Microsoft Entra ID URL for more information.
  • Create a Microsoft Entra ID application, add the proper API permissions, then grant access to the application. See Create a Microsoft Entra ID Application, Add API Permissions to an Application, and Grant Access to an Application for more information.
  • Create a storage account for the flow log data, then grant access. See Create an Azure Storage Account to Store Flow Log Data and Grant Azure Storage Account Access for more information.
  • Enable Network Watcher, register the Insights provider, and enable flow logs. See Enable Azure Network Watcher, Register Insights Provider, and Enable Azure Flow Logs for more information.

Create an Azure Resource Group
First, make sure you have one or more resource groups that you want to monitor. You can use existing resource groups, or create a new resource group and populate it with resources, such as virtual machines.

  1. Log in to your Azure portal.
  2. Select More Services > General > Resource Groups.
  3. Click Create.
  4. Choose your Subscription from the drop-down list.
  5. Enter a Resource group name.
  6. Choose a Region from the drop-down list.
  7. Click Review + create.
  8. Click Create.

Obtain the Microsoft Entra ID URL
To provide Secure Cloud Analytics access to Azure metadata services, obtain your Microsoft Entra ID URL. Record this information; you will upload this information to the Secure Cloud Analytics web portal at the end of this process to complete your integration with Azure.

  1. In your Azure portal, select More Services > All > Microsoft Entra ID.
  2. On the Overview page, copy your Primary domain, for example example.onmicrosoft.com, and paste it into a plaintext editor. This is the Microsoft Entra ID URL used in the Configure in Secure Cloud Analytics section.

Create a Microsoft Entra ID Application
After you obtain the Microsoft Entra ID URL and subscription ID, create an application to allow Secure Cloud Analytics to read metadata from your resource groups. Copy the application key after you finish creating the application.

Create only one application per Microsoft Entra ID instance. You can monitor multiple subscriptions in a Microsoft Entra ID instance by assigning roles to the application. See Grant Access to an Application for more information.

  1. In your Azure portal, select Microsoft Entra ID > App Registrations.
  2. Click New registration.
  3. In the Name field, enter xdra-reader. Leave the others as default.
  4. Copy the Application (client) ID and paste it into a plaintext editor. This is the Application ID used in the Configure in Secure Cloud Analytics section.
  5. Select Certificates and Secrets > New Client Secret.
  6. In the Description field, enter Cisco XDR Reader.
  7. In the Expires drop-down list, choose an appropriate expiration date or accept the default value.
  8. Click Add.
  9. Copy the value and paste it into a plaintext editor. This is the Application Key used in the Configure in Secure Cloud Analytics section.

You cannot view the key after you navigate away from this page.

Add API Permissions to an Application
After you create the xdra-reader application in Microsoft Entra ID, add the API permissions to it, which allows Secure Cloud Analytics to support Entra ID detections.

  1. In your Azure portal, select Microsoft Entra ID > Manage > App registrations.
  2. Search for xdra-reader in All applications, and then select the xdra-reader application.
  3. Select Manage > API permissions > Add a permission > Microsoft Graph > Application permissions.
  4. Under Select permissions, check the AuditLog.Read.All permission check box.
  5. Click Add permissions.
  6. In the Configured permissions table on the API permissions pane, click Grant admin consent to approve the permission for the xdra-reader application.

Create only one application per Entra ID instance. Multiple subscriptions in the same instance can be monitored by a single application via role assignments, as described later.

Grant Access to an Application
After you register the xdra-reader app in Microsoft Entra ID, assign the Monitoring Reader role to it, which allows it to read metadata from your resource groups. Perform the following procedure for each subscription you want to monitor.

  1. In your Azure portal, select More Services > General > Subscriptions and select your subscription.
  2. Select Access Control (IAM).
  3. Select Add > Add role assignment.
  4. In the Role drop-down list, choose Monitoring Reader.
  5. Click Next.
  6. Under Members > Assign access to, select User, group, or service principal, then click Select members.
  7. In the Search field, enter xdra-reader, then click Next.
  8. Click Next, then click Review + assign.
  9. Repeat these steps for each current subscription you want to monitor.

Create an Azure Storage Account to Store Flow Log Data
After you assign the Monitoring Reader role to the xdra-reader application, create a storage account to store the flow log data. Create a binary large object (blob) storage account in the same location as your resource groups.

You can reuse an existing Storage Account if it can store blobs and is in the same location as your resource groups.
After you create the blob storage account, ensure that the firewall rules allow access to the storage account from the internet, so that Secure Cloud Analytics can properly integrate with your Azure deployment.

Create a Blob Storage Account

  1. In your Azure portal, select More Services > Storage > Storage Accounts.
  2. Click Add.
  3. Select your Subscription.
  4. Select the Resource group you want to monitor.
  5. Enter a Storage account name.
  6. Choose the same Region for the storage account as the resource group you specified.
  7. In the Preferred storage type drop-down menu, choose Azure Blob Storage or Azure Data Lake Storage Gen 2.
  8. Select Standard or Premium for Performance, depending on how often you plan to have blobs accessed within the storage account.
  9. Choose a Redundancy option from the drop-down menu, based on your organization’s requirements.
  10. Click Review + create.
  11. Click Create.

Enable Internet Access to the Blob Storage Account

  1. From the blob storage account, select the Networking tab.
  2. In the Public network access section, select Enable.
  3. In the Public network access scope section, select Enable from all networks.
  4. Click Save.

Grant Azure Storage Account Access
After you create a storage account, add permissions to enable Secure Cloud Analytics to retrieve the flow log data from the storage account.

  1. In your Azure portal, select More Services > Storage > Storage Accounts.
  2. Select the storage account configured to store flow log data.
  3. Select Access Control (IAM).
  4. Click Add > Add role assignment.
  5. Select the Storage Blob Data Reader role, then click Next.
    If you use custom roles, make sure the role has the following required permissions under Microsoft.Storage:
    • Actions:
      • Other: Generate User Delegation Key
      • Read: Get Blob Container
      • Read: List of Blob Containers
    • Data Actions:
      • Read: Read Blob
  6. In the Assign access to field, select User, group, or service principal.
  7. In the Members field, click Select members.
  8. In the Select members drawer, select the application created in the Create a Microsoft Entra ID Application section, xdra-reader, then click Select.
  9. Click Next.
  10. Review the settings, then click Next.
  11. Click Review + assign.
  12. Repeat these steps for each storage account containing flow logs.
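Custom roles are where this step usually goes wrong: a role that reads blobs but lacks the user delegation key action, or one that grants far more than read. The checker below is an added example, not part of this guide or of Cisco's tooling; it maps the four portal permission names in step 5 to the Azure operation strings that the built-in Storage Blob Data Reader role grants, then checks a role definition dict (same shape as `az role definition list` output) for both missing and excess permissions. The two sample role definitions are constructed for illustration.

```python
import fnmatch

# Azure operation strings behind the portal names in step 5
# (Generate User Delegation Key, Get/List Blob Container, Read Blob).
# These are exactly what the built-in Storage Blob Data Reader role grants.
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
]


def _granted(op, allowed, denied):
    # Azure role patterns use '*' as a wildcard that may span path segments,
    # which fnmatch's '*' also does; a NotAction/NotDataAction match wins.
    covered = any(fnmatch.fnmatchcase(op, p) for p in allowed)
    blocked = any(fnmatch.fnmatchcase(op, p) for p in denied)
    return covered and not blocked


def check_role(role):
    """Return {'missing': [...], 'excess': [...]} for one role definition dict
    (permissions[0] holds actions / notActions / dataActions / notDataActions)."""
    perms = role["permissions"][0]
    missing = [op for op in REQUIRED_ACTIONS
               if not _granted(op, perms.get("actions", []), perms.get("notActions", []))]
    missing += [op for op in REQUIRED_DATA_ACTIONS
                if not _granted(op, perms.get("dataActions", []), perms.get("notDataActions", []))]
    # The integration only reads blobs: any data-plane write/delete or wildcard,
    # or a bare '*' control-plane action, is more than it needs.
    excess = [p for p in perms.get("dataActions", [])
              if p.endswith(("/write", "/delete", "*"))]
    excess += [p for p in perms.get("actions", []) if p == "*"]
    return {"missing": missing, "excess": excess}


# Constructed sample role definitions (not real tenant data).
LEAST_PRIVILEGE_ROLE = {
    "roleName": "flowlog-reader-custom",
    "permissions": [{"actions": REQUIRED_ACTIONS, "notActions": [],
                     "dataActions": REQUIRED_DATA_ACTIONS, "notDataActions": []}],
}
OVERBROAD_ROLE = {
    "roleName": "blob-everything",
    "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                     "notActions": [],
                     "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
                     "notDataActions": []}],
}

if __name__ == "__main__":
    for role in (LEAST_PRIVILEGE_ROLE, OVERBROAD_ROLE):
        print(role["roleName"], check_role(role))
```

Run it against real output by loading the JSON from `az role definition list --custom-role-only true` and passing each element to `check_role`.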

If restricting access to this storage account based on IP, make sure that communication with the relevant IPs is allowed. Go to your Secure Cloud Analytics web portal, select Settings > Integrations > Azure > About to see the list of public IPs used by Secure Cloud Analytics.

Enable Azure Network Watcher
After you grant storage access, enable Network Watcher in the region containing your resource groups, if you have not already enabled it. Azure requires Network Watcher to enable flow logs for your network security groups.

  1. In your Azure portal, select More Services > Networking > Network Watcher.
  2. On the Overview page, click Create.
  3. Choose your Subscription from the drop-down list.
  4. Choose your Region from the drop-down list.
  5. Click Add.

Register Insights Provider
Before activating flow logs, register the microsoft.insights provider.

  1. In your Azure portal, select More Services > General > Subscriptions and select your subscription.
  2. Under the Settings section, click Resource Providers.
  3. Highlight the microsoft.insights provider, then click Register.
  4. Repeat the steps for each subscription you want to monitor.

Enable Azure Flow Logs
After you enable Network Watcher, enable flow logs for one or more resources you want to have monitored.

We support Network Security Group (NSG) and Virtual network (VNet) flow logging.

  1. In your Azure portal, select More Services > Networking > Network Watcher.
  2. Select Logs > Flow Logs.
  3. Click Create.
  4. Select your Subscription.
  5. Select Flow Log type (Network Security Group / Virtual Network).
  6. Click Select target resources and confirm the selections.
  7. Select the blob storage account to store the logs.
  8. In the Retention (days) field, enter a retention time for the logs.
  9. Click Review + create.
  10. Secure Cloud Analytics does not require enabling Traffic Analytics, but you can enable it if your organization wants the functionality.
  11. Repeat the steps for each resource you want to monitor.

Secure Cloud Analytics Configuration with Azure
Enter the following information in the Secure Cloud Analytics web portal to complete your integration with Azure:

  • Microsoft Entra ID URL
  • Application ID
  • Application Key

Configure Secure Cloud Analytics to Ingest Flow Log Data from Azure

  1. Log in to your Secure Cloud Analytics web portal as an administrator.
  2. Select Settings > Integrations > Azure > Credentials.
  3. Click Add New Credentials.
  4. Enter your Microsoft Entra ID URL.
  5. Enter the Application ID.
  6. Enter the Application Key.
  7. Choose the Azure Cloud environment from the drop-down list.
  8. Click Create.
  9. Select Settings > Integrations > Azure > Storage Access and ensure that your storage accounts are listed in the Azure RBAC table.
  10. To verify Secure Cloud Analytics is receiving data from your storage accounts, select Settings > Sensors and scroll to the Azure Sensors section to view your Azure (RBAC) storage accounts.


It can take up to 10 minutes for Azure RBAC storage accounts to display in the Secure Cloud Analytics portal. Any existing Azure sensors using the Shared Access Signature (SAS) method will go offline, and then you can click Delete to remove the SAS sensors.

Azure Permissions Required for Secure Cloud Analytics Integration
The following table details the role memberships required to configure Azure for integration with Secure Cloud Analytics:

Permissions are listed per action, first for a member user (native tenant member), then for a guest user (collaboration guest).

Create an Azure Resource Group
  Member user: add member user to Storage Account Contributor role
  Guest user: add guest user to Storage Account Contributor role

Obtain the Microsoft Entra ID URL
  Member user: default permission of member user
  Guest user: default permission of guest user to obtain Microsoft Entra ID URL; add guest user to Cognitive Services User role to obtain Subscription ID

Create a Microsoft Entra ID Application
  Member user: default permission of member user to create the Microsoft Entra ID application registration; default permission of member user to generate a client secret if the user created the application registration
  Guest user: add guest user to Application Developer role

Grant Access to an Application
  Member user: default permission of member user, if the user created the application registration
  Guest user: add guest user to Application Developer role

Create an Azure Storage Account to Store Flow Log Data
  Member user: add member user to Storage Account Contributor role
  Guest user: add guest user to Storage Account Contributor role

Grant Azure Storage Account Access
  Member user: add member user to Storage Account Contributor role
  Guest user: add guest user to Storage Account Contributor role

Enable Azure Network Watcher
  Member user: add member user to Network Contributor role
  Guest user: add guest user to Network Contributor role

Enable Azure Flow Logs
  Member user: add member user to Network Contributor role
  Guest user: add guest user to Network Contributor role

For more information on roles and permissions, search for the following terms on Microsoft’s Azure documentation:

  • Guest and member user permissions
  • Application Developer role
  • Cognitive Services User role
  • Monitoring Contributor role
  • Network Contributor role
  • Storage Account Contributor role

Additional Resources
For more information about Secure Cloud Analytics, refer to the following:

Contact Support

If you need technical support, please do one of the following:

Change History

Document Version | Release Date | Description
1_0 | December 6, 2018 | Initial version.
1_1 | March 20, 2019 | Updated to remove mentions of beta.
1_2 | November 1, 2019 | Updated with activity log storage information and additional role information.
1_3 | January 10, 2019 | Updated with removal of flow log retention configuration.
1_4 | August 26, 2020 | Update with information about internet access for blob storage account.
1_5 | October 16, 2020 | Updates based on UI update.
1_6 | February 2, 2021 | Updates for how to create the storage account.
2_0 | November 3, 2021 | Updated product branding.
3_0 | June 1, 2022 | Restructured and updated configuration instructions.
4_0 | August 1, 2022 | Added Contact Support section. Added note for public IPs. Updated document title.
4_1 | January 11, 2023 | Removed Azure Activity Log Storage section.
4_2 | April 21, 2023 | Corrected cross-reference links.
5_0 | February 26, 2025 | Added Add API Permissions to an Application section. Updated configuration instructions to match Azure UI updates.
5_1 | March 21, 2025 | Updated Enable Azure Flow Logs section to include VNet flow logging support.
6_0 | November 6, 2025 | Updated configuration instructions throughout the guide to support Azure RBAC. Removed the Activate Using a Bash Script section.

Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
