Version: Next

Deployment & Configuration

Setting up the Microsoft Sentinel integration is a two-part process: preparing your Azure environment to receive reduced and enriched data, and then configuring NetFlow Optimizer (NFO) to deliver it.

1. Azure Environment Prerequisites

NFO uses the Azure Logs Ingestion API to push data, so the following components must exist in your Azure subscription before you configure NFO:

  • Log Analytics Workspace: The repository where your enriched flow data will be stored.
  • Data Collection Endpoint (DCE): The HTTPS entry point that NFO posts data to. NFO needs outbound HTTPS (TCP 443) to the DCE's logs-ingestion hostname and to login.microsoftonline.com for token acquisition.
  • Data Collection Rule (DCR): The rule, linked to the DCE, that declares the incoming stream and directs NFO data to the correct custom table. The DCR's stream schema must list every field NFO sends; fields not declared are dropped.
  • Custom Tables: Tables (such as nfo_20062_CL) must be created with a schema matching the enriched fields provided by NFO.
Tip: We recommend using our ARM Templates to automatically deploy the DCR and Custom Tables with the optimal schema for NFO data.


2. Authentication & Identity

NFO needs a Microsoft Entra identity to upload logs to your DCR. Whichever method you choose, grant that identity the Monitoring Metrics Publisher role scoped to the DCR itself (not the resource group or subscription); that role is all the Logs Ingestion API requires. You can choose one of the following methods:

  • Service Principal: Best for NFO installations running on-premises or in other clouds. You will need your Tenant ID, Client ID, and Client Secret. Treat the client secret like any other credential: store it only in the NFO configuration, give it an expiry, and rotate it before it lapses.
  • System-assigned Managed Identity: Best for NFO running on an Azure VM. The VM obtains tokens from the Azure instance metadata service, so no secret is stored or rotated.

3. Configuring the NFO Output

With your Azure infrastructure ready, establish the connection in the NFO GUI.

  1. In the NFO web interface, navigate to Data Outputs and add a new destination of type Azure Log Analytics.
  2. Input your Workspace ID and the credentials of the identity chosen in section 2 (Tenant ID, Client ID, and Client Secret for a service principal, or select the managed identity).
  3. Set the Log Type to nfo_${nfc_id} so that each network module maps to its own table in Sentinel (module 20062 lands in nfo_20062_CL, the table created in section 1).
  4. Apply the nfc_id filter (e.g., 20062) to specify which enriched modules to push to Azure; modules without a matching custom table and DCR stream will not be ingested.

For a detailed, step-by-step technical walkthrough of these settings, see the Azure Log Analytics Output Guide.
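The following script is an added example, not NetFlow Optimizer's own code, showing what the output configured above does on the wire: it builds the service-principal token request from section 2, assembles the Logs Ingestion API request for the DCE and DCR from section 1, and refuses to send a batch that lacks the enriched fields section 4 later checks for. The DCE host, DCR immutable ID, tenant and client values, and the two flow records are placeholders and constructed samples; only the URL layout, the api-version, the Custom-<table> stream naming and the token scope are real properties of the API.

```python
"""Push NFO-style enriched flow records to a Log Analytics custom table
through the Azure Logs Ingestion API (DCE + DCR).

Added example for this page, not NetFlow Optimizer's own code. The DCE
host, DCR immutable ID, tenant/client values and the flow records are
placeholders and constructed samples."""
import json
import time
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
# Resource scope for Azure Monitor; the bearer token must be issued for it.
TOKEN_SCOPE = "https://monitor.azure.com/.default"

# Placeholders (assumptions): substitute the values from your own DCE and DCR.
DCE_HOST = "nfo-dce-example.eastus-1.ingest.monitor.azure.com"
DCR_IMMUTABLE_ID = "dcr-00000000000000000000000000000000"
TABLE = "nfo_20062_CL"  # custom table named as on this page

# Enriched fields every record must carry (the same ones section 4 verifies).
REQUIRED_FIELDS = ("TimeGenerated", "nfc_id", "src_ip", "src_host")


def stream_name(table: str) -> str:
    """A DCR addresses a custom table through the stream Custom-<table>."""
    if not table.endswith("_CL"):
        raise ValueError("custom Log Analytics tables are named <name>_CL")
    return f"Custom-{table}"


def ingestion_url(dce_host: str, dcr_id: str, table: str) -> str:
    """Logs Ingestion API endpoint: DCE host + DCR immutable ID + stream."""
    return (f"https://{dce_host}/dataCollectionRules/{dcr_id}"
            f"/streams/{stream_name(table)}?api-version={API_VERSION}")


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials token request for a service principal (section 2).

    Returns (url, urlencoded body). The identity needs only the Monitoring
    Metrics Publisher role on the DCR. On an Azure VM a managed identity
    would fetch the token from the instance metadata service instead, so
    no secret would exist in the NFO configuration at all."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    return url, body


def validate_records(records, required=REQUIRED_FIELDS) -> bool:
    """Reject a batch that lacks the enriched fields; the DCR stream schema
    must also declare every field sent, or the field is silently dropped."""
    return bool(records) and all(
        all(field in rec for field in required) for rec in records)


def build_request(url: str, token: str, records) -> urllib.request.Request:
    """JSON array body with a bearer token; the API answers 204 on success."""
    if not validate_records(records):
        raise ValueError("batch is missing enriched fields")
    req = urllib.request.Request(url, data=json.dumps(records).encode(),
                                 method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def sample_records(nfc_id: int = 20062):
    """Constructed sample batch in the shape of NFO-enriched flow records."""
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return [
        {"TimeGenerated": now, "nfc_id": nfc_id, "src_ip": "10.20.1.15",
         "src_host": "ws-1015.corp.example", "dst_ip": "203.0.113.9",
         "dst_port": 443, "bytes": 48210},
        {"TimeGenerated": now, "nfc_id": nfc_id, "src_ip": "10.20.1.77",
         "src_host": "srv-db01.corp.example", "dst_ip": "198.51.100.4",
         "dst_port": 22, "bytes": 1920},
    ]


def send(req: urllib.request.Request) -> int:
    """Perform the upload; only call this with real DCE/DCR values and token."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 204 No Content is the success response


if __name__ == "__main__":
    url = ingestion_url(DCE_HOST, DCR_IMMUTABLE_ID, TABLE)
    req = build_request(url, "<bearer-token>", sample_records())
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Running the script offline prints the POST target and body size without contacting Azure; call `send()` only after replacing the placeholders. A 403 from the DCE almost always means the role assignment on the DCR is missing, and a 204 with no rows appearing in the table usually means the stream schema does not match the fields sent.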


4. Data Ingestion Verification

After saving the configuration, verify that the data is arriving in your Azure environment. Allow a few minutes for ingestion latency before treating an empty result as a failure.

  1. In the Azure Portal, navigate to Microsoft Sentinel > Logs.
  2. In the query editor, enter the name of your custom table (e.g., nfo_20062_CL) and set the time range to the last 30 minutes.
  3. Click Run.
  4. Verify that the results populate with enriched fields such as src_ip, src_host, and nfc_id, and that the nfc_id values match the filter set in section 3. If rows arrive but an expected field is empty, the field is missing from the DCR stream schema or the table definition.