Matrix42 Self-Service Help Center

Azure Agent Dependency Collection

How to leverage the Firescope agent to collect traffic data from endpoints located in an Azure cloud.

Goal

Virtual machines inside an Azure environment pose a challenge in providing traffic or ‘flow’ information. While Azure does provide NSG flows, the traffic they record is only the ingress and egress of the NSG, so they do not provide the internal VM-to-VM relationship information necessary for application mapping. Even if the internal details were provided, this comes at a cost to the end user that can be quite high. Matrix42’s SDDM solves this problem by using our agent to query the VM for netstat information, which is converted into traffic flow data and provided to the SDDM Edge Device. Once the Edge receives the traffic data, it is sent to the SDDM account just like all other traffic from other sources (NetFlow, sFlow, IPFIX, or packet data) for mapping and other traffic forensics.
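The netstat-to-flow conversion described above, as an added illustration (not the agent's own code; the agent's real output format is not documented on this page): socket lines from a constructed `netstat -an` sample are collapsed into per-peer flow records, dropping listeners and non-established states, so that several client connections to one service appear as one flow with a count. The service-port heuristic (lower port number) is an assumption.

```python
import re
from collections import Counter

# Constructed sample `netstat -an` output (Linux layout) from an Azure VM at 10.0.1.4.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.4:443            10.0.2.7:51234          ESTABLISHED
tcp        0      0 10.0.1.4:443            10.0.2.7:51235          ESTABLISHED
tcp        0      0 10.0.1.4:35010          10.0.3.9:1433           ESTABLISHED
tcp        0      0 10.0.1.4:35011          10.0.3.9:1433           TIME_WAIT
udp        0      0 10.0.1.4:123            10.0.0.1:123            ESTABLISHED
"""

# One socket line: proto, two queue counters, local addr:port, foreign addr:port, optional state.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<state>\S+)?"
)


def parse_sockets(text):
    """Yield one dict per socket line; header and non-socket lines are skipped."""
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            yield m.groupdict()


def netstat_to_flows(text, keep_states=("ESTABLISHED",)):
    """Collapse socket lines into {(proto, local_ip, remote_ip, service_port): count}.

    Listening sockets and states outside keep_states (e.g. TIME_WAIT) are dropped.
    Assumption: the service port is the lower of the two ports, since client-side
    ephemeral ports are high-numbered; repeated connections to one service then
    merge into a single flow whose count reflects how many sockets were open.
    """
    flows = Counter()
    for s in parse_sockets(text):
        if s["state"] not in keep_states or "*" in (s["lport"], s["rport"]):
            continue
        service_port = min(int(s["lport"]), int(s["rport"]))
        flows[(s["proto"], s["laddr"], s["raddr"], service_port)] += 1
    return dict(flows)


if __name__ == "__main__":
    for key, count in sorted(netstat_to_flows(SAMPLE_NETSTAT).items()):
        print(key, "connections:", count)
```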

Setup requirements

  • Download and deploy the SPM/SDDM agent, which is available for Windows, Linux, and many other Unix variants (see the agent deployment instructions: https://help.matrix42.com/020_ESM/FireScope/SPM/Admin_Guide/Agents )
    • This agent contains the script used to request the traffic information from the OS
    • Upon request by the edge device, per the applied SPM/SDDM blueprint, this traffic information is sent to the edge device via HTTPS for processing
  • Ensure that the additional port 8048 is open in both the OS firewall and the network firewall from the agent to the SPM/SDDM Edge Device
  • Import the Agent_Traffic_Collection_BP.xml blueprint into the SPM/SDDM account (see the blueprint import and creation instructions: https://help.matrix42.com/020_ESM/FireScope/SDDM/User_Guide/Blueprints )
  • Perform one of the several types of device discovery provided by SPM/SDDM, and/or manually create server CIs that already have the agent deployed

Configuration Steps

  • Locate the CI that meets the requirements above.
    • On the left menu, under Configuration, expand Configuration Items, then select List.
    • Use one of the column filters to find the desired CI.
    • Click the name of the CI to open the record for editing.
    • Scroll down and expand the Blueprints section.
    • Left-click the pencil/edit icon to open the Blueprint list.
    • Use the column filter to locate the imported traffic blueprint.
    • Check the box for Agent_Traffic_Collection_BP, which causes that BP item to appear in the Blueprints list.
    • Close the “Choose Blueprints” window.
    • Scroll down to the bottom of the form and select the Save button.
    • A confirmation message is shown and you are redirected back to the Configuration Items list.
  • Now view the CI attributes to verify that the BP has deployed and is working properly. Note: the BP deployment process can take a minute or two to deploy and begin sending requests to the agent CI.
    • In the left menu, under Configuration, expand Attributes and select List.
    • If the desired CI is not already selected in the breadcrumb navigation, click it to search for the correct CI.
    • Once the attributes for the correct CI are listed, locate the ‘Server Traffic’ attribute; after a minute or two you will see results in the last value.
    • NOTE: this result simply confirms that the request was made and that the agent successfully sent traffic data to the edge device.
    • HTTP/1.1 200 is the success code; any status other than 200 needs to be examined.
    • The timestamp of the event is also listed for reference.
  • Now check the Network traffic list to see the traffic. NOTE: traffic processing in the edge can take 15 minutes or more, depending on the global settings for traffic collection.
    • In the left menu, expand Explore, then Network, and select Traffic List.
    • The resulting page is where you will eventually find the traffic from all methods of traffic collection being employed, including this agent method.
