Azure Agent Dependency Collection
Goal
Virtual machines in an Azure environment are difficult to map because they expose little traffic, or 'flow', information. Azure does provide NSG flow logs, but those record only traffic entering and leaving the network security group, so they do not show the VM-to-VM relationships needed for application mapping, and even that data is billed to the end user and can become costly. Matrix42's SDDM addresses this with its agent: the agent queries the VM for netstat information, converts it into traffic flow data, and delivers it to the SDDM Edge Device. The Edge then forwards the traffic data to the SDDM account exactly as it does traffic from other sources (NetFlow, sFlow, IPFIX, or packet data), where it is used for mapping and other traffic forensics.
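The conversion the agent performs, netstat output into flow records, can be illustrated with a short parser. The Python below is an added example written for this page; it is not the Matrix42 agent script and makes no claim about how that script works. It assumes constructed sample output in the formats of Linux `netstat -tan` and Windows `netstat -an` (embedded in the block), derives connection direction from the set of ports the host is listening on, and counts ESTABLISHED connections per client/server/port triple. One caveat a practitioner should keep in mind: netstat reports endpoints and connection state only, so flows derived this way describe relationships, not byte or packet volumes.

```python
"""Convert netstat output into directional TCP flow records.

Added illustration for this page; it is NOT the Matrix42 SPM/SDDM agent
script. The netstat samples below are constructed, not captured.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Flow:
    """One client -> server:port relationship observed in netstat."""
    client: str
    server: str
    server_port: int


# Matches TCP rows from Linux `netstat -tan` (which has Recv-Q/Send-Q
# columns) and Windows `netstat -an` (which does not). Header, blank and
# UDP lines do not match and are skipped.
_ROW = re.compile(
    r"^\s*(?:tcp6?|TCP)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)


def _split_endpoint(endpoint: str):
    """'10.0.1.4:8080' -> ('10.0.1.4', 8080); '[::]:0' -> ('[::]', 0);
    Linux wildcard '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_flows(netstat_output: str) -> Dict[Flow, int]:
    """Return {Flow: number of ESTABLISHED connections}.

    Direction rule: if the local port of an established connection is one
    this host listens on, the local host is the server; otherwise it is the
    client. Two passes are used because netstat does not guarantee that
    LISTEN rows precede ESTABLISHED rows.
    """
    listening = set()
    established = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        local_host, local_port = _split_endpoint(m["local"])
        remote_host, remote_port = _split_endpoint(m["remote"])
        state = m["state"]
        if state in ("LISTEN", "LISTENING"):   # Linux / Windows spelling
            listening.add(local_port)
        elif state == "ESTABLISHED":
            established.append((local_host, local_port, remote_host, remote_port))
        # TIME_WAIT, CLOSE_WAIT etc. are not live relationships; ignored.

    flows: Counter = Counter()
    for lh, lp, rh, rp in established:
        if lp in listening:
            flows[Flow(client=rh, server=lh, server_port=lp)] += 1
        else:
            flows[Flow(client=lh, server=rh, server_port=rp)] += 1
    return dict(flows)


# Constructed sample: a Linux web VM (10.0.1.4) serving two clients on 8080,
# using a database VM on 5432, with one admin SSH session.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 10.0.1.4:8080           10.0.1.20:51844         ESTABLISHED
tcp        0      0 10.0.1.4:8080           10.0.1.21:40120         ESTABLISHED
tcp        0      0 10.0.1.4:45210          10.0.2.9:5432           ESTABLISHED
tcp        0      0 10.0.1.4:45212          10.0.2.9:5432           ESTABLISHED
tcp        0      0 10.0.1.4:22             10.0.0.50:60233         ESTABLISHED
tcp        0      0 10.0.1.4:51200          10.0.2.9:5432           TIME_WAIT
"""

# Constructed sample: a Windows VM (10.0.1.5) with an RDP session in and a
# SQL Server connection out.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.1.5:3389          10.0.0.50:61002        ESTABLISHED
  TCP    10.0.1.5:52111         10.0.2.9:1433          ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
"""

if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        print(name)
        for flow, count in sorted(parse_flows(sample).items(), key=str):
            print(f"  {flow.client} -> {flow.server}:{flow.server_port}  x{count}")
```

Aggregating on the listening-port rule collapses the two database connections from the Linux host into a single 10.0.1.4 -> 10.0.2.9:5432 relationship with a count of 2, which is the shape an application map needs; a naive per-row export would instead produce one edge per ephemeral source port.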
Setup requirements
- Download and deploy the SPM/SDDM agent, which is available for Windows, Linux, and many other Unix variants (see the agent deployment instructions at https://help.matrix42.com/020_ESM/FireScope/SPM/Admin_Guide/Agents )
- The agent contains the script used to request the traffic information from the OS
- When requested by the Edge Device, according to the applied SPM/SDDM blueprint, the agent sends this traffic information to the Edge Device over HTTPS for processing
- Ensure the additional port 8048 is open in the OS firewall and the network firewall from the agent to the SPM/SDDM Edge Device
- Import the Agent_Traffic_Collection_BP.xml blueprint into the SPM/SDDM account (see the blueprint import and creation instructions at https://help.matrix42.com/020_ESM/FireScope/SDDM/User_Guide/Blueprints )
- Perform one of the device discovery methods provided by SPM/SDDM, and/or manually create server CIs for the servers on which the agent is already deployed
Configuration Steps
· Locate the CI that meets the requirements above.
o On the left menu, under Configuration, expand Configuration Items, then select List

o Use one of the column filters to find the desired CI

o Click the name of the CI to open the record for editing
o Scroll down and expand the Blueprints section

o Click the pencil/edit icon to open the Blueprint list
o Use the column filter to locate the imported traffic blueprint

o Check the box for Agent_Traffic_Collection_BP; the blueprint then appears in the Blueprints list

o Close the “Choose Blueprints” window
o Scroll down to the bottom of the form and select the Save button
o This will result in a confirmation message and redirect back to the Configuration Items List

o Now view the CI Attributes to ensure the BP has deployed and is working properly. Note: the BP deployment process can take a minute or two to complete and begin sending requests to the agent CI
o In the left menu, under Configuration, expand Attributes and select List

o If the desired CI is not already selected in the breadcrumb navigation, click it to search for the correct CI


o Once the attributes for the correct CI are listed, locate the 'Server Traffic' attribute; after a minute or two a result appears in its Last Value

o NOTE: this result only confirms that the request was made and that the agent successfully sent traffic data to the Edge Device
o HTTP/1.1 200 is the success code; any status other than 200 needs to be investigated
o The timestamp of the event is also listed for reference
o Now check the Network Traffic List to see the traffic. NOTE: traffic processing in the Edge can take 15 minutes or more, depending on the global settings for traffic collection
o In the left menu expand Explore, then Network, and select Traffic List

o This page is where traffic from all collection methods in use, including this agent method, eventually appears
