About ThreatSync+ Cloud Integration — Azure Flow Logs

Applies To: ThreatSync+ NDR

This feature is only available with a ThreatSync+ NDR or Total NDR license. For more information, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.

ThreatSync+ NDR enables you to monitor logs from third-party cloud environments, such as Azure flow logs.

Azure Virtual Network (VNet) flow logs provide granular visibility into network activity across computing resources in your Azure environment. ThreatSync+ NDR uses VNet flow logs for advanced traffic analysis to detect anomalies, identify potential security threats, and generate alerts.

Only VNet flow logs are supported. Network Security Group (NSG) flow logs will be retired on 30 September 2027, and as of 30 June 2025 you cannot create new NSG flow logs. For more information, go to Flow logging for network security groups in the Microsoft Azure documentation.

Licensing

To use Azure flow log integration with ThreatSync+ NDR, you must purchase and activate a ThreatSync+ NDR or Total NDR license. ThreatSync+ NDR and Total NDR are licensed for each user.

For more information about licensing, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.

Add a ThreatSync+ Cloud Integration

To add a cloud integration, use the ThreatSync+ Integrations UI in WatchGuard Cloud: select Configure > ThreatSync+ Integrations > Cloud Integration.

[Screenshot: a successfully added cloud integration that shows the Active status]

For more information, go to Configure a ThreatSync+ NDR Cloud Integration — Azure Flow Logs.

ThreatSync+ UI

To configure and monitor ThreatSync+ NDR, you use the ThreatSync+ UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com.

Available pages and features vary and depend on your license type. Throughout this documentation, ThreatSync+ refers generally to all products. If you do not see a page or feature in the ThreatSync+ UI, it is not supported by your product.

Monitor ThreatSync+ NDR

To monitor your ThreatSync+ NDR cloud integration, use these pages:

  • Network Summary — Provides an overview of trends in your network and includes links to detailed information about Smart Alerts and policy alerts. For more information, go to About the ThreatSync+ Summary Page.
  • Smart Alerts — Shows open Smart Alerts for operators to review and respond to. For more information, go to About Smart Alerts.
  • Policy Alerts — Shows alerts for policy violations on your network and includes detailed traffic information about your Azure flow logs. For more information, go to About Policy Alerts.
  • ThreatSync+ Audit Logs — Shows details of configuration activity performed for policies, zones, users, IP addresses, and SaaS collector changes. For more information, go to ThreatSync+ Audit Logs.
  • All IP Addresses — Shows details about internal and external IP addresses. You can use the information on this page to view the internal IP address of your Azure virtual machine. For more information, go to All IP Addresses.

Configure ThreatSync+ NDR

To configure ThreatSync+ NDR, select Configure > ThreatSync+.

You can use this page to configure alerts for a ThreatSync+ NDR integration with Azure flow logs:

Related Topics

Configure a ThreatSync+ NDR Cloud Integration — Azure Flow Logs

Configure ThreatSync+