Prisma Cloud Azure Cloud Account shows "Could not find built-in flow log container insights-logs-networksecuritygroupflowevent" error

Prisma Cloud Azure Cloud Account shows "Could not find built-in flow log container insights-logs-networksecuritygroupflowevent" error

20996
Created On 05/23/19 22:09 PM - Last Modified 03/05/25 15:39 PM


Symptom


  • After onboarding Azure subscription and enabling NSG Flow Logs, the Cloud Account status shows this warning message "Could not find built-in flow log container insights-logs-networksecuritygroupflowevent"

Environment


  • Prisma Cloud
  • Microsoft Azure
    • Examine the NSG Flow Log's target Storage Account, and confirm that it is missing the insights-logs-networksecuritygroupflowevent blob container.

Cause



There are a couple of causes on this issue:

  1. Azure did not properly create the blob container to store NSG Flow Logs, and so Prisma Cloud is unable to find it (or)
  2. There is a Storage Firewall associated that is not allowing "all traffic" or "NAT IP's for respective app stack on Prisma Cloud"
  3. Storage key access isn't correctly configured, this is a pre-requisite for all Storage Accounts that store NSG Flow Logs and require Flow Logs to be ingested by Prisma Cloud. Prisma Cloud uses Storage Account Keys based access to Storage Account for the purpose of ingesting Flow Logs.

Resolution


 Please follow the associated resolution steps for the causes listed above respectively: 

  1. Point the NSG Flow Logs to a new Storage Account
    • Log into Azure console
    • Create a new Storage Account
    • Modify the NSG Flow Logs to point to the newly created Storage Account
  2. Ensure whitelisting on your Azure storage account. 
    • Log into Azure console
    • Navigate to the Storage Account
    • Go to the storage account you want to secure.
    • Select on the settings menu called Networking.
    • Check that you've selected to allow access from Selected networks.
    • To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.Select Save to apply your changes.
  3. Ensure "Allow storage account key access" is enabled in Azure Portal under Storage accounts > storage_name > configuration.
    • Allow storage account key access configuration
  4. Make sure the Prisma Cloud role has the relevant subscriptions added to the scope. 
 

Additional Information


References:
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM1OCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language