elastic
diff --git a/‎packages/azure_blob_storage/agent/input/abs.yml.hbs‎
Lines changed: 6 additions & 0 deletions b/‎packages/azure_blob_storage/agent/input/abs.yml.hbs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎packages/azure_blob_storage/changelog.yml‎
Lines changed: 8 additions & 0 deletions b/‎packages/azure_blob_storage/changelog.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎packages/azure_blob_storage/manifest.yml‎
Lines changed: 31 additions & 2 deletions b/‎packages/azure_blob_storage/manifest.yml‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎packages/azure_network_watcher_nsg/_dev/build/docs/README.md‎
Lines changed: 20 additions & 4 deletions b/‎packages/azure_network_watcher_nsg/_dev/build/docs/README.md‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎packages/azure_network_watcher_nsg/changelog.yml‎
Lines changed: 8 additions & 0 deletions b/‎packages/azure_network_watcher_nsg/changelog.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎packages/azure_network_watcher_nsg/data_stream/log/agent/stream/abs.yml.hbs‎
Lines changed: 6 additions & 0 deletions b/‎packages/azure_network_watcher_nsg/data_stream/log/agent/stream/abs.yml.hbs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎packages/azure_network_watcher_nsg/data_stream/log/manifest.yml‎
Lines changed: 21 additions & 0 deletions b/‎packages/azure_network_watcher_nsg/data_stream/log/manifest.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎packages/azure_network_watcher_nsg/docs/README.md‎
Lines changed: 20 additions & 4 deletions b/‎packages/azure_network_watcher_nsg/docs/README.md‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎packages/azure_network_watcher_nsg/manifest.yml‎
Lines changed: 11 additions & 2 deletions b/‎packages/azure_network_watcher_nsg/manifest.yml‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎packages/azure_network_watcher_vnet/_dev/build/docs/README.md‎
Lines changed: 20 additions & 4 deletions b/‎packages/azure_network_watcher_vnet/_dev/build/docs/README.md‎
Lines changed: 20 additions & 4 deletions
@@ -6,6 +6,12 @@ pipeline: {{pipeline}}
 {{#if account_name}}
 account_name: {{account_name}}
 {{/if}}
+{{#if oauth2}}
+auth.oauth2:
+  client_id: {{client_id}}
+  client_secret: {{client_secret}}
+  tenant_id: {{tenant_id}}
+{{/if}}
 {{#if service_account_key}}
 auth.shared_credentials.account_key: {{service_account_key}}
 {{/if}}
 
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.3.0"
+  changes:
+    - description: Add RBAC based authentication for azure blob storage input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14396
+    - description: Update the Kibana Version to 8.16.0 to support RABC based authentication for azure blob storage input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14396
 - version: "2.2.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.
 
@@ -3,10 +3,10 @@ name: azure_blob_storage
 title: Custom Azure Blob Storage Input
 description: Collect log data from configured Azure Blob Storage Container with Elastic Agent.
 type: input
-version: "2.2.0"
+version: "2.3.0"
 conditions:
   kibana:
-    version: "^8.13.0 || ^9.0.0"
+    version: "^8.16.0 || ^9.0.0"
 categories:
   - azure
   - observability
@@ -20,13 +20,42 @@ policy_templates:
     template_path: abs.yml.hbs
     description: Collect log data from configured Azure Blob Storage Container with Elastic Agent.
     vars:
+      - name: oauth2
+        required: true
+        show_user: true
+        title: Collect logs using OAuth2 authentication
+        description: To collect logs using OAuth2 authentication enable the toggle switch. By default, it will collect logs using service account key or URI.
+        type: bool
+        multi: false
+        default: false
       - name: account_name
         type: text
         title: Account Name
         description: |
           This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally for various processing purposes.
         required: true
         show_user: true
+      - name: client_id
+        type: text
+        title: Client ID (OAuth2)
+        description: Client ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        required: false
+        show_user: true
+        secret: true
+      - name: client_secret
+        type: password
+        title: Client Secret (OAuth2)
+        description: Client Secret of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        required: false
+        show_user: true
+        secret: true
+      - name: tenant_id
+        type: text
+        title: Tenant ID (OAuth2)
+        description: Tenant ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        multi: false
+        required: false
+        show_user: true
       - name: service_account_key
         type: password
         title: Service Account Key
 
@@ -21,8 +21,15 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 3. Click on **Show** keys to show your **access keys** and **connection strings** and to enable buttons to copy the values.
 4. Under key1, find the Key value. Click on the Copy button to copy the **account key**. Same way you can copy the **storage account name** shown above keys.
 5. Go to **Containers** under **Data storage** in your storage account to copy the **container name**.
+6. Configure the integration using either Service Account Credentials or Microsoft Entra ID RBAC with OAuth2 options. For OAuth2 (Entra ID RBAC), you'll need the Client ID, Client Secret, and Tenant ID. For Service Account Credentials, you'll need either the Service Account Key or the URI to access the data.
 
-**Note**:  Enable virtual network flow logs using the steps provided in [reference](https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-portal).
+- How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
+- For more details about the Azure Blob Storage input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html).
+
+Note:
+- Enable virtual network flow logs using the steps provided in [reference](https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-portal).
+- The service principal must be granted the appropriate permissions to read blobs. Ensure that the necessary role assignments are in place for the service principal to access the storage resources. For more information, please refer to the [Azure Role-Based Access Control (RBAC) documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage).
+- We recommend assigning either the **Storage Blob Data Reader** or **Storage Blob Data Owner** role. The **Storage Blob Data Reader** role provides read-only access to blob data and is aligned with the principle of least privilege, making it suitable for most use cases. The **Storage Blob Data Owner** role grants full administrative access — including read, write, and delete permissions — and should be used only when such elevated access is explicitly required.
 
 ### Enabling the integration in Elastic:
 
@@ -31,9 +38,18 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 3. Select the "Azure Network Watcher NSG" integration from the search results.
 4. Select "Add Azure Network Watcher NSG" to add the integration.
 5. While adding the integration, to collect logs via Azure Blob Storage, keep **Collect NSG logs via Azure Blob Storage** toggle on and then configure following parameters:
-   - account name
-   - containers
-   - service account key/service account uri
+   For OAuth2 (Microsoft Entra ID RBAC):
+   - Toggle on **Collect logs using OAuth2 authentication**
+   - Account Name
+   - Client ID
+   - Client Secret
+   - Tenant ID
+   - Container Details.
+
+   For Service Account Credentials:
+   - Service Account Key or the URI
+   - Account Name
+   - Container Details
 6. Save the integration.
 
 ## Logs Reference
 
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.5.0"
+  changes:
+    - description: Add RBAC based authentication for azure blob storage input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14396
+    - description: Update the Kibana Version to 8.16.0 to support RABC based authentication for azure blob storage input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14396
 - version: "1.4.0"
   changes:
     - description: Remove redundant installation instructions.
 
@@ -1,6 +1,12 @@
 {{#if account_name}}
 account_name: {{account_name}}
 {{/if}}
+{{#if oauth2}}
+auth.oauth2:
+  client_id: {{client_id}}
+  client_secret: {{client_secret}}
+  tenant_id: {{tenant_id}}
+{{/if}}
 {{#if service_account_key}}
 auth.shared_credentials.account_key: {{service_account_key}}
 {{/if}}
 
@@ -13,6 +13,27 @@ streams:
           This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally for various processing purposes.
         required: true
         show_user: true
+      - name: client_id
+        type: text
+        title: Client ID (OAuth2)
+        description: Client ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        required: false
+        show_user: true
+        secret: true
+      - name: client_secret
+        type: password
+        title: Client Secret (OAuth2)
+        description: Client Secret of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        required: false
+        show_user: true
+        secret: true
+      - name: tenant_id
+        type: text
+        title: Tenant ID (OAuth2)
+        description: Tenant ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.
+        multi: false
+        required: false
+        show_user: true
       - name: service_account_key
         type: password
         title: Service Account Key
 
@@ -21,8 +21,15 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 3. Click on **Show** keys to show your **access keys** and **connection strings** and to enable buttons to copy the values.
 4. Under key1, find the Key value. Click on the Copy button to copy the **account key**. Same way you can copy the **storage account name** shown above keys.
 5. Go to **Containers** under **Data storage** in your storage account to copy the **container name**.
+6. Configure the integration using either Service Account Credentials or Microsoft Entra ID RBAC with OAuth2 options. For OAuth2 (Entra ID RBAC), you'll need the Client ID, Client Secret, and Tenant ID. For Service Account Credentials, you'll need either the Service Account Key or the URI to access the data.
 
-**Note**:  Enable virtual network flow logs using the steps provided in [reference](https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-portal).
+- How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
+- For more details about the Azure Blob Storage input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html).
+
+Note:
+- Enable virtual network flow logs using the steps provided in [reference](https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-portal).
+- The service principal must be granted the appropriate permissions to read blobs. Ensure that the necessary role assignments are in place for the service principal to access the storage resources. For more information, please refer to the [Azure Role-Based Access Control (RBAC) documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage).
+- We recommend assigning either the **Storage Blob Data Reader** or **Storage Blob Data Owner** role. The **Storage Blob Data Reader** role provides read-only access to blob data and is aligned with the principle of least privilege, making it suitable for most use cases. The **Storage Blob Data Owner** role grants full administrative access — including read, write, and delete permissions — and should be used only when such elevated access is explicitly required.
 
 ### Enabling the integration in Elastic:
 
@@ -31,9 +38,18 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 3. Select the "Azure Network Watcher NSG" integration from the search results.
 4. Select "Add Azure Network Watcher NSG" to add the integration.
 5. While adding the integration, to collect logs via Azure Blob Storage, keep **Collect NSG logs via Azure Blob Storage** toggle on and then configure following parameters:
-   - account name
-   - containers
-   - service account key/service account uri
+   For OAuth2 (Microsoft Entra ID RBAC):
+   - Toggle on **Collect logs using OAuth2 authentication**
+   - Account Name
+   - Client ID
+   - Client Secret
+   - Tenant ID
+   - Container Details.
+
+   For Service Account Credentials:
+   - Service Account Key or the URI
+   - Account Name
+   - Container Details
 6. Save the integration.
 
 ## Logs Reference
 
@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: azure_network_watcher_nsg
 title: Azure Network Watcher NSG
-version: "1.4.0"
+version: "1.5.0"
 description: Collect logs from Azure Network Watcher NSG with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
   - security
 conditions:
   kibana:
-    version: "^8.13.0 || ^9.0.0"
+    version: "^8.16.0 || ^9.0.0"
   elastic:
     subscription: basic
 screenshots:
@@ -31,6 +31,15 @@ policy_templates:
       - type: azure-blob-storage
         title: Collect Azure Network Watcher NSG logs via Azure Blob Storage Input
         description: Collecting Azure Network Watcher NSG logs via Azure Blob Storage Input.
+        vars:
+          - name: oauth2
+            required: true
+            show_user: true
+            title: Collect logs using OAuth2 authentication
+            description: To collect logs using OAuth2 authentication enable the toggle switch. By default, it will collect logs using service account key or URI.
+            type: bool
+            multi: false
+            default: false
 owner:
   github: elastic/security-service-integrations
   type: elastic
@@ -21,18 +21,34 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 3. Click **Show keys** to show your **access keys** and **connection strings** to enable buttons to copy the values.
 4. Under **key1**, find the key value. Click **Copy** to copy the **account key**. In the same way, copy the storage account name shown above the keys.
 5. In your storage account, go to **Data storage** > **Containers** to copy the container name.
+6. Configure the integration using either Service Account Credentials or Microsoft Entra ID RBAC with OAuth2 options. For OAuth2 (Entra ID RBAC), you'll need the Client ID, Client Secret, and Tenant ID. For Service Account Credentials, you'll need either the Service Account Key or the URI to access the data.
 
-**Note**: Follow [these steps](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal) to enable virtual network flow logs.
+- How to setup the `auth.oauth2` credentials can be found in the Azure documentation [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
+- For more details about the Azure Blob Storage input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html).
+
+Note:
+- Follow [these steps](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal) to enable virtual network flow logs.
+- The service principal must be granted the appropriate permissions to read blobs. Ensure that the necessary role assignments are in place for the service principal to access the storage resources. For more information, please refer to the [Azure Role-Based Access Control (RBAC) documentation](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage).
+- We recommend assigning either the **Storage Blob Data Reader** or **Storage Blob Data Owner** role. The **Storage Blob Data Reader** role provides read-only access to blob data and is aligned with the principle of least privilege, making it suitable for most use cases. The **Storage Blob Data Owner** role grants full administrative access — including read, write, and delete permissions — and should be used only when such elevated access is explicitly required.
 
 ### Enable the integration in Elastic
 
 1. In Kibana navigate to **Management** > **Integrations**.
 2. In the search top bar, type **Azure Network Watcher VNet**.
 3. Select the **Azure Network Watcher VNet** integration and add it.
 5. To collect logs via Azure Blob Storage, select **Collect VNet logs via Azure Blob Storage** and configure the following parameters:
-   - account name
-   - containers
-   - service account key/service account uri
+   For OAuth2 (Microsoft Entra ID RBAC):
+   - Toggle on **Collect logs using OAuth2 authentication**
+   - Account Name
+   - Client ID
+   - Client Secret
+   - Tenant ID
+   - Container Details.
+
+   For Service Account Credentials:
+   - Service Account Key or the URI
+   - Account Name
+   - Container Details
 6. Save the integration.
 
 ## Limitations