Begin Scanning a Microsoft Azure Storage App
Configure your Microsoft Azure Storage app to connect to the Aperture service to enable the monitoring and scanning of your resources.
Before you can begin scanning a Microsoft Azure Storage app, you must complete the following prerequisites:
- Ensure that you have the required permissions to create an application in Azure Active Directory (AAD). See Check Azure Active Directory Permissions in the Microsoft documentation.
- Create an AAD application. In a text editor (such as Notepad), copy the Application ID and the name of the application to use later in this procedure. See Create an Azure Active Directory Application in the Microsoft documentation.
- Get the Tenant ID, which is the ID of the AAD directory in which you created the application. In a text editor (such as Notepad), copy the Directory ID to use later in this procedure. The Directory ID value is the tenant ID required to install Azure to the Aperture service. See Get Tenant ID in the Microsoft documentation.
- Assign the Reader role to the AAD application on the subscriptions to scan.
- Assign the Storage Account Key Operator Service Role to the AAD application on the subscriptions or storage accounts to scan. See Assign Application to Role in the Microsoft documentation.
- Enable the roles required by the AAD application. From your subscription, select Access control (IAM) > Add > Role and enable the following roles:
To begin scanning a Microsoft Azure Storage app:
- Prepare your Microsoft Azure Storage account to connect with the Aperture service.
  - Select the application to register with the Azure AD tenant.
    - Log in to Microsoft Azure.
    - Select Azure Active Directory > App registrations.
    - Register the application to provide secure sign-in and authorization for Aperture services. You can add a New application registration or select an app that has already been registered by clicking on the app in the list.
    - (Optional) Enter the application Name, Application Type, and Sign-on URL to Create a new application registration.
  - Enable the permissions API for Microsoft Graph.
    - Click Settings for the registered app.
    - Select Required Permissions > Add > Select an API > Microsoft Graph.
    - Add permissions: enable Read all users’ full profiles in both Application Permissions and Delegated Permissions.
    - Save your Microsoft Graph API setting.
  - Enable the delegated permissions API for Windows Azure Active Directory.
    - Click Settings for the registered app.
    - Select Required Permissions > Add > Windows Azure Active Directory.
    - Enable Read directory data in Application Permissions and Read all users’ full profiles in Delegated Permissions.
    - Save your Windows Azure Active Directory API setting.
  - Grant application and delegated permissions.
    - Click Settings for the registered app.
    - Select Required Permissions > Grant Permissions.
    A confirmation window displays asking whether to Grant Permissions for all accounts in the current directory. Select Yes to grant the permissions for the accounts.
  - Record the Application ID, Directory ID, and Application Key for your registered application; they are required to complete the setup of the Microsoft Azure Storage app in Aperture.
    - Log in to Microsoft Azure, select the registered app to view it, and copy the Application ID to enter during app installation.
    - Select Azure Active Directory > Properties. Copy the Directory ID to enter during app installation.
    - Click Settings > Keys. Provide a description of the key and a duration for the key, then save the key. The key value is the Application Key to enter during app installation. After you save the key, its value is displayed. Copy this value now, because you cannot retrieve the key later.
  - Configure the diagnostic service settings in Azure for each storage account to enable iterative scanning. The Aperture service can continuously scan Azure Storage subscriptions and accounts to identify and report any new accounts, activities, and events with the iterative scanning service. The service also scans and identifies users assigned to Subscriptions, Resources, Groups, Containers, and Storage Accounts.
    - Select the storage account to configure the diagnostic service settings, and then select Monitoring > Diagnostic Settings. If the settings are not already enabled, turn the status On.
    - Select the type of Metrics and Logging data for each service you wish to monitor, and set the retention policy for the data by moving the retention (days) slider from 1 to 365. The default for new storage accounts is 7 days.
    - Save your monitoring configuration.
- Add the Microsoft Azure Storage app to Aperture.
  - From the Aperture Dashboard, Add a Cloud App.
  - Select Microsoft Azure Storage.
  On Save, the Aperture service adds the Azure Cloud Storage app to the list of Cloud Apps.
- Configure your Microsoft Azure Storage settings.
  - Click Connect to Account.
  - Enter the Directory ID, Application ID, and Application Key you recorded in the previous steps.
  - Click Next.
- Select the Azure subscriptions to monitor.
  - Enable a Subscription to scan from the discovered list, or select Automatically scan all new subscriptions.
  - Click Next.
- Review the initial scan discoveries and complete the Azure app installation. View Details on the discovered containers to review the discoveries and decide whether to proceed with scanning:
  - To scan all discovered containers, enable Scan all current and any new containers and then Save your scan setting.
  - To scan individual containers and subscriptions, select the items to scan and then Save your scan setting.
  - If you do not want to proceed with scanning the discovered containers, select Cancel to abort the installation.
- (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
  - Select the Azure Cloud Storage link on the Cloud Apps list.
  - Enter a descriptive Name to differentiate this instance of the Azure Cloud Storage app from other instances you are managing.
- Define global scan settings.
  - Add policy rules. When you add a new cloud app, the Aperture service automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Policy Rule for Content to look for risks unique to the new app.
  - (Optional) Configure or edit a data pattern. You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, which makes it possible to find all instances of text that match a data pattern you specify.
- Start scanning the new Azure Cloud Storage app for risks.
  - Select Settings > Cloud Apps & Scan Settings.
  - In the Cloud Apps row that corresponds to the new Azure Cloud Storage app, select Actions > Start Scanning. The status changes to Scanning. The Aperture service starts scanning all assets in the associated Azure Cloud Storage app and begins identifying incidents. Depending on the number of Azure assets, it may take some time for the Aperture service to discover all assets and users. However, as soon as you see this information populating on the Aperture Dashboard, you can begin to Assess Incidents.
  - Monitor the results of the scan. As the Aperture service starts scanning files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective. Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
  - (Optional) To view the status of the Subscriptions and Containers being scanned, select Settings > Cloud Apps & Scan Settings. Select an Azure app from the list of Cloud Apps and expand the Subscriptions and Containers to view the scan details.
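The Azure-side part of this procedure (the prerequisites plus step 1: app registration, Reader and Storage Account Key Operator role assignments, Graph and Windows Azure Active Directory permissions, the Application Key, and the storage diagnostic settings) can be scripted with the Azure CLI. The script below is an added example and is not Aperture's or Microsoft's code. It assumes the Azure CLI (`az`) is installed and logged in to the tenant you want to scan, that the caller can list the storage account keys (needed by `az storage logging update`), and that the current CLI field names `appRoles` and `oauth2PermissionScopes` are used to look up permission IDs by name so that no permission GUIDs are hard-coded; the display name `aperture-scanner-EXAMPLE` is a constructed placeholder. The Aperture-side steps (adding the app, selecting subscriptions, policy rules) are portal-only on this page and are not covered.

```shell
#!/bin/sh
# Added example (not Aperture's or Microsoft's code): Azure CLI equivalent of
# the Azure-side steps on this page. Assumes "az" is installed and logged in.
# Usage:
#   sh onboard-azure-for-aperture.sh run <subscription-id> <resource-group> <storage-account> [retention-days]
# "aperture-scanner-EXAMPLE" below is a constructed placeholder display name.
set -eu

# --- Pure helpers (no Azure calls) ---------------------------------------

# Directory (tenant) IDs and Application IDs are GUIDs; check them before
# they are pasted into the Aperture "Connect to Account" form.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The storage diagnostic-settings retention slider accepts 1 to 365 days.
valid_retention_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 365 ]
}

# --- Azure helpers --------------------------------------------------------

# Look up a permission ID on a Microsoft API service principal by its value
# (e.g. User.Read.All). kind is Role (application) or Scope (delegated).
# Assumes the current CLI field names appRoles / oauth2PermissionScopes.
permission_id() {
  api_app_id="$1"; kind="$2"; value="$3"
  if [ "$kind" = "Role" ]; then field=appRoles; else field=oauth2PermissionScopes; fi
  az ad sp show --id "$api_app_id" --query "$field[?value=='$value'].id | [0]" -o tsv
}

onboard_azure_for_aperture() {
  sub_id="$1"; rg="$2"; storage_acct="$3"; retention_days="${4:-7}"  # 7 = page default
  valid_retention_days "$retention_days" || { echo "retention must be 1-365 days" >&2; return 1; }
  msgraph=00000003-0000-0000-c000-000000000000   # Microsoft Graph API
  aadgraph=00000002-0000-0000-c000-000000000000  # Windows Azure Active Directory API

  # Tenant ID = Directory ID (portal: Azure Active Directory > Properties).
  tenant_id="$(az account show --query tenantId -o tsv)"

  # Register the AAD application and create its service principal.
  app_id="$(az ad app create --display-name aperture-scanner-EXAMPLE --query appId -o tsv)"
  az ad sp create --id "$app_id" >/dev/null
  is_guid "$tenant_id" && is_guid "$app_id" || { echo "unexpected ID format" >&2; return 1; }

  # Least privilege: Reader on the subscription, but Key Operator only on the
  # storage account being scanned (the page allows either scope; this role can
  # list and regenerate account keys, so keep it as narrow as possible).
  # If this fails with "principal does not exist", AAD replication has not
  # caught up yet: wait a few seconds and rerun.
  az role assignment create --assignee "$app_id" --role Reader \
      --scope "/subscriptions/$sub_id" >/dev/null
  az role assignment create --assignee "$app_id" \
      --role "Storage Account Key Operator Service Role" \
      --scope "/subscriptions/$sub_id/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$storage_acct" >/dev/null

  # Microsoft Graph: "Read all users' full profiles" as application and delegated permission.
  az ad app permission add --id "$app_id" --api "$msgraph" \
      --api-permissions "$(permission_id "$msgraph" Role User.Read.All)=Role" \
                        "$(permission_id "$msgraph" Scope User.Read.All)=Scope"
  # Windows Azure AD: "Read directory data" (application), "Read all users' full profiles" (delegated).
  az ad app permission add --id "$app_id" --api "$aadgraph" \
      --api-permissions "$(permission_id "$aadgraph" Role Directory.Read.All)=Role" \
                        "$(permission_id "$aadgraph" Scope User.Read.All)=Scope"
  # Equivalent of Required Permissions > Grant Permissions (requires a directory admin).
  az ad app permission admin-consent --id "$app_id"

  # Application Key: a client secret with an explicit one-year lifetime. It is
  # shown only once, so paste it into Aperture and do not store it elsewhere.
  app_key="$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)"

  # Storage diagnostics (Monitoring > Diagnostic Settings) for the blob service,
  # so the iterative scan has logs and metrics to read.
  az storage logging update --account-name "$storage_acct" --services b \
      --log rwd --retention "$retention_days"
  az storage metrics update --account-name "$storage_acct" --services b \
      --api true --hour true --minute false --retention "$retention_days"

  printf 'Directory ID:    %s\nApplication ID:  %s\nApplication Key: %s\n' \
      "$tenant_id" "$app_id" "$app_key"
}

if [ "${1:-}" = "run" ]; then shift; onboard_azure_for_aperture "$@"; fi
```

The three values printed at the end are exactly what the Connect to Account form asks for. Scoping the Key Operator role to the single storage account, and giving the secret a one-year lifetime, are the two choices that most reduce the blast radius if the Application Key is ever exposed; rotate the key before it expires and update the Aperture app instance.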