Configure Cloud Storage on Microsoft Azure for Prisma Access (Cloud Managed)

Configure cloud storage on Microsoft Azure to save evidence for investigative analysis with Enterprise data loss prevention (DLP) for Prisma Access (Cloud Managed).
Microsoft Azure users can configure a storage account to automatically upload all files that match an Enterprise data loss prevention (DLP) data profile for Enterprise DLP deployed on Prisma Access (Cloud Managed).
To store your files scanned by the DLP cloud service, you must create a storage account and Identity and Access Management (IAM) role that allows the DLP cloud service access to automatically store files. Files uploaded to your storage account are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in depth investigation.
In case of connection issues to your storage account due to configuration error or change in settings, an email is automatically generated and sent to the admin that originally connected the Prisma Access (Cloud Managed) to the storage bucket and to the user who last modified the storage account connection settings on Prisma Access (Cloud Managed). This email is sent out every 48 hours until the connection is restored.
Files that are scanned by the DLP cloud service while Prisma Access (Cloud Managed) is disconnected from your storage account cannot be stored and are lost. This means that all impacted files are not available for download. However, all snippet data is preserved and can still be viewed on Prisma Access (Cloud Managed).
File storage automatically resumes after the connection status is restored.
  1. Log into the Microsoft Azure portal as an administrator.
    Administrator level privileges are required to successfully add the Enterprise DLP evidence storage application using Cloud Shell and to configure access to the storage account to enable file uploads by the DLP cloud service to save files for evidence analysis.
  2. (
    Optional
    ) From the portal menu, select
    Storage groups
    and
    Create
    a new storage group.
    You can also search for
    storage groups
    .
    The storage group is required to associate the storage account you create next for storing matched files.
    Skip this step if you have an existing resource group that you want to associate with the storage account.
  3. From the portal menu, select
    Storage accounts
    and
    Create
    a new storage account.
    You can also search for
    storage accounts
    .
  4. Obtain the App ID, Tenant ID, and blob service endpoint URL.
    This information is required to add the Palo Alto Networks Enterprise DLP application to your Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
    • Palo Alto Networks Enterprise DLP App ID
      - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
      The Palo Alto Networks Enterprise DLP app ID can be found in the DLP app on the hub (
      Settings
      Sensitive Data
      Configure Bucket
      Azure
      ).
    1. Obtain your Tenant ID.
      1. From the portal menu, select
        Azure Active Directory
        .
        You can also search for
        azure active directory
        .
      2. In the Basic Information section, copy the
        Tenant ID
        .
    2. Obtain the blob service endpoint URL.
      1. From the portal menu, select
        Storage accounts
        and select the storage account you will use to save files for evidence analysis.
      2. Select
        Settings
        Endpoints
        and copy the
        Block service
        endpoint URL.
  5. Add the Palo Alto Networks Enterprise DLP application.
    1. Open
      Cloud Shell
      .
      Click the Cloud Shell icon located in the top-right corner of the Microsoft Azure portal.
    2. Add the Palo Alto Networks Enterprise DLP application.
      Connect-AzureAD -TenantID <Your_Tenant_ID>
      New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
      It may take a few minutes for Microsoft Azure to add a new application to your Azure tenant.
    3. Close the Cloud Shell.
    4. Search for and select
      Enterprise applications
      .
    5. For the Application type, select
      All applications
      .
    6. Search for the
      Palo Alto Networks Enterprise DLP
      application name to verify you successfully added the application.
  6. Configure permissions for the Palo Alto Networks Enterprise DLP application.
    1. Select the
      Palo Alto Networks Enterprise DLP
      application name.
    2. Select
      Security
      Permissions
      and
      Grant Admin consent
      .
    3. Select the administrator email in the Microsoft login prompt that is displayed.
    4. Accept
      the permissions request to allow the Palo Alto Networks Enterprise DLP application to view your Azure storage accounts .
      It may take a few minutes for the permissions to be successfully granted to the Palo Alto Networks Enterprise DLP application.
      You still need to grant the Palo Alto Networks Enterprise DLP application permission to write to a specific storage account.
    5. Verify that the
      Azure Storage
      and
      Microsoft Graph
      API names are displayed in the Admin consent section.
    6. From the portal menu, select
      Storage accounts
      and select the storage account you want to use to save files for evidence analysis.
    7. Select
      Access Control (IAM)
      Add
      Add Role Assignment
      Storage Blob Data Owner
      and click
      Next
      .
    8. Select to assign access to
      User, group, or service principle
      and
      select members
      .
    9. Search and select the
      Palo Alto Networks Enterprise DLP
      application and
      Select
      the application.
    10. Review + assign
      to allow the Palo Alto Networks Enterprise DLP application to write to the storage account.
      It can take up to 10 minutes for the write permissions to be successfully granted to the Palo Alto Networks Enterprise DLP application.
  7. Configure the storage bucket for evidence file storage.
    1. Access to evidence storage settings and files on Prisma Access (Cloud Managed) is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      and select
      Azure
      as the Public Cloud Storage Bucket.
    3. Select
      Input Bucket Details
      .
    4. Enter Microsoft Azure Tenant ID.
    5. Enter the Storage Endpoint.
      This is the blob service endpoint URL that you gathered for the storage account.
    6. Connect
      the storage account and the DLP cloud service.
    7. View the
      Connection Status
      to verify that the DLP cloud service successfully connected to the storage account.
      Select
      Save
      if Prisma Access (Cloud Managed) can successfully connect your bucket. A
      connectiontest
      file is uploaded to your storage account by the DLP cloud service to verify connectivity.
      If Prisma Access (Cloud Managed) cannot successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    8. In the Store Sensitive Files settings, enable storage of sensitive files for Prisma Access (Cloud Managed).

Recommended For You