Onboard Azure Accounts for Agentless Scanning

Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without installing an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Prisma Cloud supports agentless scanning of Azure hosts, containers, and clusters for vulnerabilities and compliance. To learn more about how agentless scanning works, see How Agentless Scanning Works.
This guide enables agentless scanning for Prisma Cloud Compute Edition (PCCE, the self-hosted edition) in Azure. The following sections show you how to complete the required tasks.

Create a Role and a Service Principal in Azure

  1. Log in to Azure with the Azure CLI.
  2. Determine your subscription ID with the following Azure CLI command.
    az account subscription list
  3. Replace <subscriptionId> in the azureAgentlessPermissions.json file with your Azure subscription ID. The placeholder is in the "AssignableScopes": [ "/subscriptions/<subscriptionId>" ] element; keeping the assignable scope to the single subscription you scan is what prevents the custom role from being assigned anywhere else.
  4. Create the role from the JSON file with the following Azure CLI command.
    az role definition create --role-definition azureAgentlessPermissions.json
  5. Create a Service Principal that holds only that role, scoped to the subscription, with the following Azure CLI command. Recent Azure CLI releases mark --sdk-auth as deprecated but still accept it; it is the option that produces the JSON object in the next step.
    az ad sp create-for-rbac --name PCEE-Agentless --role "Prisma Cloud Compute Agentless Scanner" --scope /subscriptions/<subscriptionId> --sdk-auth
  6. Copy and save the returned JSON object for the Service Principal. The clientSecret is displayed only once and is the credential Console will use to scan the subscription, so store it in a secrets manager rather than in shell history or a ticket. Example output:
    {
      "clientId": "<clientId>",
      "clientSecret": "<clientSecret>",
      "subscriptionId": "<subscriptionId>",
      "tenantId": "<tenantId>",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
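The six steps above are typed into a shell one at a time, which is where the subscription ID gets mistyped into the role scope and the clientSecret gets left in a terminal. The script below is an added example, not Prisma Cloud's own tooling: it validates the subscription ID before substituting it into the role definition, runs the two az commands from the procedure, and writes the four values Console needs into a mode-0600 file without echoing the secret. The file names role.scoped.json and pcce-agentless.env, and the `run` argument that triggers the live az calls, are choices made here; the role and service principal names are the ones from the procedure.

```shell
#!/usr/bin/env bash
# Added example (not Prisma Cloud's own code): wraps the role and service-principal
# steps so the subscription ID is checked before it lands in AssignableScopes and
# the clientSecret printed by `az ad sp create-for-rbac --sdk-auth` is stored with
# restrictive permissions instead of lingering in scrollback.
set -eu

# Azure subscription IDs are GUIDs; reject anything else before it reaches sed/az.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Replace the <subscriptionId> placeholder in a role-definition template.
# Reads the template on stdin and writes the scoped definition to stdout.
scope_role_definition() {
  local sub="$1"
  is_guid "$sub" || { echo "not a subscription GUID: $sub" >&2; return 1; }
  sed "s#<subscriptionId>#${sub}#g"
}

# Extract a top-level string field from the JSON that --sdk-auth prints.
# Works line by line, so it handles both the pretty-printed and the one-line form;
# it assumes the values contain no escaped quotes (true for the fields used here).
json_field() {
  local key="$1"
  sed -nE "s/.*\"${key}\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*/\1/p"
}

# Store the four values Console needs in a file only the current user can read.
# The secret is deliberately never printed.
store_sp_credentials() {
  local json="$1" out="$2"
  local cid sec sub tid
  cid=$(printf '%s' "$json" | json_field clientId)
  sec=$(printf '%s' "$json" | json_field clientSecret)
  sub=$(printf '%s' "$json" | json_field subscriptionId)
  tid=$(printf '%s' "$json" | json_field tenantId)
  if [ -z "$cid" ] || [ -z "$sec" ] || [ -z "$sub" ] || [ -z "$tid" ]; then
    echo "service principal JSON is missing a required field" >&2
    return 1
  fi
  ( umask 077
    printf 'AZURE_CLIENT_ID=%s\nAZURE_CLIENT_SECRET=%s\nAZURE_SUBSCRIPTION_ID=%s\nAZURE_TENANT_ID=%s\n' \
      "$cid" "$sec" "$sub" "$tid" > "$out" )
  echo "stored credentials for clientId $cid in $out (secret not displayed)"
}

# Live run: requires a logged-in Azure CLI and azureAgentlessPermissions.json in cwd.
# Invoke as: ./onboard.sh run <subscriptionId>
onboard() {
  local sub="$1"
  scope_role_definition "$sub" < azureAgentlessPermissions.json > role.scoped.json
  az role definition create --role-definition role.scoped.json
  local sp_json
  sp_json=$(az ad sp create-for-rbac --name PCEE-Agentless \
    --role "Prisma Cloud Compute Agentless Scanner" \
    --scope "/subscriptions/${sub}" --sdk-auth)
  store_sp_credentials "$sp_json" ./pcce-agentless.env
}

if [ "${1:-}" = "run" ]; then
  onboard "$2"
fi
```

The functions are separated from the live `onboard` path so the parsing and file-permission logic can be exercised without an Azure login; the .env file is what you then paste into Console's service key fields and delete afterwards.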

Configure Agentless Scanning

Complete the agentless scanning configuration for your Azure accounts.

Configure Managed Identities for Azure

Onboarding your Azure cloud account with the Managed Identity authentication method lets Console access Azure resources that support Azure AD authentication without storing service principal keys in Prisma Console.

Create a Managed Identity in Azure

There are two types of managed identities: System-assigned and User-assigned.
Prerequisites:
  • Create a VM in Azure.
  • Install Console and Defender on the VM in Azure; Console and Defender must use the same version.
  • Assign Azure roles to the managed identity. The minimum required role is Contributor. Contributor is a broad built-in role, so assign it at the narrowest scope that still covers the workloads you scan (the subscription, or a resource group) rather than at the tenant or management-group level.
  1. To enable a system-assigned managed identity:
    1. Sign in to the Azure Portal.
    2. Go to your virtual machine and select Identity.
    3. Under System assigned, set Status to On.
    4. Select Azure role assignments and assign a role; the minimum required role is Contributor.
    5. Click Save.
  2. To enable a user-assigned managed identity:
    1. Sign in to the Azure Portal.
    2. Create a user-assigned managed identity in the same resource group as the VM, and assign it the Contributor role at the required scope.
    3. Go to your virtual machine and select Identity.
    4. Under User assigned, select Add user assigned managed identity and choose the identity you created.
    5. Click Add.
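The portal steps above map onto a handful of Azure CLI calls, which is easier to review and repeat across subscriptions. The script below is an added example, not Prisma Cloud's own tooling: it builds the ARM resource ID of a user-assigned identity and the role-assignment scope as plain functions, then uses them in two live paths (system-assigned and user-assigned) that require a logged-in Azure CLI. The resource group, VM and identity names are arguments you supply; the `system` and `user` sub-commands are a convention chosen here.

```shell
#!/usr/bin/env bash
# Added example (not Prisma Cloud's own code): Azure CLI equivalent of the
# portal steps for enabling a system- or user-assigned managed identity on the
# Console VM and granting it the Contributor role the page requires.
set -eu

# ARM resource ID of a user-assigned managed identity (format fixed by Azure).
identity_resource_id() {
  local sub="$1" rg="$2" name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' \
    "$sub" "$rg" "$name"
}

# Scope for the role assignment. Contributor is the page's minimum role; keep the
# scope as narrow as the scanned workloads allow: a resource group if they all
# live in one, otherwise the subscription. Never the tenant root.
assignment_scope() {
  local sub="$1" rg="${2:-}"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Grant Contributor to a principal (object ID) at the chosen scope.
grant_contributor() {
  local principal="$1" scope="$2"
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role Contributor --scope "$scope"
}

# System-assigned: switch the VM identity on, read back its principal ID, grant the role.
# Console then only needs the subscription ID.
enable_system_assigned() {
  local sub="$1" rg="$2" vm="$3"
  az vm identity assign --resource-group "$rg" --name "$vm" --identities '[system]' >/dev/null
  local principal
  principal=$(az vm show --resource-group "$rg" --name "$vm" --query identity.principalId -o tsv)
  grant_contributor "$principal" "$(assignment_scope "$sub")"
}

# User-assigned: create the identity in the VM's resource group, attach it to the VM,
# grant the role, and print the client ID that Console asks for.
enable_user_assigned() {
  local sub="$1" rg="$2" vm="$3" name="$4"
  az identity create --resource-group "$rg" --name "$name" >/dev/null
  local principal
  principal=$(az identity show --resource-group "$rg" --name "$name" --query principalId -o tsv)
  az vm identity assign --resource-group "$rg" --name "$vm" \
    --identities "$(identity_resource_id "$sub" "$rg" "$name")" >/dev/null
  grant_contributor "$principal" "$(assignment_scope "$sub")"
  az identity show --resource-group "$rg" --name "$name" --query clientId -o tsv
}

# Usage: ./mi.sh system <subscriptionId> <resourceGroup> <vmName>
#        ./mi.sh user   <subscriptionId> <resourceGroup> <vmName> <identityName>
case "${1:-}" in
  system) enable_system_assigned "$2" "$3" "$4" ;;
  user)   enable_user_assigned "$2" "$3" "$4" "$5" ;;
esac
```

Newly created role assignments can take a short while to propagate, so if the first agentless scan reports an authorization error right after running this, retry before changing the role.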

Configure Azure Managed Identity in Prisma

Prerequisite:
  • Create a Managed Identity in Azure.
  1. Go to Manage > Cloud accounts > Add account.
  2. Select Azure as the cloud provider.
  3. Select your Region type.
  4. Specify an Account Name.
  5. Add a Description (optional).
  6. Select Managed Identity as the Authentication method, then select the Managed Identity type:
    1. System Assigned: enter your Subscription ID.
    2. User Assigned: enter your Subscription ID and Client ID.
  7. Select Next and complete the setup.

Start an Agentless Scan

Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
  1. Go to Manage > Cloud accounts.
  2. Click the scan icon in the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Monitor > Vulnerabilities > Hosts or Monitor > Vulnerabilities > Images.
    2. Click the Filter hosts text bar.
    3. Select the Scanned by filter.
    4. Select the Agentless filter.
