Prisma Cloud Compute Edition Administrator’s Guide
    : Onboard Azure Accounts for Agentless Scanning
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Agentless Scanning
    6. Onboard Accounts for Agentless Scanning
    7. Onboard Azure Accounts for Agentless Scanning
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Onboard Azure Accounts for Agentless Scanning

    Table of Contents

    Onboard Azure Accounts for Agentless Scanning

    Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without having to install an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless and agent-based security using Defenders. Prisma Cloud supports agentless scanning on Azure hosts, containers, and clusters for vulnerabilities and compliance. To learn more about how agentless scanning works, see the How Agentless Scanning Works?
    This guide enables Agentless scanning for Prisma Cloud Compute Edition (PCCE or self-hosted) in Azure. The procedure shows you how to complete the following tasks.

    Create a Role and a Service Principal in Azure

    1. Log in to Azure with the Azure CLI.
    3. Determine your subscriptionId with the following Azure CLI command.
      az account subscription list
    4. Replace <subscriptionId> in the azureAgentlessPermissions.json file with your Azure subscriptionId. You can find the field under the "AssignableScopes": [ "/subscriptions/<subscriptionId>"] element.
    5. Create the role using the JSON file with the following Azure CLI command.
      az role definition create --role-definition azureAgentlessPermissions.json
    6. Create a Service Principal account with the following Azure CLI command.
      az ad sp create-for-rbac --name PCEE-Agentless --role "Prisma Cloud Compute Agentless Scanner" --scope /subscriptions/<subscriptionId> --sdk-auth
    7. Copy and save the returned JSON object for the Service Principal, for example:
      {
  "clientId": "<clientId>",
  "clientSecret": "<clientSecret>",
  "subscriptionId": "<subscriptionId>",
  "tenantId": "<tenantId>",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

    Configure Agentless Scanning

    Complete the agentless scanning configuration for your Azure accounts.

    Configure Managed Identities for Azure

    Onboard your Azure Cloud account using Managed Identity authentication method to access Azure resources that support AD authentication without adding the service keys in Prisma Console.

    Create a Managed Identity in Azure

    There are two types of managed identities:
    System-assigned
     and
    User-assigned
    .
    Prerequisites
    :
    • Create a VM in Azure.
    • Install Console and Defender on the VM in Azure and both the Console and the Defender must use the same version.
    • Assign Azure roles to a managed identity. The minimum required permission role is "Contributor".
    1. To enable System assigned managed identity:
      1. Sign in to the Azure Portal.
      2. Go to your Virtual Machine and select
        Identity
        .
      3. Under
        System assigned, Status
         select
        On
        .
      4. Select the
        Azure role assignments
        , the minimum required permission
        Role
         is
        Contributor
        .
      5. Click
        Save
        .
    2. To enable User assigned managed identity:
      1. Sign in to the Azure Portal.
      2. Create a user-assigned managed identity in the same Resource group as the VM.
      3. Go to your Virtual Machine and select
        Identity
        .
      4. Add the role you created under
        Add user assigned managed identity
        .
      5. Click
        Add
        .

    Configure Azure Managed Identity in Prisma

    Prerequisite
    :
    • Create a Managed Identity in Azure.
    1. Go to
      Manage > Cloud accounts > Add account
      .
    2. Select cloud provider
       as Azure.
    3. Select your
      Region type
      .
    4. Specify an
      Account Name
      .
    5. Add a
      Description
      , this is optional.
    6. Select the
      Authentication method
       as
      Managed Identity
      .
      1. Select the
        Managed Identity type
        .
        1. System Assigned
          : Enter your
          Subscription ID
        2. User Assigned
          : Enter your
          Subscription ID
           and
          Client ID
          .
    7. Select
      Next
       and complete the setup.

    Start an Agentless Scan

    Agentless scans start immediately after onboarding the cloud account. By default, agentless scans are performed every 24 hours, but you can change the interval on the
    Manage > System > Scan
     page under
    Scheduling > Agentless
    .
    To manually start a scan, complete the following steps.
    1. Go to
      Manage > Cloud accounts
      .
    2. Click the scan icon on the top right corner of the accounts table.
    3. Click
      Start Agentless scan
      .
    4. Click the scan icon in the top right corner of the console to view the scan status.
    5. View the results.
      1. Go to
        Monitor > Vulnerabilities > Hosts
         or
        Monitor > Vulnerabilities > Images
        .
      2. Click on the
        Filter hosts
         text bar.
      3. Select the
        Scanned by
         filter.
      4. Select the
        Agentless
         filter.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.