Onboard Azure Accounts for Agentless Scanning

Agentless scanning lets you inspect a cloud workload for risks and vulnerabilities without installing an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless scanning and agent-based security with Defenders. Currently, Prisma Cloud supports agentless scanning of Azure hosts, containers, and clusters for vulnerabilities and compliance. To learn more about how agentless scanning works, refer to the article on Agentless scanning architecture.
This guide describes how to enable agentless scanning for Prisma Cloud Enterprise Edition (PCEE, the SaaS edition) in Azure. The procedure covers the following tasks.

Get the Needed Azure Account Details

  1. Log in to Azure with the Azure CLI.
  2. Query Azure for your tenant and subscription IDs.
    az account list
  3. Copy the output, which is a list of subscription entries similar to the following example. In the entry for the subscription you want to onboard, identify the tenantId (the tenant ID) and the id (the subscription ID).
    {
      "cloudName": "AzureCloud",
      "homeTenantId": <This value is not needed>,
      "id": <This is the subscription ID>,
      "isDefault": true,
      "managedByTenants": [],
      "name": "Azure",
      "state": "Enabled",
      "tenantId": <This is the tenant ID>,
      "user": {
        "name": "jdoe@example.onmicrosoft.com",
        "type": "user"
      }
    }
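When a login has access to several subscriptions, `az account list` prints several entries and it is easy to copy the IDs from the wrong one. The following script is an added example, not part of the Prisma Cloud documentation or tooling: it parses the `az account list` JSON, picks the subscription to onboard (the CLI default, or one named on the command line), refuses subscriptions that are not Enabled, checks that both values are GUIDs, and flags a subscription whose tenantId differs from its homeTenantId (you are reaching it through a tenant other than its home directory). The JSON sample and its GUIDs are constructed placeholders, and the field checks beyond the page's own tenantId/id lookup are this example's additions.

```python
"""Pick the Directory (Tenant) ID and Subscription ID to enter in Prisma Cloud.

Added example; not from the Prisma Cloud documentation. Parses the JSON that
`az account list` prints (a list of subscription objects).
Usage against live output:  az account list | python3 select_subscription.py
With no piped input it runs against the constructed sample below.
"""
import json
import re
import sys
from typing import Optional

# Azure tenant and subscription IDs are GUIDs; reject anything else so a
# copy-paste mistake is caught before it reaches the console form.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample in the shape of `az account list` output. All GUIDs are
# placeholders, not real identifiers.
SAMPLE_OUTPUT = json.dumps([
    {
        "cloudName": "AzureCloud",
        "homeTenantId": "11111111-1111-1111-1111-111111111111",
        "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "isDefault": False,
        "managedByTenants": [],
        "name": "Sandbox",
        "state": "Disabled",
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "user": {"name": "jdoe@example.onmicrosoft.com", "type": "user"},
    },
    {
        "cloudName": "AzureCloud",
        "homeTenantId": "11111111-1111-1111-1111-111111111111",
        "id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        "isDefault": True,
        "managedByTenants": [],
        "name": "Production",
        "state": "Enabled",
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "user": {"name": "jdoe@example.onmicrosoft.com", "type": "user"},
    },
])


def select_subscription(az_output: str, name: Optional[str] = None) -> dict:
    """Return the subscription entry to onboard.

    With `name`, pick the subscription of that name; otherwise pick the CLI's
    default subscription (isDefault). Exactly one match is required, and the
    subscription must be Enabled so you do not onboard a disabled one.
    """
    accounts = json.loads(az_output)
    if name is not None:
        candidates = [a for a in accounts if a.get("name") == name]
    else:
        candidates = [a for a in accounts if a.get("isDefault")]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one matching subscription, found {len(candidates)}")
    account = candidates[0]
    if account.get("state") != "Enabled":
        raise ValueError(f"subscription {account.get('name')!r} is {account.get('state')}, not Enabled")
    return account


def onboarding_ids(az_output: str, name: Optional[str] = None) -> dict:
    """Return the two values for the Configure Account page, plus any warnings."""
    account = select_subscription(az_output, name)
    tenant_id = account["tenantId"]   # goes in the Directory (Tenant) ID field
    subscription_id = account["id"]   # goes in the Subscription ID field
    for label, value in (("tenantId", tenant_id), ("id", subscription_id)):
        if not isinstance(value, str) or not GUID_RE.match(value):
            raise ValueError(f"{label} {value!r} is not a GUID")
    warnings = []
    # Added check: tenantId is the directory you signed in through, homeTenantId
    # the directory that owns the subscription. If they differ, confirm which
    # directory Prisma Cloud's Terraform script should create its identity in.
    if account.get("homeTenantId") and account["homeTenantId"] != tenant_id:
        warnings.append("tenantId differs from homeTenantId; confirm the directory before onboarding")
    return {"tenant_id": tenant_id, "subscription_id": subscription_id, "warnings": warnings}


def is_onboardable(az_output: str, name: Optional[str] = None) -> bool:
    """True if onboarding_ids() would accept the selected subscription."""
    try:
        onboarding_ids(az_output, name)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    ids = onboarding_ids(data if data.strip() else SAMPLE_OUTPUT,
                         sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"Directory (Tenant) ID: {ids['tenant_id']}")
    print(f"Subscription ID:       {ids['subscription_id']}")
    for warning in ids["warnings"]:
        print("WARNING:", warning)
```

Run it with the live CLI output piped in, optionally naming the subscription as the first argument; the two printed values are what the Configure Account page asks for.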

Onboard Azure Cloud Account

  1. Log in to the Prisma Cloud administrative console.
  2. Select Settings > Cloud Accounts.
  3. Click Add Cloud Account.
  4. Select the Azure tile.
  5. Provide the following information on the Get Started page.
    1. Account Name: A unique name for your Azure tenant in Prisma Cloud.
    2. Onboard: Select Azure Subscription.
    3. Azure Cloud Type: Choose either Commercial or Government.
  6. Click Next.
  7. Select the Security Capabilities you need. Agentless Scanning and Serverless Function Scanning are enabled by default.
  8. Click Next.
  9. Provide the following information on the Configure Account page.
    1. Enter the value of the tenantId field from the Azure CLI output as the Directory (Tenant) ID.
    2. Enter the value of the id field from the Azure CLI output as the Subscription ID.
  10. Click Next.
  11. Complete the following steps to provide the information needed on the Account Details page.
    1. Click Download Terraform Script and save the script on a system that has Terraform installed and is authenticated to Azure through the Azure CLI.
    2. On that system, initialize the script with the following command.
      terraform init
    3. Apply the script with the following command. Review the planned changes and confirm when prompted.
      terraform apply
    4. Use the values that Terraform outputs after the apply completes to fill in the fields on the Account Details page.
  12. On the Assign Account Groups page, select the account group in Prisma Cloud to associate with your Azure tenant.
  13. Click Save.

Configure Agentless Scanning

  1. Log in to the Prisma Cloud administrative console.
  2. Select Compute > Manage > Cloud Accounts.
  3. Click the edit button for your cloud account.
  4. Go to the Agentless Scanning section.
  5. Expand Advanced settings and provide the following information.
    1. Enable Permissions check to verify that the custom role permissions are correct before a scan runs.
    2. Enter a Proxy value if traffic leaving your Azure tenant goes through a proxy.
    3. Under Scan scope, choose All regions to scan for VMs in all Azure regions, or choose Custom regions and enter the Azure regions in which you want Prisma Cloud to scan for VMs.
    4. Enter tags under Exclude VMs by tags to further limit the scope of the scan.
    5. Choose whether or not to Scan non-running hosts.
    6. Choose whether or not to enable Auto-scale scanning. If you disable auto-scaling, specify the number of scanners Prisma Cloud should use.
    7. Enter the Security group ID and Subnet ID that were created to allow the Prisma Cloud console to communicate with Azure. If you leave these blank, the resource group that is created is named PCCAgentlessScanResourceGroup and the security group that is created is named PCCAgentlessScanSecurityGroup by default.
  6. Click Next.
  7. On the Discovery features page, leave the Cloud discovery settings unchanged.
  8. Click Save.

Start an Agentless Scan

Agentless scans start immediately after you onboard the cloud account. By default, agentless scans run every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To start a scan manually, complete the following steps.
  1. Go to Compute > Manage > Cloud accounts.
  2. Click the scan icon in the top right corner of the accounts table.
  3. Click Start Agentless scan.
  4. Click the scan icon in the top right corner of the console to view the scan status.
  5. View the results.
    1. Go to Compute > Monitor > Vulnerabilities > Hosts or Compute > Monitor > Vulnerabilities > Images.
    2. Click the Filter hosts text bar.
    3. Select the Scanned by filter.