Onboard Azure Accounts for Agentless Scanning
Agentless scanning lets you inspect the risks and vulnerabilities of a cloud workload without installing an agent or affecting the execution of the workload. Prisma Cloud gives you the flexibility to choose between agentless scanning and agent-based security using Defenders. Currently, Prisma Cloud supports agentless scanning of Azure hosts, containers, and clusters for vulnerabilities and compliance. To learn more about how agentless scanning works, refer to the article on agentless scanning architecture.
This guide describes how to enable agentless scanning for Prisma Cloud Enterprise Edition (PCEE or SaaS) in Azure.
The procedure shows you how to complete the following tasks.
- Get the needed Azure account details
- Onboard the Azure cloud account
- Configure agentless scanning
- Start an agentless scan
Get the Needed Azure Account Details
- Log in to Azure with the Azure CLI.
- Query Azure for your tenant and subscription IDs.

      az account list

  The output for each subscription looks like the following. Use the value of id as the subscription ID and the value of tenantId as the tenant ID; homeTenantId is not needed.

      {
        "cloudName": "AzureCloud",
        "homeTenantId": "<This value is not needed>",
        "id": "<This is the subscription ID>",
        "isDefault": true,
        "managedByTenants": [],
        "name": "Azure",
        "state": "Enabled",
        "tenantId": "<This is the tenant ID>",
        "user": {
          "name": "jdoe@example.onmicrosoft.com",
          "type": "user"
        }
      }
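When a user can see several subscriptions, or several tenants, reading the IDs off the console by eye is where onboarding mistakes happen. The following Python script is added here as an example and is not part of the original guide or of Prisma Cloud's tooling. It picks the subscription and tenant IDs out of saved az account list output (the JSON sample below is constructed for the example, GUIDs included), refuses a disabled subscription, an ambiguous match or a non-GUID value, and maps the CLI's cloudName to the Commercial/Government choice on the Get Started page; that mapping and the function name are assumptions of the example.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample of `az account list` output for this example (the GUIDs
# are made up): two subscriptions in the home tenant, one of them disabled,
# plus a subscription in a second tenant that the same user can see.
SAMPLE_AZ_ACCOUNT_LIST = """
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "11111111-1111-1111-1111-111111111111",
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Azure-old",
    "state": "Disabled",
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "user": {"name": "jdoe@example.onmicrosoft.com", "type": "user"}
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "11111111-1111-1111-1111-111111111111",
    "id": "aaaaaaaa-0000-0000-0000-000000000002",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Azure",
    "state": "Enabled",
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "user": {"name": "jdoe@example.onmicrosoft.com", "type": "user"}
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "11111111-1111-1111-1111-111111111111",
    "id": "bbbbbbbb-0000-0000-0000-000000000003",
    "isDefault": false,
    "managedByTenants": [],
    "name": "Partner",
    "state": "Enabled",
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "user": {"name": "jdoe@example.onmicrosoft.com", "type": "user"}
  }
]
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Assumed mapping from the Azure CLI cloud name to the Azure Cloud Type choice
# on the Get Started page (Commercial or Government).
CLOUD_TYPE = {"AzureCloud": "Commercial", "AzureUSGovernment": "Government"}


def onboarding_ids(az_account_list_json: str,
                   subscription_name: Optional[str] = None) -> Dict[str, str]:
    """Return the values to enter on the Get Started and Account Details pages.

    Selects the subscription by name when one is given, otherwise the CLI's
    current default (isDefault). Rejects disabled subscriptions, ambiguous
    matches, unsupported clouds and non-GUID IDs so that a stale CLI context
    or a copy-paste slip is caught before the tenant is onboarded.
    """
    accounts: List[dict] = json.loads(az_account_list_json)
    if subscription_name is not None:
        chosen = [a for a in accounts if a.get("name") == subscription_name]
    else:
        chosen = [a for a in accounts if a.get("isDefault")]
    if len(chosen) != 1:
        raise ValueError(f"expected exactly one matching subscription, found {len(chosen)}")
    acct = chosen[0]
    if acct.get("state") != "Enabled":
        raise ValueError(f"subscription {acct.get('name')!r} is {acct.get('state')}, not Enabled")
    if acct.get("cloudName") not in CLOUD_TYPE:
        raise ValueError(f"cloud {acct.get('cloudName')!r} is not Commercial or Government")
    # tenantId is the tenant that owns the subscription; homeTenantId is only
    # where the signed-in user lives and is not needed for onboarding.
    ids = {"subscription_id": acct["id"], "tenant_id": acct["tenantId"]}
    for label, value in ids.items():
        if not GUID_RE.match(value):
            raise ValueError(f"{label} {value!r} is not a GUID")
    ids["cloud_type"] = CLOUD_TYPE[acct["cloudName"]]
    return ids


if __name__ == "__main__":
    # Typical use: az account list > accounts.json, then feed that file in.
    print(json.dumps(onboarding_ids(SAMPLE_AZ_ACCOUNT_LIST), indent=2))
```

Pass a subscription name when the CLI default is not the one you intend to onboard; the script then fails loudly instead of silently returning the home tenant's IDs for a subscription that lives in another tenant.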
Onboard Azure Cloud Account
- Log in to the Prisma Cloud administrative console.
- Select Settings > Cloud Accounts.
- Click Add Cloud Account.
- Select the Azure tile.
- Provide the following information on the Get Started page.
- Account Name: A unique identity for your Azure tenant in Prisma Cloud.
- Onboard: Select Azure Subscription.
- Azure Cloud Type: Choose either Commercial or Government.
- Click Next.
- Select the Security Capabilities you need. Agentless Scanning and Serverless Function Scanning are enabled by default.
- Click Next.
- Click Next.
- Complete the following steps to provide the information needed on the Account Details page.
- Click Download Terraform Script and save the script to a system that has Terraform installed and is authenticated to Azure via the Azure CLI.
- On that system, initialize the script with the following command.

      terraform init

  Apply the script with the following command. Review the resources and role assignments Terraform plans to create before you confirm, because they are what grants Prisma Cloud its access to your tenant.

      terraform apply

  Capture the values shown in the output and use them to fill out the information on the Account Details page.
- Optionally, check the Ingest and Monitor Network Security Group Flow Logs option if you want to investigate network incidents.
- On the Assign Account Groups page, select the account group in Prisma Cloud to associate with your Azure tenant.
- Click Save.
Configure Agentless Scanning
- Log in to the Prisma Cloud administrative console.
- Select Compute > Manage > Cloud Accounts.
- Click the edit button of your cloud account.
- Go to the Agentless Scanning section.
- Expand the Advanced settings and provide the following information.
- Enable Permissions check to verify that the custom role permissions are correct before running a scan.
- Enter a Proxy value if traffic leaving your Azure tenant goes through a proxy.
- Under Scan scope, choose All regions to scan for VMs in all Azure regions, or choose Custom regions and enter the Azure regions in which you want Prisma Cloud to scan for VMs.
- Enter tags under Exclude VMs by tags to further limit the scope of the scan.
- Choose whether or not to Scan non-running hosts.
- Choose whether or not to enable Auto-scale scanning. If you disable auto-scale, specify the number of scanners Prisma Cloud should use.
- Enter the Security group ID and Subnet ID of the resources created to allow communication between the Prisma Cloud console and the scanners in your Azure tenant. If left blank, Prisma Cloud creates them: the default name of the resource group is PCCAgentlessScanResourceGroup and the default name of the security group is PCCAgentlessScanSecurityGroup.
- Click Next.
- On the Discovery features page, leave the Cloud discovery settings unchanged.
- Click Save.
Start an Agentless Scan
Agentless scans start immediately after onboarding the cloud account.
By default, agentless scans are performed every 24 hours, but you can change the interval on the Manage > System > Scan page under Scheduling > Agentless.
To manually start a scan, complete the following steps.
- Go to Compute > Manage > Cloud accounts.
- Click the scan icon in the top right corner of the accounts table.
- Click Start Agentless scan.
- Click the scan icon in the top right corner of the console to view the scan status.
- View the results.
- Go to Compute > Monitor > Vulnerabilities > Hosts or Compute > Monitor > Vulnerabilities > Images.
- Click the Filter hosts text bar.
- Select the Scanned by filter.