Add Azure Commercial Subscription on Prisma Cloud

Access Prisma Cloud and select

Settings

Cloud Accounts

Add New

.

Select

Azure

as the

Cloud to Secure

.

Provide the basic details of the Azure account. On the

Get Started

page:

Enter a descriptive

Cloud Account Name

. Replace the auto-populated Cloud Account Name with one that will uniquely identify your Azure subscription on Prisma Cloud.

Onboard

an Azure

Subscription

or

Tenant

.

Select

Commercial

for the

Azure Cloud Type

.



On the

Security Capabilities and Permissions

page, you have the option to enable permissions for the following additional capabilities. Based on your selection, Prisma Cloud dynamically generates a Terraform template that includes the associated permissions for the Prisma Cloud role. Prisma Cloud Role provides permissions for security capabilities required. By default, the role provides permissions for cloud discovery for resources and workloads, misconfiguration detection, and threat detection.

Agentless Workload Scanning and Serverless Function Scanning are enabled by default. Workload Discovery is also automatically enabled to help you identify all the cloud-native services used on your cloud account. By default, the Prisma Cloud role is granted the appropriate permissions to monitor your cloud account.



Enable and add permissions for
Agentless Workload Scanning
to scan hosts and containers for vulnerabilities and compliance risks without having to install a Defender. Scans start automatically once an account is onboarded. You can also update the scanning configuration for Agentless scans.
Enable and add permissions for
Serverless Function Scanning
to scan cloud provider functions like AWS Lambda, Azure and Google functions for vulnerabilities and compliance. Scans are automatically initiated once an account is onboarded. You can also update the scanning configuration for Serverless scans.
Add permissions needed for
Agent-Based Workload Protection
. The permissions allow for automated deployment of Defenders to provide protection to secure cloud VMs, containers and Kubernetes orchestrators. Registry scanning, Kubernetes audits and other features required by defenders are also enabled.
Enable Data Security to scan your resources to prevent data leaks. This is not enabled by default. After you onboard your account, further configuration is required to enable data scans.
Enable
Remediation
to address policy violations reported for remediable Configuration policies on Prisma Cloud. This is not enabled by default. When enabled, the Prisma Cloud role gets read-write access permissions to your Azure cloud account to successfully execute remediation commands.
Once your Azure account is onboarded on Prisma Cloud, the account is automatically available in Compute and enabled for Workload Discovery and Serverless function scans. You can also review the permissions required for individual security capabilities.

Enter your Directory (Tenant) ID and Subscription ID.

Prisma Cloud requires your Azure

Subscription ID

so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Your

Directory (Tenant) ID

identifying your tenant is also required.

Get the directory tenant id

—In your Azure portal, click

Properties

and copy the

Tenant ID

.

Get the subscription id

—In your Azure portal, select

All resources

(Your Azure subscription)

, and then copy

Subscription ID

.



Download the Terraform script to a system that has terraform installed and authenticated to Azure via the Azure CLI.

Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Azure subscription to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you’re using it (for example, onboard-<subscription-name>).

Run the command
terraform init
.
Next, run the command
terraform apply
and click
Confirm
.
Populate the accounts fields
Application Client Secret
,
Application (Client) ID
, and the
Enterprise Application Object ID
with details from the Terraform template output.

Select
Ingest & Monitor Network Security Group flow logs
to enable network incident investigations and click
Next
.
Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. You must first configure Network Security Groups on Azure and assign a storage account to enable Flow log ingestion on Prisma Cloud. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. If you want to enable flow log ingestion, you must complete the tasks outlined in Step 9 in Register an App on Azure Active Directory. If you enable this option without setting it up on the Azure portal, Prisma Cloud will not be able to retrieve any Flow logs.

Select the

Account Groups

you want to add and click

Next

.



You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.

Click

Save

.

If Prisma Cloud is able to successfully connect to your Azure subscription and retrieve information, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.

Verify that you can view the information on your Azure resources on Prisma Cloud.

Depending on the number of resources in the accounts onboarded the data that was collected about your Azure resources can take up until a hour to display. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.

It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the previous seven days from when you onboard the account.

Log in to Prisma Cloud.

Select

Investigate

and enter the following RQL query.

This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment. Replace

‘<cloud account name>’

with the name of your actual cloud account.

network from vpc.flow_record where cloud.account = '<cloud account name>' AND source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs' ) AND bytes > 0