Add an Azure Subscription on Prisma Cloud

Connect your Azure commercial or Government subscription on Prisma Cloud to analyze traffic logs and monitor resources for potential security and compliance issues.
Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs, and to detect potentially malicious network activity or compliance issues. To enable API access between Prisma Cloud and your Microsoft Azure subscription, you need to gather account information about your subscription and Azure Active Directory so that Prisma Cloud can monitor the resources in your cloud account. You add one subscription at a time.
If you are adding an Azure commercial account, this workflow uses Terraform templates to streamline the setup process. The template automates registering Prisma Cloud as an application in your Azure Active Directory, creating the Service Principal, and associating the roles required to enable authentication.
If you are adding an Azure Government or Azure China subscription, you must complete some tasks manually on the Azure portal.

Add Azure Commercial Subscription to Prisma Cloud

  1. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
  2. Select Azure as the Cloud to Protect.
  3. Enter a Cloud Account Name.
    A cloud account name is auto-populated for you. You can replace it with a cloud account name that uniquely identifies your Azure subscription on Prisma Cloud.
  4. Select the Mode.
    Decide whether to enable permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the custom role required for Prisma Cloud.
  5. Register Prisma Cloud as an application on your Azure Active Directory.
    Prisma Cloud requires your Azure Subscription ID so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the Directory ID, Application ID, Application Key, and Service Principal ID to establish the connection between Prisma Cloud and Azure Active Directory so that it can access the resources in your subscription.
    1. Fill out the details to set up Prisma Cloud on your Azure subscription and click Next.
      From the Azure portal, get your Azure Active Directory ID (referred to as the Tenant ID on Prisma Cloud) and your Azure Subscription ID. You must also choose a Service Principal password. Use a strong password that meets the Azure password complexity guidelines. If you later change this password on the Azure portal, you must manually update the password on Prisma Cloud.
      The Terraform template uses the values you enter as inputs to automate the process of setting up the custom role with the permissions associated with the Monitor or Monitor & Protect mode you selected earlier.
    2. Download the Terraform template.
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Azure subscription to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
    3. Log in to the Azure portal Cloud Shell (Bash).
    4. Upload the template to the Cloud Shell.
    5. Run the following Terraform commands.
      1. terraform init
      2. terraform apply
    6. Copy the details after applying the Terraform template.
      Get the Application Key, Application ID, and the Service Principal Object ID from the output file.
  6. Select Ingest & Monitor Network Security Group flow logs and click Next.
    Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. You must first configure Network Security Groups on Azure and assign a storage account to enable flow log ingestion on Prisma Cloud. Make sure that Azure flow logs are stored in a storage account in the same region as the NSG. If you want to enable flow log ingestion, you must complete the tasks outlined in Step 6 to Step 10 in Set Up Your Azure Subscription for Prisma Cloud. If you enable this option without setting it up on the Azure portal, Prisma Cloud will not be able to retrieve any flow logs.
  7. Select the Account Groups you want to add and click Next.
    You must assign each cloud account to an account group, and then Create an Alert Rule to associate the account group with it, so that alerts are generated when a policy violation occurs.
  8. Verify the Status and click Done.
    If Prisma Cloud is able to successfully connect to your Azure subscription and retrieve information, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
  9. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Wait approximately 10-24 hours after you onboard the Azure subscription to Prisma Cloud before you review the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
    It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the seven days before you onboard the account.
    1. Log in to Prisma Cloud.
    2. Select Investigate and enter the following RQL query.
      This query lists all network traffic from Internet or Suspicious IP addresses with more than 0 bytes of data transferred to a network interface on any resource in any cloud environment.
      network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0

Add Azure Government Subscription to Prisma Cloud

Connect your Azure Government subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
  1. Add your Azure subscription on Prisma Cloud.
    1. Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
    2. Enter a Cloud Account Name.
    3. Select Cloud Type Azure and the Government environment where your resources are deployed, and click Next.
    4. Enter your Azure Subscription ID, Active Directory ID, Application ID, Application Key, and Service Principal ID.
    5. Select Ingest & Monitor Network Security Group flow logs and click Next.
      Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure flow logs are stored in a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the setup details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
    6. Select the Account Groups you want to add and click Next.
      You must assign each cloud account to an account group, and then Create an Alert Rule to associate the account group with it, so that alerts are generated when a policy violation occurs.
    7. Verify the Status and click Done to save your changes.
      If Prisma Cloud was able to successfully make an API request to retrieve the Azure flow logs, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
  2. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Wait approximately 10-24 hours after you onboard the Azure subscription to Prisma Cloud before you review the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
    It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the seven days before you onboard the account.
    1. Log in to Prisma Cloud.
    2. Select Investigate and enter the following RQL query.
      This query lists all network traffic from Internet or Suspicious IP addresses with more than 0 bytes of data transferred to a network interface on any resource in any cloud environment.
      network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
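The RQL query above (used in both the commercial and Government procedures) is evaluated by Prisma Cloud over the ingested NSG flow logs. As an added example that is not code from the Prisma Cloud documentation, the following Python applies the same filter directly to a raw NSG flow log in Network Watcher's flow log format version 2, so you can cross-check what Prisma Cloud reports against the blobs in the storage account. The record, rule names and addresses are constructed; "Internet IPs" is approximated as any source outside the private ranges, and the Suspicious IPs classification is Prisma Cloud's own and is not reproduced here.

```python
import ipaddress
import json

# Constructed sample record in the v2 layout; not captured traffic. Tuple fields:
# time,src,dst,srcPort,dstPort,proto,direction,decision,state,
# pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc (counters empty for state B)
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-01-01T00:00:00Z", "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF80000",
            "flowTuples": [
                "1577836800,203.0.113.10,10.0.0.4,51234,443,T,I,A,E,12,3400,10,9800",
                "1577836801,10.0.0.5,10.0.0.4,40000,443,T,I,A,E,3,240,2,180",
                "1577836803,10.0.0.4,203.0.113.99,55000,443,T,O,A,E,5,600,4,900"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF80000",
            "flowTuples": [
                "1577836802,198.51.100.7,10.0.0.4,53000,3389,T,I,D,B,,,,"]}]}]}}]})

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internet_ip(ip: str) -> bool:
    """A source counts as an Internet IP when it is outside the private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def parse_tuple(raw: str) -> dict:
    """Split one v2 flow tuple; byte counters are empty for state B (flow begin)."""
    f = raw.split(",")
    return {"src": f[1], "dst": f[2], "dst_port": int(f[4]), "direction": f[6],
            "decision": f[7], "bytes_to_dst": int(f[10]) if f[10] else 0}

def internet_inbound_flows(log_text: str) -> list:
    """Inbound flows from Internet IPs with bytes > 0, mirroring the RQL query."""
    hits = []
    for record in json.loads(log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    t = parse_tuple(raw)
                    if (t["direction"] == "I" and t["bytes_to_dst"] > 0
                            and is_internet_ip(t["src"])):
                        t["rule"] = rule_block["rule"]
                        hits.append(t)
    return hits
```

Only the first tuple qualifies in the sample: the second comes from a private address, the third is outbound, and the denied flow has no byte counters yet.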

Add an Azure China Subscription on Prisma Cloud

Connect your Azure China subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
With the Prisma Cloud Business Edition license on app.prismacloud.cn, you can monitor your Microsoft Azure China subscriptions. To get started, gather the details listed in Set Up Your Azure Subscription for Prisma Cloud from the Azure China portal and connect your subscription to Prisma Cloud. When you add the subscription, Prisma Cloud monitors the configuration metadata for your IaaS and PaaS services, and identifies potential resource misconfiguration and improper exposure.
Network flow log ingestion is in beta, and event logs are not currently monitored.
  1. Add your Azure subscription on Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select Settings > Cloud Accounts > Add New.
    3. Select Cloud Type Azure and click Next.
    4. Enter a Cloud Account Name.
    5. Enter your Azure Subscription ID, Active Directory ID, Application ID, Application Key, and Service Principal ID.
      These are the details you collected from the Azure portal.
    6. Select Ingest & Monitor Network Security Group flow logs and click Next.
      Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure flow logs are stored in a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the setup details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
    7. Select the Account Groups you want to add and click Next.
      You must assign each cloud account to an account group, and then Create an Alert Rule to associate the account group with it, so that alerts are generated when a policy violation occurs.
    8. Verify the Status and Save your changes.
      If Prisma Cloud was able to successfully make an API request to retrieve the configuration metadata, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed.
      Review the details for the account you added on Settings > Cloud Accounts. The cloud account owner name is displayed for you.
  2. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Wait approximately 10-24 hours after you onboard the Azure subscription to Prisma Cloud before you review the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for asset inventory, compliance checks, and configuration review.
    1. Log in to Prisma Cloud.
    2. Select Inventory > Assets.
      View a snapshot of the current state of all cloud resources or assets that you are monitoring and securing using Prisma Cloud.

Create a Custom Role for Prisma Cloud

If you want to manually create the role and review all the permissions required for monitoring your Azure subscription, instead of using the Terraform template, you can use the custom role JSON file from Prisma Cloud. To create a custom role on Azure, you must have an Azure Active Directory Premium 1 or Premium 2 license plan.
  1. Download and save the JSON file from here.
    Save the JSON file on your local machine or laptop.
    If you are using this file for onboarding your Azure China subscription, remove the permission for Microsoft.Databricks/workspaces/read because Databricks is not available on Azure China.
  2. Install the Azure CLI and log in to Azure.
  3. Go to the directory where you stored the JSON file.
  4. Enter the following Azure CLI command.
    If you renamed the file, replace the JSON filename in the following command so that it matches.
    az role definition create --role-definition "azure_prisma_cloud_lp_read_only.json"
    For services that are not available in the Azure environment where you are creating the role, the following error message displays:
    New-AzRoleDefinition : The resource provider referenced in the action is not returned in the list of providers from Azure Resource Manager.
    You must edit the JSON file to remove the permissions for services that are not available.
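Before running the az command, it is worth checking the downloaded JSON offline for the two problems this section and the Mode step describe: actions for a resource provider the target environment does not offer (Microsoft.Databricks in Azure China), and permissions that would contradict a Monitor (read-only) role. The following Python is an added example, not Prisma Cloud's file or tooling; the role definition embedded in it is a constructed sample with a few illustrative actions, not the contents of azure_prisma_cloud_lp_read_only.json, and the subscription ID is a placeholder.

```python
import json
import re
from copy import deepcopy

# Constructed sample in the layout accepted by "az role definition create";
# NOT the permission set shipped by Prisma Cloud, just a few illustrative actions.
SAMPLE_ROLE_JSON = json.dumps({
    "Name": "Prisma Cloud Read Only (constructed sample)",
    "IsCustom": True,
    "Description": "Illustrative read-only role for the example",
    "Actions": [
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Databricks/workspaces/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})

# Providers the page notes are absent in Azure China (extend per environment).
UNAVAILABLE_IN_AZURE_CHINA = {"Microsoft.Databricks"}
# Write/delete verbs or wildcard grants are not read-only.
WRITE_OR_WILDCARD = re.compile(r"/(write|delete)$|\*", re.IGNORECASE)

def load_role(text: str) -> dict:
    """Parse a role-definition JSON file into a dict."""
    return json.loads(text)

def provider_of(action: str) -> str:
    """'Microsoft.Network/networkSecurityGroups/read' -> 'Microsoft.Network'."""
    return action.split("/", 1)[0]

def strip_unavailable_actions(role: dict, unavailable: set) -> tuple:
    """Return (cleaned copy, removed actions) with unavailable providers dropped,
    so the file can be fixed before Azure Resource Manager rejects the provider."""
    removed = [a for a in role.get("Actions", []) if provider_of(a) in unavailable]
    cleaned = deepcopy(role)
    cleaned["Actions"] = [a for a in role.get("Actions", []) if a not in removed]
    return cleaned, removed

def non_read_actions(role: dict) -> list:
    """Actions that break the Monitor (read-only) promise; expect [] for that mode."""
    return [a for a in role.get("Actions", []) if WRITE_OR_WILDCARD.search(a)]

def assignable_to_subscription(role: dict, subscription_id: str) -> bool:
    """True when the role's AssignableScopes include the target subscription."""
    return f"/subscriptions/{subscription_id}" in role.get("AssignableScopes", [])
```

Write the cleaned dict back out with json.dump before passing the file to az role definition create; the removed list tells you exactly which permissions were dropped for that environment.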
