Add an Azure Subscription on Prisma Cloud
Connect your Azure commercial, Azure Government, or Azure China subscription to Prisma Cloud to analyze traffic logs and monitor resources for potential security and compliance issues.
Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs and to detect potentially malicious network activity or compliance issues. To enable API access between Prisma Cloud and your Microsoft Azure subscription, you gather identifying information about the subscription and its Azure Active Directory tenant so that Prisma Cloud can monitor the resources in that subscription. You add one subscription at a time.

If you are adding an Azure commercial subscription, this workflow uses a Terraform template to streamline the setup. The template automates registering Prisma Cloud as an application in your Active Directory tenant, creating the Service Principal, and assigning the roles required for authentication.

If you are adding an Azure Government or Azure China subscription, you must complete some of these tasks manually in the Azure portal.
Add Azure Commercial Subscription to Prisma Cloud
- Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
- Select Azure as the Cloud to Protect.
- Enter a Cloud Account Name. A cloud account name is auto-populated for you. You can replace it with a name that uniquely identifies your Azure subscription on Prisma Cloud.
- Select the Mode. Decide whether to grant permissions to only monitor (read-only access) or to monitor and protect (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate creation of the custom role required for Prisma Cloud.
- Register Prisma Cloud as an application on your Azure Active Directory. Prisma Cloud requires your Azure Subscription ID so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the Directory (Tenant) ID, Application (Client) ID, Application Client Secret, and Enterprise Application Object ID to establish the connection between Prisma Cloud and Azure Active Directory so that it can access the resources in your subscription.
- Fill out the details to set up Prisma Cloud on your Azure subscription and click Next. From the Azure portal, get your Azure Active Directory ID (referred to as Tenant ID on Prisma Cloud) and your Azure Subscription ID. The Terraform template uses the values you enter as inputs to automate the setup of the custom role with the permissions for the Monitor or Monitor & Protect mode you selected earlier. It also automatically generates a Service Principal password.
- Download the Terraform template. Prisma Cloud recommends that you create a directory to store each Terraform template you download, so that you can keep the templates apart when you add further Azure subscriptions to Prisma Cloud. Give the directory a name that uniquely identifies the subscription it is used for (for example, onboard-<subscription-name>).
- Log in to the Azure portal Cloud Shell (Bash).
- Upload the template to the Cloud Shell.
- Run the following Terraform commands:
- terraform init
- terraform apply
- Copy the details after applying the Terraform template. Get the Application Client Secret, Application (Client) ID, and Enterprise Application Object ID from the output file. Note that Terraform also records the generated Service Principal password in plain text in its state file (terraform.tfstate) in that directory, so restrict access to the directory and delete the state when it is no longer needed.
- Select Ingest & Monitor Network Security Group flow logs and click Next. Network security group (NSG) flow logs are a feature of Network Watcher that lets you view information about ingress and egress IP traffic through an NSG. You must first configure Network Security Groups on Azure and assign a storage account to enable flow log ingestion on Prisma Cloud. Make sure that the Azure flow logs are stored in a storage account in the same region as the NSG. If you want to enable flow log ingestion, you must complete the tasks outlined in Step 6 to Step 10 in Set Up Your Azure Subscription for Prisma Cloud. If you enable this option without setting it up on the Azure portal, Prisma Cloud will not be able to retrieve any flow logs.
- Select the Account Groups you want to add and click Next. You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks that is associated with the account group so that alerts are generated when a policy violation occurs.
- Verify the Status and click Done. If Prisma Cloud is able to successfully connect to your Azure subscription and retrieve information, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
- Verify that you can view the information on your Azure resources on Prisma Cloud. Wait approximately 10 to 24 hours after you onboard the Azure subscription before reviewing the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization. It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the seven days preceding the time you onboard the account.
- Log in to Prisma Cloud.
- Select Investigate and enter the following RQL query. It lists all network traffic from the Internet or from suspicious IP addresses with more than 0 bytes transferred to a network interface on any resource in the onboarded cloud account:
  network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
Add Azure Government Subscription to Prisma Cloud
Connect your Azure Government subscription to Prisma Cloud to monitor resources for potential security and compliance issues.
- Add your Azure subscription on Prisma Cloud.
- Access Prisma Cloud and select Settings > Cloud Accounts > Add New.
- Enter a Cloud Account Name.
- Select Cloud Type Azure and the Government environment where your resources are deployed, then click Next.
- Enter your Azure Subscription ID, Directory (Tenant) ID, Application (Client) ID, Application Client Secret, and Enterprise Application Object ID.
- Select Ingest & Monitor Network Security Group flow logs and click Next. Network security group (NSG) flow logs are a feature of Network Watcher that lets you view information about ingress and egress IP traffic through an NSG. Make sure that the Azure flow logs are stored in a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the setup details that ensure Prisma Cloud can successfully ingest NSG flow logs.
- Select the Account Groups you want to add and click Next. You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks that is associated with the account group so that alerts are generated when a policy violation occurs.
- Verify the Status and click Done to save your changes. If Prisma Cloud was able to successfully make an API request to retrieve the Azure flow logs, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
- Verify that you can view the information on your Azure resources on Prisma Cloud. Wait approximately 10 to 24 hours after you onboard the Azure subscription before reviewing the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization. It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the seven days preceding the time you onboard the account.
- Log in to Prisma Cloud.
- Select Investigate and enter the following RQL query. It lists all network traffic from the Internet or from suspicious IP addresses with more than 0 bytes transferred to a network interface on any resource in the onboarded cloud account:
  network where cloud.account = '{{cloud account name}}' AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
Add an Azure China Subscription on Prisma Cloud
Connect your Azure China subscription to Prisma Cloud to monitor resources for potential security and compliance issues.
With the Prisma Cloud Business Edition license on app.prismacloud.cn, you can monitor your Microsoft Azure China subscriptions. To get started, gather the details listed in Set Up Your Azure Subscription for Prisma Cloud from the Azure China portal and connect your subscription to Prisma Cloud.
When you add the subscription, Prisma Cloud monitors the configuration metadata for your IaaS and PaaS services and identifies potential resource misconfigurations and improper exposure. It also lets you use data ingested from event logs and network flow logs for better visibility and governance.
- Add your Azure subscription on Prisma Cloud.
- Log in to Prisma Cloud.
- Select Settings > Cloud Accounts > Add New.
- Select Cloud Type Azure and click Next.
- Enter a Cloud Account Name.
- Enter your Azure Subscription ID, Directory (Tenant) ID, Application (Client) ID, Application Client Secret, and Enterprise Application Object ID. These are the details you collected from the Azure portal.
- Select Ingest & Monitor Network Security Group flow logs and click Next. Network security group (NSG) flow logs are a feature of Network Watcher that lets you view information about ingress and egress IP traffic through an NSG. Make sure that the Azure flow logs are stored in a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the setup details that ensure Prisma Cloud can successfully ingest NSG flow logs.
- Select the Account Groups you want to add and click Next. You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks that is associated with the account group so that alerts are generated when a policy violation occurs.
- Verify the Status and Save your changes. If Prisma Cloud was able to successfully make an API request to retrieve the configuration metadata, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the data, the error message indicates what failed. Review the details for the account you added on Settings > Cloud Accounts; the cloud account owner name is displayed for you.
- Verify that you can view the information on your Azure resources on Prisma Cloud. Wait approximately 10 to 24 hours after you onboard the Azure subscription before reviewing the data collected about your Azure resources. After Prisma Cloud ingests data, the information is available for asset inventory, compliance checks, and configuration review.
- Log in to Prisma Cloud.
- Select Inventory > Assets to view a snapshot of the current state of all cloud resources or assets that you are monitoring and securing using Prisma Cloud.
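Each of the three onboarding procedures above (commercial, Government, and China) states the same precondition for flow log ingestion: every NSG must have a Network Watcher flow log that is enabled and writes to a storage account in the same region as the NSG. The following script, an added example that is not part of the Prisma Cloud documentation, checks that precondition before you tick "Ingest & Monitor Network Security Group flow logs". The record shapes mirror the `id`/`location` fields returned by `az network nsg list` and `az storage account list` and the `targetResourceId`/`storageId`/`enabled` fields of `az network watcher flow-log list`, but the records themselves are constructed sample data, and the subscription ID is a placeholder.

```python
"""Pre-onboarding check for Prisma Cloud NSG flow log ingestion.

For every NSG, report anything that would stop Prisma Cloud from retrieving
flow logs: no flow log configured, flow log disabled, or flow log storage
account in a different region than the NSG.  All data below is constructed;
in a real run you would load the three lists from the Azure CLI JSON output.
"""

# Placeholder subscription ID (not a real subscription).
SUB = "00000000-0000-0000-0000-000000000000"


def rid(provider, kind, name, rg="rg-prod"):
    """Build an ARM resource ID in the form the Azure CLI returns."""
    return f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/{provider}/{kind}/{name}"


NSGS = [  # constructed, as from: az network nsg list -o json
    {"id": rid("Microsoft.Network", "networkSecurityGroups", "nsg-web"), "name": "nsg-web", "location": "eastus"},
    {"id": rid("Microsoft.Network", "networkSecurityGroups", "nsg-db"), "name": "nsg-db", "location": "eastus"},
    {"id": rid("Microsoft.Network", "networkSecurityGroups", "nsg-eu"), "name": "nsg-eu", "location": "westeurope"},
    {"id": rid("Microsoft.Network", "networkSecurityGroups", "nsg-orphan"), "name": "nsg-orphan", "location": "eastus"},
]

STORAGE = [  # constructed, as from: az storage account list -o json
    {"id": rid("Microsoft.Storage", "storageAccounts", "stflowseast"), "location": "eastus"},
    {"id": rid("Microsoft.Storage", "storageAccounts", "stflowswest"), "location": "westus"},
]

FLOW_LOGS = [  # constructed, as from: az network watcher flow-log list -o json
    {"targetResourceId": NSGS[0]["id"], "storageId": STORAGE[0]["id"], "enabled": True},   # correct
    {"targetResourceId": NSGS[1]["id"], "storageId": STORAGE[1]["id"], "enabled": True},   # wrong region
    {"targetResourceId": NSGS[2]["id"], "storageId": STORAGE[0]["id"], "enabled": False},  # disabled and wrong region
    # nsg-orphan has no flow log at all
]


def check_flow_logs(nsgs, flow_logs, storage_accounts):
    """Return {nsg_name: [problem, ...]} for NSGs that are not ready.

    An empty dict means Prisma Cloud can ingest flow logs for every NSG.
    ARM resource IDs are compared case-insensitively, as Azure treats them.
    """
    sa_location = {s["id"].lower(): s["location"].lower() for s in storage_accounts}
    log_by_nsg = {f["targetResourceId"].lower(): f for f in flow_logs}
    findings = {}
    for nsg in nsgs:
        problems = []
        log = log_by_nsg.get(nsg["id"].lower())
        if log is None:
            problems.append("no Network Watcher flow log configured")
        else:
            if not log.get("enabled", False):
                problems.append("flow log exists but is disabled")
            sa_loc = sa_location.get(log["storageId"].lower())
            nsg_loc = nsg["location"].lower()
            if sa_loc is None:
                problems.append("flow log points at an unknown storage account")
            elif sa_loc != nsg_loc:
                problems.append(f"storage account is in {sa_loc}, NSG is in {nsg_loc}")
        if problems:
            findings[nsg["name"]] = problems
    return findings


if __name__ == "__main__":
    findings = check_flow_logs(NSGS, FLOW_LOGS, STORAGE)
    if not findings:
        print("all NSGs ready for flow log ingestion")
    for name, problems in sorted(findings.items()):
        print(f"{name}: {'; '.join(problems)}")
```

Run it after completing the flow log setup steps and before enabling ingestion on Prisma Cloud; with the sample data it flags nsg-db (cross-region storage), nsg-eu (disabled and cross-region), and nsg-orphan (no flow log), while nsg-web passes.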
Create a Custom Role for Prisma Cloud
If you want to create the role manually and review all the permissions required for monitoring your Azure subscription, instead of using the Terraform template, you can use the custom role JSON file from Prisma Cloud. To create a custom role on Azure, you must have an Azure Active Directory Premium 1 or Premium 2 license plan.
- Download and save the JSON file from here. Save the JSON file on your local machine or laptop. If you are using this file to onboard your Azure China subscription, remove the Microsoft.Databricks/workspaces/read permission, because Databricks is not available on Azure China.
- Install the Azure CLI and log in to Azure.
- Go to the directory where you stored the JSON file.
- Enter the following Azure CLI command. If you renamed the file, replace the JSON filename in the command with yours:
  az role definition create --role-definition "azure_prisma_cloud_lp_read_only.json"
  For services that are not available in the Azure environment where you are creating the role, role creation fails with an error such as:
  New-AzRoleDefinition : The resource provider referenced in the action is not returned in the list of providers from Azure Resource Manager.
  You must edit the JSON file to remove the permissions for services that are not available in that environment.
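Editing the role file by hand for each environment is error-prone, and the failure only surfaces at `az role definition create` time. The script below is an added example, not Prisma Cloud's own tooling, that does the pruning described above programmatically: it drops every action whose resource provider namespace is not available in the target environment, keeps wildcard actions such as `*/read`, and pins AssignableScopes to the subscription you are onboarding. The role definition and the provider list are constructed stand-ins; the real azure_prisma_cloud_lp_read_only.json has many more actions, and the real provider list comes from `az provider list --query "[].namespace" -o tsv` run against the target environment.

```python
"""Prune a Prisma Cloud custom role definition for a target Azure environment.

Actions that reference a resource provider not available in the environment
(for example Microsoft.Databricks on Azure China) are removed so that
`az role definition create` does not fail on them.  The inputs here are
constructed samples, not the file shipped by Prisma Cloud.
"""
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed stand-in for azure_prisma_cloud_lp_read_only.json.  The field
# names are the ones `az role definition create` expects; the action list is
# only illustrative.
ROLE_TEMPLATE = {
    "Name": "Prisma Cloud Read Only",
    "IsCustom": True,
    "Description": "Read-only access for Prisma Cloud monitoring (sample)",
    "Actions": [
        "*/read",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Databricks/workspaces/read",
        "Microsoft.KeyVault/vaults/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}

# Constructed provider list for the target environment.  It deliberately omits
# Microsoft.Databricks to mirror the Azure China case; obtain the real list with
#   az provider list --query "[].namespace" -o tsv
TARGET_PROVIDERS = {
    "Microsoft.Authorization", "Microsoft.Compute", "Microsoft.KeyVault",
    "Microsoft.Network", "Microsoft.Resources", "Microsoft.Storage",
}


def _namespace(action):
    """'Microsoft.Network/networkWatchers/read' -> 'Microsoft.Network'; '*/read' -> '*'."""
    return action.split("/", 1)[0]


def prune_role_definition(role, available_namespaces, subscription_id):
    """Return (pruned_role, removed_actions).

    The input dict is left untouched.  Wildcard actions are kept because they
    do not name a specific provider; everything else must match a namespace in
    `available_namespaces` (case-insensitive, as Azure compares them).
    """
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription ID: {subscription_id!r}")
    available = {ns.lower() for ns in available_namespaces}
    pruned = json.loads(json.dumps(role))  # deep copy
    removed = []
    for key in ("Actions", "NotActions", "DataActions", "NotDataActions"):
        kept = []
        for action in pruned.get(key, []):
            ns = _namespace(action)
            if ns == "*" or ns.lower() in available:
                kept.append(action)
            else:
                removed.append(action)
        pruned[key] = kept
    # Scope the role to the subscription being onboarded instead of the placeholder.
    pruned["AssignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return pruned, removed


if __name__ == "__main__":
    import sys
    # Placeholder subscription ID; pass your own as the first argument.
    sub = sys.argv[1] if len(sys.argv) > 1 else "11111111-1111-1111-1111-111111111111"
    pruned, removed = prune_role_definition(ROLE_TEMPLATE, TARGET_PROVIDERS, sub)
    for action in removed:
        print(f"removed: {action}", file=sys.stderr)
    print(json.dumps(pruned, indent=2))
```

Redirect stdout to the JSON file name you pass to `az role definition create --role-definition`, and review the removed actions printed on stderr: an action disappearing that you expected to keep means the provider list you supplied is incomplete, not that the permission is unneeded.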