Add an Azure Subscription on Prisma Cloud

Connect your Azure commercial or Government, or Azure China subscription on Prisma Cloud to analyze traffic logs and monitor resources for potential security and compliance issues.
Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs, and detect potential malicious network activity or compliance issues. To enable API access between Prisma Cloud and your Microsoft Azure Subscription, you need to gather account information about your subscription and Azure Active Directory so that Prisma Cloud can monitor the resources in your cloud account, and add one subscription at a time.
If you are adding an Azure commercial account, this workflow uses Terraform templates to streamline the set up process. The template automates the process of creating and registering Prisma Cloud as an application on your Active Directory and creating the Service Principal and associating the roles required to enable authentication.
If you don’t want to use Terraform, or are adding an Azure Government or Azure China subscription, you must complete some tasks manually on the Azure portal.

Add Azure Commercial Subscription on Prisma Cloud

  1. Access Prisma Cloud and select
    Settings
    Cloud Accounts
    Add New
    .
  2. Select
    Azure
    as the
    Cloud to Protect
    .
  3. Enter a
    Cloud Account Name
    .
    A cloud account name is auto-populated for you. You can replace it with it a cloud account name that uniquely identifies your Azure subscription on Prisma Cloud.
  4. Select the
    Mode
    .
    Decide whether to enable permissions to only
    monitor
    (read-only access) or to
    monitor and protect
    (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the custom role required for Prisma Cloud.
  5. Enter your Directory (Tenant) ID and Subscription ID.
    Prisma Cloud requires your Azure
    Subscription ID
    so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
    Directory (Tenant) ID
    which identifies your tenant.
    1. Get the directory tenant id
      —In Azure portal, click
      Properties
      and copy the
      Tenant ID
      .
    2. Get the subscription id
      —In Azure portal, select
      All resources
      (Your Azure subscription)
      , and then copy
      Subscription ID
      .
  6. Download the Terraform template.
    Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Azure subscription to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
    1. Log in to the Azure portal Cloud Shell (Bash).
    2. Upload the template to the Cloud Shell.
    3. Run the following Terraform commands.
      • terraform init
      • terraform apply
        After you enter
        terraform apply
        the CLI will ask:
        Do you want to perform these actions?
        . Type
        yes
        and hit enter.
        Get the
        Application Client Secret
        ,
        Application (Client) ID
        , and the
        Enterprise Application Object ID
        from the CLI and enter it into the Prisma Cloud UI.
    4. Select
      Ingest & Monitor Network Security Group flow logs
      and click
      Next
      .
      Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. You must first configure Network Security Groups on Azure and assign a storage account to enable Flow log ingestion on Prisma Cloud. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. If you want to enable flow log ingestion, you must complete the tasks outlined in Step 9 in Register an App on Azure Active Directory. If you enable this option without setting it up on the Azure portal, Prisma Cloud will not be able to retrieve any Flow logs.
  7. Select the
    Account Groups
    you want to add and click
    Next
    .
    You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
  8. Verify the
    Status
    and click
    Done
    .
    If Prisma Cloud is able to successfully connect to your Azure subscription and retrieve information, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
  9. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Depending on the number of resources in the accounts onboarded the data that was collected about your Azure resources can take up until a hour to display. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
    It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the previous seven days from when you onboard the account.
    1. Log in to Prisma Cloud.
    2. Select
      Investigate
      and enter the following RQL query.
      This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment. Replace
      ‘<cloud account name>’
      with the name of your actual cloud account.
      network from vpc.flow_record where cloud.account = '<cloud account name>' AND source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs' ) AND bytes > 0

Add Azure Commercial Subscription on Prisma Cloud—Manual

This workflow uses Azure portal to manually create your Azure resources to onboard to Prisma Cloud. After you register an app on Azure Active Directory, you will get the details to enter into Prisma Cloud so that you can continuous monitor your Azure resources for security vulnerabilities and to enforce compliance.
  1. Save the information to a secure location on your computer.
  2. Access Prisma Cloud and select
    Settings
    Cloud Accounts
    Add New
    .
  3. Select
    Azure
    as the
    Cloud to Protect
    .
  4. Enter a
    Cloud Account Name
    .
    A cloud account name is auto-populated for you. You can replace it with it a cloud account name that uniquely identifies your Azure subscription on Prisma Cloud.
  5. Select the
    Mode
    .
    Decide whether to enable permissions to only
    monitor
    (read-only access) or to
    monitor and protect
    (read-write access) the resources in your cloud account.
    what if you’re doing manual onboarding?
  6. Enter your Directory (Tenant) ID and Subscription ID.
    Prisma Cloud requires your Azure
    Subscription ID
    so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
    Directory (Tenant) ID
    which identifies your tenant.
    1. Get the directory tenant id
      —In Azure portal, click
      Properties
      and copy the
      Tenant ID
      .
    2. Get the subscription id
      —In Azure portal, select
      All resources
      (Your Azure subscription)
      , and then copy
      Subscription ID
      .
  7. Enter your app details into Prisma Cloud.
    Enter the
    Application (Client) ID
    ,
    Application Client Secret
    , and
    Enterprise Application Object ID
    into the Prisma Cloud UI and click
    Next
    . These details are the output after you complete Step 1.
    Keep
    Ingest and Monitor Network Security Group Flow Logs
    enabled to view your NSG flow logs.

Add Azure Government Subscription on Prisma Cloud

Connect your Azure Government subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
  1. Add your Azure subscription on Prisma Cloud.
    1. Access Prisma Cloud and select
      Settings
      Cloud Accounts
      Add New
      .
    2. Enter a
      Cloud Account Name
      .
    3. Select
      Cloud Type
      Azure and the
      Government
      environment where your resources are deployed, click
      Next
      .
    4. Enter your Azure
      Subscription ID
      ,
      Directory (Tenant) ID
      ,
      Application (Client) ID
      ,
      Application Client Secret
      and
      Enterprise Application Object ID
      .
    5. Select
      Ingest & Monitor Network Security Group flow logs
      and click
      Next
      .
      Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the set up details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
    6. Select the
      Account Groups
      you want to add and click
      Next
      .
      You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
    7. Verify the
      Status
      and
      Done
      to save your changes.
      If Prisma Cloud was able to successfully make an API request to retrieve the Azure flow logs, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
  2. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Wait for approximately 10-24 hours after you onboard the Azure subscription to Prisma Cloud, to review the data that was collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
    It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the previous seven days from when you onboard the account.
    1. Log in to Prisma Cloud.
    2. Select
      Investigate
      and enter the following RQL query.
      This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment. Replace
      '<Your Cloud Account Name>'
      with the name of your actual cloud account.
      network from vpc.flow_record where cloud.account = '<Your Cloud Account Name>' AND source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs') AND bytes > 0

Add an Azure China Subscription on Prisma Cloud

Connect your Azure China subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
You require a Prisma Cloud instance in China to monitor or monitor and protect your deployments in the Microsoft Azure China regions. To get started with monitoring your subscriptions in Azure China, gather the details listed in Register an App on Azure Active Directory from the Azure China portal. When you add the subscription, Prisma Cloud monitors the configuration metadata for your IaaS and PaaS services and identifies potential resource misconfiguration and improper exposure. It also enables you to use data ingested from event logs and network flow logs for better visibility and governance.
When you onboard your Azure China subscription on Prisma Cloud, review the following differences as compared to Azure Commercial:
  • Support for Terraform templates to onboard a cloud account for Azure China is not available.
  • On app.prismacloud.cn, you cannot onboard any accounts that are not deployed on Azure China regions.
  1. Add your Azure subscription on Prisma Cloud.
    1. Log in to Prisma Cloud.
    2. Select
      Settings
      Cloud Accounts
      Add New
    3. Select
      Cloud Type
      Azure and click
      Next
      .
    4. Enter a
      Cloud Account Name
      .
    5. Enter your Azure
      Subscription ID
      ,
      Directory (Tenant) ID
      ,
      Application (Client) ID
      ,
      Application Client Secret
      and
      Enterprise Application Object ID
      .
      These are the details you collected from the Azure portal.
    6. Select
      Ingest & Monitor Network Security Group flow logs
      and click
      Next
      .
      Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. See Register an App on Azure Active Directory for the set up details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
    7. Select the
      Account Groups
      you want to add and click
      Next
      .
      You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
    8. Verify the
      Status
      and
      Save
      your changes.
      If Prisma Cloud was able to successfully make an API request to retrieve the configuration metadata, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed.
      Review the details for the account you added on
      Settings
      Cloud Accounts
      .
  2. Verify that you can view the information on your Azure resources on Prisma Cloud.
    Wait for approximately 1 hour after you onboard the Azure subscription to Prisma Cloud, to review the data that was collected about your Azure resources. After Prisma Cloud ingests data, the information is available for asset inventory, compliance checks and configuration review.
    1. Log in to Prisma Cloud.
    2. Select
      Inventory
      Assets
      .
      View a snapshot of the current state of all cloud resources or assets that you are monitoring and securing using Prisma Cloud.

Recommended For You