1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Azure Account
    7. Add an Azure Subscription on Prisma Cloud

    Add an Azure Subscription on Prisma Cloud

    Connect your Azure commercial or Government, or Azure China subscription on Prisma Cloud to analyze traffic logs and monitor resources for potential security and compliance issues.
    Connecting Prisma™ Cloud to your Azure cloud account enables you to analyze and monitor traffic logs, and detect potential malicious network activity or compliance issues. To enable API access between Prisma Cloud and your Microsoft Azure Subscription, you need to gather account information about your subscription and Azure Active Directory so that Prisma Cloud can monitor the resources in your cloud account, and add one subscription at a time.
    If you are adding an Azure commercial account, this workflow uses Terraform templates to streamline the set up process. The template automates the process of creating and registering Prisma Cloud as an application on your Active Directory and creating the Service Principal and associating the roles required to enable authentication.
    If you don’t want to use Terraform, or are adding an Azure Government or Azure China subscription, you must complete some tasks manually on the Azure portal.

    Add Azure Commercial Subscription on Prisma Cloud

    1. Access Prisma Cloud and select
      Settings
      Cloud Accounts
      Add New
      .
    2. Select
      Azure
       as the
      Cloud to Protect
      .
    3. Enter a
      Cloud Account Name
      .
      A cloud account name is auto-populated for you. You can replace it with it a cloud account name that uniquely identifies your Azure subscription on Prisma Cloud.
    4. Select the
      Mode
      .
      Decide whether to enable permissions to only
      monitor
       (read-only access) or to
      monitor and protect
       (read-write access) the resources in your cloud account. Your selection determines which Terraform template is used to automate the process of creating the custom role required for Prisma Cloud.
    5. Enter your Directory (Tenant) ID and Subscription ID.
      Prisma Cloud requires your Azure
      Subscription ID
       so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
      Directory (Tenant) ID
       which identifies your tenant.
      1. Get the directory tenant id
        —In Azure portal, click
        Properties
         and copy the
        Tenant ID
        .
      2. Get the subscription id
        —In Azure portal, select
        All resources
        (Your Azure subscription)
        , and then copy
        Subscription ID
        .
    6. Download the Terraform template.
      Prisma Cloud recommends that you create a directory to store the Terraform template you download. This allows you to manage the templates when you add a different Azure subscription to Prisma Cloud. Give the directory a name that uniquely identifies the subscription for which you're using it (for example, onboard-<subscription-name>).
      1. Log in to the Azure portal Cloud Shell (Bash).
      2. Upload the template to the Cloud Shell.
      3. Run the following Terraform commands.
        • terraform init
        • terraform apply
          After you enter
          terraform apply
           the CLI will ask:
          Do you want to perform these actions?
          . Type
          yes
           and hit enter.
          Get the
          Application Client Secret
          ,
          Application (Client) ID
          , and the
          Enterprise Application Object ID
           from the CLI and enter it into the Prisma Cloud UI.
      4. Select
        Ingest & Monitor Network Security Group flow logs
         and click
        Next
        .
        Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. You must first configure Network Security Groups on Azure and assign a storage account to enable Flow log ingestion on Prisma Cloud. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. If you want to enable flow log ingestion, you must complete the tasks outlined in Step 9 in Register an App on Azure Active Directory. If you enable this option without setting it up on the Azure portal, Prisma Cloud will not be able to retrieve any Flow logs.
    7. Select the
      Account Groups
       you want to add and click
      Next
      .
      You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
    8. Verify the
      Status
       and click
      Done
      .
      If Prisma Cloud is able to successfully connect to your Azure subscription and retrieve information, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
    9. Verify that you can view the information on your Azure resources on Prisma Cloud.
      Depending on the number of resources in the accounts onboarded the data that was collected about your Azure resources can take up until a hour to display. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
      It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the previous seven days from when you onboard the account.
      1. Log in to Prisma Cloud.
      2. Select
        Investigate
         and enter the following RQL query.
        This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment. Replace
        ‘<cloud account name>’
         with the name of your actual cloud account. 
        
									
        network from vpc.flow_record where cloud.account = '<cloud account name>' AND source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs' ) AND bytes > 0

    Add Azure Commercial Subscription on Prisma Cloud—Manual

    This workflow uses Azure portal to manually create your Azure resources to onboard to Prisma Cloud. After you register an app on Azure Active Directory, you will get the details to enter into Prisma Cloud so that you can continuous monitor your Azure resources for security vulnerabilities and to enforce compliance.
    1. Save the information to a secure location on your computer.
    2. Access Prisma Cloud and select
      Settings
      Cloud Accounts
      Add New
      .
    3. Select
      Azure
       as the
      Cloud to Protect
      .
    4. Enter a
      Cloud Account Name
      .
      A cloud account name is auto-populated for you. You can replace it with it a cloud account name that uniquely identifies your Azure subscription on Prisma Cloud.
    5. Select the
      Mode
      .
      Decide whether to enable permissions to only
      monitor
       (read-only access) or to
      monitor and protect
       (read-write access) the resources in your cloud account.
      what if you’re doing manual onboarding?
    6. Enter your Directory (Tenant) ID and Subscription ID.
      Prisma Cloud requires your Azure
      Subscription ID
       so that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
      Directory (Tenant) ID
       which identifies your tenant.
      1. Get the directory tenant id
        —In Azure portal, click
        Properties
         and copy the
        Tenant ID
        .
      2. Get the subscription id
        —In Azure portal, select
        All resources
        (Your Azure subscription)
        , and then copy
        Subscription ID
        .
    7. Enter your app details into Prisma Cloud.
      Enter the
      Application (Client) ID
      ,
      Application Client Secret
      , and
      Enterprise Application Object ID
       into the Prisma Cloud UI and click
      Next
      . These details are the output after you complete Step 1.
      Keep
      Ingest and Monitor Network Security Group Flow Logs
      enabled to view your NSG flow logs.

    Add Azure Government Subscription on Prisma Cloud

    Connect your Azure Government subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
    2. Add your Azure subscription on Prisma Cloud.
      1. Access Prisma Cloud and select
        Settings
        Cloud Accounts
        Add New
        .
      2. Enter a
        Cloud Account Name
        .
      3. Select
        Cloud Type
         Azure and the
        Government
         environment where your resources are deployed, click
        Next
        .
      4. Enter your Azure
        Subscription ID
        ,
        Directory (Tenant) ID
        ,
        Application (Client) ID
        ,
        Application Client Secret
         and
        Enterprise Application Object ID
        .
      5. Select
        Ingest & Monitor Network Security Group flow logs
         and click
        Next
        .
        Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. See Azure Cloud Account Onboarding Checklist for the set up details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
      6. Select the
        Account Groups
         you want to add and click
        Next
        .
        You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
      7. Verify the
        Status
         and
        Done
         to save your changes.
        If Prisma Cloud was able to successfully make an API request to retrieve the Azure flow logs, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed. See Troubleshoot Azure Account Onboarding for help.
    3. Verify that you can view the information on your Azure resources on Prisma Cloud.
      Wait for approximately 10-24 hours after you onboard the Azure subscription to Prisma Cloud, to review the data that was collected about your Azure resources. After Prisma Cloud ingests data, the information is available for compliance checks, configuration review, audit history, and network visualization.
      It takes about four to six hours before you can view flow logs in Prisma Cloud. Prisma Cloud ingests flow logs from the previous seven days from when you onboard the account.
      1. Log in to Prisma Cloud.
      2. Select
        Investigate
         and enter the following RQL query.
        This query allows you to list all network traffic from the Internet or from Suspicious IP addresses with over 0 bytes of data transferred to a network interface on any resource on any cloud environment. Replace
        '<Your Cloud Account Name>'
         with the name of your actual cloud account. 
        
									
        network from vpc.flow_record where cloud.account = '<Your Cloud Account Name>' AND source.publicnetwork IN ( 'Internet IPs', 'Suspicious IPs') AND bytes > 0

    Add an Azure China Subscription on Prisma Cloud

    Connect your Azure China subscription on Prisma Cloud to monitor resources for potential security and compliance issues.
    You require a Prisma Cloud instance in China to monitor or monitor and protect your deployments in the Microsoft Azure China regions. To get started with monitoring your subscriptions in Azure China, gather the details listed in Register an App on Azure Active Directory from the Azure China portal. When you add the subscription, Prisma Cloud monitors the configuration metadata for your IaaS and PaaS services and identifies potential resource misconfiguration and improper exposure. It also enables you to use data ingested from event logs and network flow logs for better visibility and governance.
    When you onboard your Azure China subscription on Prisma Cloud, review the following differences as compared to Azure Commercial:
    • Support for Terraform templates to onboard a cloud account for Azure China is not available.
    • On app.prismacloud.cn, you cannot onboard any accounts that are not deployed on Azure China regions.
    1. Add your Azure subscription on Prisma Cloud.
      1. Log in to Prisma Cloud.
      2. Select
        Settings
        Cloud Accounts
        Add New
      3. Select
        Cloud Type
         Azure and click
        Next
        .
      4. Enter a
        Cloud Account Name
        .
      5. Enter your Azure
        Subscription ID
        ,
        Directory (Tenant) ID
        ,
        Application (Client) ID
        ,
        Application Client Secret
         and
        Enterprise Application Object ID
        .
        These are the details you collected from the Azure portal.
      6. Select
        Ingest & Monitor Network Security Group flow logs
         and click
        Next
        .
        Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. Make sure that Azure Flow logs are stored within a storage account in the same region as the NSG. See Register an App on Azure Active Directory for the set up details to ensure that Prisma Cloud can successfully ingest NSG flow logs.
      7. Select the
        Account Groups
         you want to add and click
        Next
        .
        You must assign each cloud account to an account group, and Create an Alert Rule for Run-Time Checks to associate the account group with it to generate alerts when a policy violation occurs.
      8. Verify the
        Status
         and
        Save
         your changes.
        If Prisma Cloud was able to successfully make an API request to retrieve the configuration metadata, the status is displayed with a green check mark. If Prisma Cloud is unable to retrieve the logs, the error message indicates what failed.
        Review the details for the account you added on
        Settings
        Cloud Accounts
        .
    2. Verify that you can view the information on your Azure resources on Prisma Cloud.
      Wait for approximately 1 hour after you onboard the Azure subscription to Prisma Cloud, to review the data that was collected about your Azure resources. After Prisma Cloud ingests data, the information is available for asset inventory, compliance checks and configuration review.
      1. Log in to Prisma Cloud.
      2. Select
        Inventory
        Assets
        .
        View a snapshot of the current state of all cloud resources or assets that you are monitoring and securing using Prisma Cloud.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo