Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs
Create and configure a custom role on Azure to enable Prisma™ Cloud to access flow logs.
To enable Prisma™ Cloud to access Azure flow logs and monitor flow-related data (such as the volume of traffic generated by a host, the top sources of traffic to the host, or which ports are in use), you must grant it the required permissions. While you can use the built-in Network Contributor role, that role carries a much broader set of permissions than flow-log monitoring needs. It is a best practice to create a custom role instead, so that you follow the principle of least privilege and limit access rights to the bare minimum. Use the Azure Cloud Account Onboarding Checklist to decide which services you want to ingest data from, and add only the permissions those services require to this custom role.
To create a custom role, install the Azure CLI, create a limited role named Prisma Cloud - Flow Logs Setting Reader, and then assign the role so that Prisma Cloud can read flow log settings. To create a custom role definition on Azure, you must be allowed to create role definitions at the subscription scope (for example, you hold the Owner or User Access Administrator role on the subscription).
- Create a custom role using Azure CLI. If you have already assigned the Network Contributor role to the Azure user or service principal that Prisma Cloud uses, you can skip this step.
  - Install the Azure CLI and log in to Azure (az login).
  - Open a text editor (such as Notepad) and create a role definition file in JSON format for flow logs only. You can create custom roles using Azure PowerShell, Azure CLI, or the REST API; these instructions use the Azure CLI command (run from PowerShell or the Windows command prompt) to create a custom role that grants only the queryFlowLogStatus permission. The permissions required are:

        {
          "Name": "Prisma Cloud - Flow Logs Setting Reader",
          "Id": null,
          "IsCustom": true,
          "Description": "Allows Reading Flow Logs Settings",
          "Actions": [
            "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
          ],
          "NotActions": [],
          "AssignableScopes": [
            "/subscriptions/SUBSCRIPTION-ID-HERE!!!"
          ]
        }

    Make sure to replace SUBSCRIPTION-ID-HERE!!! in the last line with your Azure subscription ID, so that the role can only be assigned within that subscription.
  - Save the JSON file on your local Windows system and give it a descriptive name, such as ad-role-cli.json.
  - On the same Windows system, open a PowerShell window (or a command prompt), go to the directory where you stored the JSON file, and enter the following Azure CLI command (replace the JSON filename to match the name you gave your custom role JSON file):

        az role definition create --role-definition "ad-role-cli.json"

    The output is as follows:

        {
          "assignableScopes": [
            "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
          ],
          "description": "Allows Reading Flow Logs Settings",
          "id": "/subscriptions/16dfdbcc-e407-4fbe-9096-e7a97ee23fb5/providers/Microsoft.Authorization/roleDefinitions/088c8f48-201c-4f8d-893f-7716a8d58fa1",
          "name": "088c8f48-201c-4f8d-893f-7716a8d58fa1",
          "permissions": [
            {
              "actions": [
                "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
              ],
              "dataActions": [],
              "notActions": [],
              "notDataActions": []
            }
          ],
          "roleName": "Prisma Cloud - Flow Logs Setting Reader",
          "roleType": "CustomRole",
          "type": "Microsoft.Authorization/roleDefinitions"
        }

    Check that the returned permissions list contains only the single queryFlowLogStatus action and that assignableScopes names only your subscription; if either is broader, fix the JSON file and re-run the command.
- Configure the custom role to access the flow logs.
  - Log in to the Microsoft Azure portal.
  - Select your subscription (All services > Subscriptions).
  - Select Access control (IAM) > Add role assignment and verify that you can see the new custom role you created in the Role drop-down.
  - Assign the role to the Prisma Cloud service principal (the application you registered when onboarding the account), which grants it the permission to query flow log status, and Save your changes.
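As an added example, not part of the Prisma Cloud documentation, the following bash script automates the two steps above: it writes the role definition with the subscription ID filled in, checks that the definition really is minimal (one action, no wildcards, a single subscription scope) before anything is submitted, and then creates the role and assigns it with the Azure CLI instead of the portal. The environment variable names PRISMA_SUBSCRIPTION_ID and PRISMA_APP_ID, the file name, and the check function are this example's own assumptions; the az commands are the standard ones.

```shell
#!/usr/bin/env bash
# Added example (not from the Prisma Cloud documentation): generate the
# least-privilege role definition, sanity-check it, then create and assign
# the role with the Azure CLI. Variable names and file name are assumptions.
set -eu

ROLE_NAME="Prisma Cloud - Flow Logs Setting Reader"
REQUIRED_ACTION="Microsoft.Network/networkWatchers/queryFlowLogStatus/action"

# A subscription ID is a GUID; refuse anything else so the scope is never malformed.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Write the role definition with the subscription ID substituted into AssignableScopes.
write_role_definition() {
  local sub_id="$1" out="$2"
  is_guid "$sub_id" || { echo "not a subscription GUID: $sub_id" >&2; return 1; }
  cat > "$out" <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Allows Reading Flow Logs Settings",
  "Actions": [
    "$REQUIRED_ACTION"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$sub_id"
  ]
}
EOF
}

# Least-privilege checks on a role definition file before it is submitted:
# exactly one action and it is the flow-log status query, no wildcard actions
# (e.g. "Microsoft.Network/*"), and exactly one subscription as the scope
# rather than the tenant root "/" or a management group.
check_least_privilege() {
  local f="$1" n
  n=$(grep -c '"Microsoft\.' "$f" || true)
  [ "$n" -eq 1 ] || { echo "expected exactly one action, found $n" >&2; return 1; }
  grep -Fq "\"$REQUIRED_ACTION\"" "$f" || { echo "missing $REQUIRED_ACTION" >&2; return 1; }
  ! grep -q '\*' "$f" || { echo "wildcard in role definition" >&2; return 1; }
  n=$(grep -c '"/subscriptions/' "$f" || true)
  [ "$n" -eq 1 ] || { echo "expected exactly one subscription scope, found $n" >&2; return 1; }
  ! grep -Eq '"/"|managementGroups' "$f" || { echo "scope broader than a subscription" >&2; return 1; }
}

# Create the role definition and assign it to the Prisma Cloud service
# principal (the app ID or object ID of the application registered during
# onboarding), then list what that principal holds at the subscription scope.
create_and_assign() {
  local sub_id="$1" principal="$2" f="$3"
  az role definition create --role-definition "$f"
  az role assignment create --assignee "$principal" \
    --role "$ROLE_NAME" --scope "/subscriptions/$sub_id"
  az role assignment list --assignee "$principal" \
    --scope "/subscriptions/$sub_id" --output table
}

main() {
  local sub_id="${PRISMA_SUBSCRIPTION_ID:?set to the target subscription ID}"
  local principal="${PRISMA_APP_ID:?set to the Prisma Cloud app (client) ID}"
  local f="ad-role-cli.json"
  write_role_definition "$sub_id" "$f"
  check_least_privilege "$f"
  create_and_assign "$sub_id" "$principal" "$f"
}

# Only talk to Azure when the caller has supplied the IDs (after az login).
if [ -n "${PRISMA_SUBSCRIPTION_ID:-}" ]; then
  main
fi
```

Run it after az login as PRISMA_SUBSCRIPTION_ID=<subscription-guid> PRISMA_APP_ID=<prisma-app-id> bash create-flow-log-role.sh. The check step is the point: a role definition that was edited by hand and accidentally carries "Microsoft.Network/*" or an AssignableScopes entry of "/" is accepted by Azure without complaint, and the resulting assignment grants far more than flow-log reads.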