Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs

Create and configure a custom role on Azure to enable Prisma™ Cloud to access flow logs.
To enable Prisma™ Cloud to access Azure flow logs and monitor flow-related data (such as the volume of traffic a host generates, the top sources of traffic to a host, or which ports are in use), you must grant it the required permissions. The built-in Network Contributor role would work, but it grants a much broader set of permissions (including write access to network resources); it is a best practice to create a custom role so that you follow the principle of least privilege and limit access rights to the bare minimum. Use the Azure Cloud Account Onboarding Checklist to decide which services you want to ingest data from, and add only the permissions those services require to this custom role. To create the custom role, install the Azure CLI, create a limited role named Prisma Cloud - Flow Logs Setting Reader, and then assign that role so that Prisma Cloud can query flow log status.
To create a custom role on Azure, you must have an Azure Active Directory Premium 1 or Premium 2 license plan, and the account you use must be able to write role definitions at the subscription scope (for example, the Owner or User Access Administrator role on the subscription).
  1. Create a custom role using Azure CLI.
    If you have already assigned the built-in Network Contributor role to the identity that Prisma Cloud uses, you can skip this step; the custom role below is the least-privilege alternative.
    • Manually create a custom role JSON file for flow logs only.
      The only permission required is Microsoft.Network/networkWatchers/queryFlowLogStatus/action, a read-only action. The role definition is:
      {
        "Name": "Prisma Cloud - Flow Logs Setting Reader",
        "Id": null,
        "IsCustom": true,
        "Description": "Allows Reading Flow Logs Settings",
        "Actions": [
          "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
        ],
        "NotActions": [],
        "AssignableScopes": [
          "/subscriptions/SUBSCRIPTION-ID-HERE!!!"
        ]
      }
      1. Install the Azure CLI and log in to Azure (az login).
      2. Open a text editor (such as Notepad) and enter the role definition above in JSON format. You can create custom roles using Azure PowerShell, the Azure CLI, or the REST API; these instructions use the Azure CLI (run from PowerShell or a Command Prompt window) to create the custom role with the queryFlowLogStatus permission. Replace SUBSCRIPTION-ID-HERE!!! in the AssignableScopes entry with your Azure subscription ID; the role can only be assigned within the scopes listed there.
      3. Save the JSON file on your local Windows system with a descriptive name, such as ad-role-cli.json.
      4. From the same Windows system, where you are logged in to the Azure CLI, complete the following steps:
        1. Open a PowerShell window (or a Command Prompt window).
        2. Go to the directory where you stored the JSON file.
        3. Enter the following Azure CLI command (replace the JSON filename to match the name you gave your custom role JSON file):
          az role definition create --role-definition "ad-role-cli.json"
          The output is as follows (the id and name are a GUID that Azure generates for the new role definition, so your values will differ):
          {
            "assignableScopes": [
              "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            ],
            "description": "Allows Reading Flow Logs Settings",
            "id": "/subscriptions/16dfdbcc-e407-4fbe-9096-e7a97ee23fb5/providers/Microsoft.Authorization/roleDefinitions/088c8f48-201c-4f8d-893f-7716a8d58fa1",
            "name": "088c8f48-201c-4f8d-893f-7716a8d58fa1",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
                ],
                "dataActions": [],
                "notActions": [],
                "notDataActions": []
              }
            ],
            "roleName": "Prisma Cloud - Flow Logs Setting Reader",
            "roleType": "CustomRole",
            "type": "Microsoft.Authorization/roleDefinitions"
          }
          Check that the actions list contains only the single queryFlowLogStatus action and that assignableScopes names your subscription; if either differs, edit the JSON and rerun the command with az role definition update.
  2. Assign the custom role so that Prisma Cloud can access the flow logs.
    1. Log in to the Microsoft Azure Portal.
    2. Select your subscription (All services > Subscriptions).
    3. Select Access control (IAM) > Add role assignment.
      Verify that you can see the new custom role you created in the Role drop-down.
    4. Select the Prisma Cloud - Flow Logs Setting Reader role, add the identity that Prisma Cloud uses (the application registered for Prisma Cloud during onboarding) as the member, and Save your changes. The assignment grants only the permission to query flow log status, at the subscription scope.
      (Screenshot: configure-custom-role-azure.png)
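The two steps above carried out entirely from the command line, as an added example that is not part of the original Prisma Cloud page: a POSIX shell script that writes the role definition with the real subscription ID substituted, checks it before it is sent to Azure (no leftover placeholder, exactly one action, that action is the read-only queryFlowLogStatus action, no wildcard), and then, only when APPLY=1 is set, runs the same az role definition create command as step 1 followed by az role assignment create, the CLI equivalent of the portal assignment in step 2. The APPLY, SUBSCRIPTION_ID and PRISMA_APP_ID variables are assumptions of this example, as is PRISMA_APP_ID being the application (client) ID of the identity Prisma Cloud uses in your tenant.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs): build, validate and
# optionally apply the least-privilege flow-log role with the Azure CLI.
# Assumptions: "az" is installed and logged in when APPLY=1, and
# PRISMA_APP_ID is the application (client) ID of the Prisma Cloud
# identity (a placeholder name chosen for this example).

ROLE_NAME="Prisma Cloud - Flow Logs Setting Reader"
ROLE_ACTION="Microsoft.Network/networkWatchers/queryFlowLogStatus/action"

# Write the role definition JSON, substituting the real subscription ID
# for the SUBSCRIPTION-ID-HERE!!! placeholder used in the docs.
make_role_definition() {
  sub_id="$1"; out="$2"
  cat > "$out" <<EOF
{
  "Name": "$ROLE_NAME",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows Reading Flow Logs Settings",
  "Actions": [ "$ROLE_ACTION" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$sub_id" ]
}
EOF
}

# Least-privilege check before the file is sent to Azure: the placeholder
# must be gone, exactly one Microsoft.* action may be present, it must be
# the read-only flow-log status action, and there must be no wildcard
# (a wildcard such as Microsoft.Network/* is what Network Contributor grants).
validate_role_definition() {
  f="$1"
  grep -q 'SUBSCRIPTION-ID-HERE' "$f" && return 1
  n=$(grep -o 'Microsoft\.[A-Za-z0-9./]*' "$f" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ] || return 1
  grep -q "\"$ROLE_ACTION\"" "$f" || return 1
  grep -q '\*' "$f" && return 1
  return 0
}

# The real Azure CLI commands: step 1 of the docs (role definition),
# then the CLI form of the step 2 portal role assignment, then a listing
# to confirm what the assignee can now do at the subscription scope.
apply_role() {
  sub_id="$1"; f="$2"; assignee="$3"
  az role definition create --role-definition "$f"
  az role assignment create --assignee "$assignee" \
      --role "$ROLE_NAME" --scope "/subscriptions/$sub_id"
  az role assignment list --assignee "$assignee" \
      --scope "/subscriptions/$sub_id" --output table
}

# Nothing talks to Azure unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
  : "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID to your subscription GUID}"
  : "${PRISMA_APP_ID:?set PRISMA_APP_ID to the Prisma Cloud application ID}"
  make_role_definition "$SUBSCRIPTION_ID" ad-role-cli.json
  validate_role_definition ad-role-cli.json || {
    echo "refusing to apply: role definition is not least-privilege" >&2
    exit 1
  }
  apply_role "$SUBSCRIPTION_ID" ad-role-cli.json "$PRISMA_APP_ID"
fi
```

Run it as APPLY=1 SUBSCRIPTION_ID=<guid> PRISMA_APP_ID=<app-id> sh create-flow-log-role.sh from a shell where az login has already succeeded. Without APPLY=1 the script only defines the functions, so the validation can be exercised offline against any role definition file before it is ever applied; az role assignment create accepts an object ID, application ID or user principal name for --assignee, and the assignment scope should be the same subscription named in AssignableScopes.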
