Set Up Your Azure Subscription for Prisma Cloud
Configure your Azure Government subscription for Prisma™ Cloud to analyze traffic data flow and monitor resources for potential security and compliance issues.
Connect Prisma™ Cloud to your Azure cloud environment so that you can monitor for threats and compliance violations, enable auto-remediation of incidents, and identify hosts and containers that contain vulnerabilities. Before Prisma Cloud can monitor the resources within your Azure Government subscription, you must add Prisma Cloud as an application to your Azure Active Directory and configure your Azure subscription to allow Prisma Cloud to analyze flow log data.
Prisma Cloud requires your Azure
Subscription IDso that it can identify your Azure cloud account and retrieve the storage account and key vault information. Prisma Cloud also needs the
Application Key, and
Service Principal IDto establish the connection between Prisma Cloud and Azure Active Directory so that it can access the resources in your subscription.
- Locate and copy your Azure subscription ID.Prisma Cloud requires theSubscription IDso that it can identify your Azure cloud account and can retrieve the storage account and key vault information.
- Add Prisma Cloud as a new application on Azure Active Directory.Registering Prisma Cloud as an application on Azure AD generates an Application ID. You need this ID and an Application key to authenticate Prisma Cloud on Azure and to maintain a secure connection.
- Log in to Microsoft Azure and select.Azure Active DirectoryApp registrationsNew application registration
- Enter aNameto identify the Prisma Cloud application, select theSupported account typesthat can use the application asAccounts in this organizational directory only, enter your login URL for Prisma Cloud as theRedirect URI, and then clickRegister.The log in URL for Prisma Cloud is the URL you received in your order confirmation email, and it varies depending on your region.
- Generate a client secret for the Prisma Cloud application.The client secret is the application password for Prisma Cloud.
- Selectand select the Prisma Cloud application.Azure Active DirectoryApp RegistrationsAll Applications
- Add a client secret or the application password ().Certificates & SecretsNew client secret
- Enter aDescriptionand select aDuration, which is the term for which the key is valid.
- Addthe new client secret and then copy the value of that new client secret for your records because you cannot view this key after you close this dialog. You will need this new client secret application key when you Add an Azure Subscription on Prisma Cloud.
- Copy the information on the Prisma Cloud application from Azure Active Directory.For Prisma Cloud to interact with the Azure APIs and collect information on your Azure resources, you must capture the following values.
- Select, find the Prisma Cloud application you created, and copy theAzure Active DirectoryApp RegistrationsAll ApplicationsDirectory ID.
- Select.Azure Active DirectoryEnterprise Applications
- Select your Prisma Cloud applicationPropertiesand copy theApplication IDandObject ID.You must enter the Object ID as the Service Principal ID in the next step.Make sure that you get the Object ID for the Prisma Cloud application fromon the Azure portal—not fromEnterprise ApplicationsAll applicationsApp Registrations.
- Grant permissions for the Prisma Cloud application to access information at the Azure Subscription level.
- Select.All ServicesSubscriptions
- Select your subscription andAdd role assignment(Access Control (IAM)).
- Select theRole, verify that Azure AD user, group, or service principal is selected (Assign access to), and select the Prisma Cluod app to assign the roles.Review the Azure Cloud Account Onboarding Checklist for a description of the roles and permissions that are required at the subscription level. Then decide which roles you must add for your security and monitoring needs—Reader Role,Reader and Data Access Role, Create a Custom Role on Azure to Enable Prisma Cloud to Access Flow Logs,Network Contributor Role, orStorage Account Contributor Role.
- (Optional) Grant permission for the Prisma Cloud application to access the Azure Key Vault service.If you use Azure Key Vault to safeguard and manage cryptographic keys and secrets used by your cloud applications and services, Prisma Cloud needs permission to ingest this key vault data.
- From Azure, select.All ServicesKey Vaults
- Select your Key vault name andAccess Policies.
- Select(add) your Prisma Cloud application ().Add newSelect Principal
- SelectListforKey permissionsand forSecret permissions, select bothListandList Certificate AuthoritiesforCertification permissions, and then clickOK.
- (Optional) Grant permission for the Prisma Cloud application to access the catalog related information on Azure Data Lake Analytics account.each Azure Data Lake Analytics account you must assign the Prisma Cloud role to access catalog related information such as ACLs, databases, credentials, external data sources, so that it can ingest metadata.After you assign these permissions to the Azure Data Lake Storage Gen 1 instance if you use the same instance in other Azure Data Lake Analytics accounts, then you do not need to repeat these steps.
- On the Azure portal, go to your Data Lake Analytics account.
- Select Add user wizard.
- Select User, and search for the Prisma Cloud app and select it.
- In the role drop down, choose Reader and click Next
- Under Scope, Assign only Read only permissions and click Next to assign permissions to the files and folders.
- Select the checkboxes in the Read and Execute columns, and clear the Write column, then click Next.
- Verify the tasks and click Run.
- On the Azure portal, Enable Network Watcher and register Insights provider.
- On the Azure portal,Create a storage account on Azure for NSG flow logs.Your Azure storage account stores the flow logs that are required for Prisma Cloud to monitor and analyze network traffic. When Prisma Cloud ingests the data in these logs, you can interact with the information in Prisma Cloud. For example, you can run queries against the data, visualize network topology, and investigate traffic flows between two instances. You can also apply network policies to this traffic.If you do not have regulatory guidelines that specify a log retention period to which you must adhere, we recommend you set retention to at least 15 days.
- On the Azure portal,Enable NSG flow logs.
- Configure Prisma Cloud Reader and Data Access role for your Azure storage account.To ingest Azure flow logs, you have to grant access to the storage account in which the logs are stored. The Reader and Data Access role provides the ability to view everything and allows read/write access to all data contained in a storage account using the associated storage account keys. If your flow logs are stored in storage accounts that belong to one or more subscriptions that are not monitored by Prisma Cloud, you must configure the Prisma Cloud application with the Reader and Data Access role for each storage account.
- After creating your storage account, select.Access control (IAM)Add role assignment
- SelectReader and Data Accessas theRole,Selectthe administrative user to whom you want to assign the role, andSaveyour changes.
Recommended For You
Recommended videos not found.