Troubleshoot Azure Account Onboarding

Follow these tips to troubleshoot any issues that arise when onboarding your Azure account to Prisma Cloud.
After you have completed onboarding your Azure subscription to Prisma Cloud, use these checks to resolve issues if Prisma Cloud cannot retrieve logs and metadata (resource configurations, user activities, network traffic, host vulnerabilities and activities) from your Azure resources. Without the correct permissions and configuration on both the Azure portal and Prisma Cloud, you cannot identify, detect, and remediate issues to manage the risks in your environment.
  • Verify that the cloud account permissions are accurate on Settings > Cloud Accounts > Cloud_Account_Name > Status.
    At every ingestion cycle when Prisma Cloud connects to the Azure subscription to retrieve and process the data, the service validates that you continue to have the permissions required to continue monitoring the resources within your Azure subscription. Periodically, review the status of these checks to learn of any changes or modifications that limit your ability to maintain visibility and security governance over the resources within your Azure subscription.
    • Reader role, and Reader and Data Access role at the subscription level.
      If you see the error "Subscription does not have Reader role(s) assigned", verify that you have entered the correct Service Principal ID. The value Prisma Cloud expects as the Service Principal ID is the Object ID of the Prisma Cloud enterprise application on the Azure portal, not its Application (client) ID. Get the Object ID for the Prisma Cloud application from Enterprise Applications > All applications on the Azure portal.
    • Checks for the Network Contributor role or Custom role that is required to query flow log status.
    • Checks for the Reader and Data Access role on the storage accounts, so that Prisma Cloud can read flow logs stored in storage accounts that belong to subscriptions it does not monitor.
    • Checks for the Storage Account Contributor role (optional and required only for remediation) that is required for auto remediation of policy violations related to storage accounts.
    • Checks whether flow logs are published to the storage account.
  • Check that Azure flow logs are being generated and written to the storage account.
    1. Log in to the Azure portal.
    2. Select Storage Accounts and select the storage account that you want to check.
    3. Select Blobs > Blob Service and navigate through the folders to find the *.json files (NSG flow logs are written to the insights-logs-networksecuritygroupflowevent container). These are the flow logs that Prisma Cloud ingests.
  • On the Azure portal, check that you have created storage accounts in the same regions as the Network Security Groups.
    Network security group (NSG) flow logs are a feature of Network Watcher that lets you view information about ingress and egress IP traffic through an NSG. Azure flow logs must be stored in a storage account in the same region as the NSG.
    1. Log in to Prisma Cloud.
    2. Select Investigate and enter the following RQL query:
       network where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
       This query lists all network traffic from the Internet or from Suspicious IP addresses with more than 0 bytes transferred to a network interface on any resource in any cloud environment. If no Azure traffic appears, the flow logs are not reaching Prisma Cloud.
  • On the Azure portal, verify that you have enabled a Network Watcher instance.
    Network Watcher is required to generate flow logs on Azure. It is enabled per region, so check every region that contains an NSG you want to monitor.
    1. Log in to the Azure portal, select Network Watcher > Overview, and verify that the status is Enabled.
    2. Log in to Prisma Cloud.
    3. Select Investigate and enter the following RQL query:
       config where cloud.type = 'azure' AND api.name = 'azure-network-nsg-list' addcolumn provisioningState
  • On the Azure portal, check that you have enabled flow logs on the NSGs.
    1. Log in to the Azure portal, select Network Watcher > NSG Flow Logs, and verify that the status is Enabled for each NSG.
    2. Log in to Prisma Cloud.
    3. Select Investigate and enter the following RQL query:
       network where source.publicnetwork IN ('Internet IPs', 'Suspicious IPs') AND bytes > 0
       This query lists all network traffic from the Internet or from Suspicious IP addresses with more than 0 bytes transferred to a network interface on any resource in any cloud environment. If the NSGs you enabled produce no results, their flow logs are not being ingested.
  • The cloud account status displays red and includes the error message "Authentication failed. Azure Subscription not found."
    When the Azure subscription is deleted or disabled on the Azure portal, Prisma Cloud can no longer monitor it; the cloud account status displays red and includes the error message "Authentication failed. Azure Subscription not found." Confirm on the Azure portal that the subscription still exists and is active before re-onboarding it.
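The permission and flow-log checks above can also be run offline against the JSON that the Azure CLI returns. The following Python script is an added example, not Prisma Cloud's or Microsoft's code: it reproduces the subscription-level role check (Reader and Reader and Data Access must be assigned at the subscription or a parent management group, not just on a resource group), the Network Contributor check, and the NSG flow-log check (flow log present, enabled, and stored in a storage account in the NSG's own region). The subscription ID, object ID, resource names and regions are placeholders, and the sample records are constructed to mirror the fields of `az role assignment list --assignee <objectId> --include-inherited -o json`, `az network nsg list -o json`, `az storage account list -o json` and `az network watcher flow-log list --location <region> -o json`.

```python
"""Offline versions of the Azure onboarding checks on this page.

Placeholder identifiers (not a real tenant):
  SUBSCRIPTION_ID  the Azure subscription onboarded to Prisma Cloud
  PRINCIPAL_ID     the Object ID of the Prisma Cloud enterprise application
The sample records below are constructed to mirror the fields returned by
`az role assignment list --assignee <objectId> --include-inherited -o json`,
`az network nsg list -o json`, `az storage account list -o json` and
`az network watcher flow-log list --location <region> -o json`.
"""

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
RG = f"{SUB_SCOPE}/resourceGroups/rg-net"

# Roles Prisma Cloud checks for at subscription scope (Reader alone is not enough).
REQUIRED_SUBSCRIPTION_ROLES = frozenset({"Reader", "Reader and Data Access"})

# Constructed sample: "Reader and Data Access" is granted only on one resource group,
# which is exactly the misconfiguration the subscription-level check rejects.
ROLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader", "scope": SUB_SCOPE},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader and Data Access",
     "scope": f"{SUB_SCOPE}/resourceGroups/rg-flowlogs"},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Network Contributor", "scope": SUB_SCOPE},
]

# Constructed sample: nsg-db's flow log lands in an East US storage account although the
# NSG is in West US, and nsg-app has no flow log at all.
NSGS = [
    {"name": "nsg-web", "location": "eastus",
     "id": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/nsg-web"},
    {"name": "nsg-db", "location": "westus",
     "id": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/nsg-db"},
    {"name": "nsg-app", "location": "eastus",
     "id": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/nsg-app"},
]
STORAGE_ACCOUNTS = [
    {"name": "stflowlogseast", "location": "eastus",
     "id": f"{RG}/providers/Microsoft.Storage/storageAccounts/stflowlogseast"},
]
FLOW_LOGS = [
    {"name": "fl-web", "enabled": True, "targetResourceId": NSGS[0]["id"],
     "storageId": STORAGE_ACCOUNTS[0]["id"]},
    {"name": "fl-db", "enabled": True, "targetResourceId": NSGS[1]["id"],
     "storageId": STORAGE_ACCOUNTS[0]["id"]},
]


def _covers_subscription(scope: str) -> bool:
    """True if an assignment at this scope applies to the whole subscription:
    the subscription itself or a management group above it (inherited assignment)."""
    scope = scope.rstrip("/").lower()
    return (scope == SUB_SCOPE.lower()
            or scope.startswith("/providers/microsoft.management/managementgroups/"))


def missing_subscription_roles(assignments, principal_id=PRINCIPAL_ID):
    """Required roles the principal does NOT hold at subscription level.
    Assignments scoped to a resource group or a single resource are ignored,
    which is why they trigger 'Subscription does not have Reader role(s) assigned'."""
    held = {a["roleDefinitionName"] for a in assignments
            if a["principalId"] == principal_id and _covers_subscription(a["scope"])}
    return sorted(REQUIRED_SUBSCRIPTION_ROLES - held)


def can_query_flow_log_status(assignments, principal_id=PRINCIPAL_ID):
    """Network Contributor at subscription level satisfies the flow-log status check.
    A custom role can satisfy it too, but that cannot be judged by role name alone."""
    return any(a["principalId"] == principal_id
               and a["roleDefinitionName"] == "Network Contributor"
               and _covers_subscription(a["scope"]) for a in assignments)


def flow_log_problems(nsgs, flow_logs, storage_accounts):
    """One message per NSG whose flow logs Prisma Cloud cannot ingest, and why."""
    storage_by_id = {s["id"].lower(): s for s in storage_accounts}
    flow_log_by_nsg = {f["targetResourceId"].lower(): f for f in flow_logs}
    problems = []
    for nsg in nsgs:
        fl = flow_log_by_nsg.get(nsg["id"].lower())
        if fl is None:
            problems.append(f"{nsg['name']}: no flow log (enable one under Network Watcher > NSG Flow Logs)")
        elif not fl.get("enabled", False):
            problems.append(f"{nsg['name']}: flow log {fl['name']} is disabled")
        elif (sa := storage_by_id.get(fl["storageId"].lower())) is None:
            # Not in this subscription's storage accounts; if it lives in another
            # subscription, Reader and Data Access is needed on it there as well.
            problems.append(f"{nsg['name']}: storage account {fl['storageId']} not found in this subscription")
        elif sa["location"].lower() != nsg["location"].lower():
            problems.append(f"{nsg['name']} ({nsg['location']}): storage account {sa['name']} "
                            f"is in {sa['location']}; it must be in the NSG's region")
    return problems


if __name__ == "__main__":
    for line in missing_subscription_roles(ROLE_ASSIGNMENTS) or ["(subscription roles OK)"]:
        print("role check:", line)
    print("can query flow log status:", can_query_flow_log_status(ROLE_ASSIGNMENTS))
    for line in flow_log_problems(NSGS, FLOW_LOGS, STORAGE_ACCOUNTS) or ["(flow logs OK)"]:
        print("flow log check:", line)
```

With the constructed sample the role check reports only "Reader and Data Access" as missing (it is assigned, but on a resource group rather than the subscription), and the flow-log check flags nsg-db for a cross-region storage account and nsg-app for having no flow log. To run it against a real subscription, replace the constant lists with the parsed output of the `az` commands named in the docstring.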
