Begin Scanning a Microsoft Azure Storage App
Configure your Microsoft Azure Storage app to connect to Prisma SaaS to enable the monitoring and scanning of your resources.
Before you can begin scanning a Microsoft Azure Storage app, you must complete the following prerequisites:
Ensure that you have the required permissions to create an application in Azure Active Directory (AAD).
Create an AAD application. In a text editor (such as Notepad), copy the Application ID and the name of the application to use later in this procedure.
Note the Tenant ID, which is the ID of the AAD directory in which you created the application. In a text editor (such as Notepad), copy the Directory ID to use later in this procedure. The Directory ID value is the tenant ID required to connect Azure to Prisma SaaS.
Enable the roles required by the AAD application. From your subscription, select Access control (IAM) and assign the following roles:
- Reader role to the AAD application on the subscriptions to scan.
- Storage Account Key Operator Service Role to the AAD application on the subscriptions or storage accounts to scan.
To begin scanning a Microsoft Azure Storage app:
- Prepare your Microsoft Azure Storage account to connect to Prisma SaaS.
- Select the application to register with the Azure AD tenant.
- Register the application to provide secure sign-in and authorization for Prisma SaaS. You can add a New application registration or select an app that has already been registered by clicking on the app in the list.
- (Optional) Enter the application Name, Application Type, and Sign-on URL to Create a new application registration.
- Enable the permissions API for Microsoft Graph.
- Click Settings for the registered app.
- Select Required Permissions > Add > Select an API > Microsoft Graph.
- In Application Permissions and Delegated Permissions, enable Read all users’ full profiles, then add the permissions.
- Save your Microsoft Graph API setting.
- Enable the delegated permissions API for Windows Azure Active Directory.
- Click Settings for the registered app.
- Select Required Permissions > Add > Windows Azure Active Directory.
- Enable Read directory data in Application Permissions and Read all users’ full profiles in Delegated Permissions.
- Save your Windows Azure Active Directory API setting.
- Grant application and delegated permissions.
- Click Settings for the registered app.
- Select Required Permissions > Grant Permissions. A confirmation window displays to Grant Permissions for all accounts in the current directory. Select Yes to grant the permissions for the accounts.
- You will need the Application ID, Directory ID, and Application Key for your registered application, as they are required to complete the setup of the Microsoft Azure Storage app on Prisma SaaS.
- Select Azure Active Directory > Properties. Copy the Directory ID to enter during app installation.
- Click Settings > Keys. Provide a description of the key and a duration for the key, then Save the key. The key value is the Application Key to enter during app installation. After saving the key, the value of the key is displayed. Copy this value because you will not be able to retrieve the key later.
- Prisma SaaS can continuously scan for Azure Storage subscriptions and accounts to identify and report any new accounts, activities, and events with the iterative scanning service. The service also scans and identifies users assigned to Subscriptions, Resources, Groups, Containers and Storage Accounts. To enable iterative scan on Prisma SaaS, you need to configure the diagnostic service settings in Azure for each storage account.
- Select the storage account to configure the diagnostic service settings, and then select Monitoring > Diagnostic Settings. If the settings are not already enabled, turn the status On.
- Select the type of Metrics and Logging data for each service you wish to monitor, and the retention policy for the data by moving the retention in days slider from 1 to 365. The default for new storage accounts is 7 days.
- Save your monitoring configuration.
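The Azure-side prerequisites above (app registration, API permissions, role assignments, client secret, and storage diagnostics) can be scripted instead of clicked through. The following Az PowerShell script is an added example, not code from the Prisma SaaS documentation or from Palo Alto Networks. It assumes the Az.Resources and Az.Storage modules are installed, that Connect-AzAccount has already been run as a user allowed to create app registrations and assign roles, and that every name and ID below is a placeholder you replace. It requests both the Microsoft Graph and the directory permissions from Microsoft Graph (User.Read.All and Directory.Read.All, which are the permission names behind "Read all users’ full profiles" and "Read directory data"), because the Windows Azure Active Directory API named on the page has since been retired.

```powershell
# Added example: automate the Azure-side prerequisites for the Prisma SaaS Azure Storage app.
# Assumes Az.Resources / Az.Storage are installed and Connect-AzAccount has already been run.
$appName        = 'PrismaSaaS-Scanner'              # placeholder display name
$subscriptionId = '<your-subscription-id>'          # placeholder
$scanScope      = "/subscriptions/$subscriptionId"  # or a single storage account resource ID
$storageRg      = '<resource-group>'                # placeholder
$storageAccount = '<storageaccountname>'            # placeholder

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Register the application and create its service principal (the "AAD Application").
$app = New-AzADApplication -DisplayName $appName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Request the API permissions the procedure lists. The permission IDs are looked up by
#    name on the Microsoft Graph service principal rather than hard-coded.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$graph      = Get-AzADServicePrincipal -ApplicationId $graphAppId
foreach ($name in 'User.Read.All', 'Directory.Read.All') {
    $role  = $graph.AppRole               | Where-Object Value -eq $name   # application permission
    $scope = $graph.Oauth2PermissionScope | Where-Object Value -eq $name   # delegated permission
    Add-AzADAppPermission -ApplicationId $app.AppId -ApiId $graphAppId -PermissionId $role.Id  -Type Role
    Add-AzADAppPermission -ApplicationId $app.AppId -ApiId $graphAppId -PermissionId $scope.Id -Type Scope
}
# Admin consent (the portal's "Grant Permissions" step) must still be given by a directory admin.

# 3. Assign the two RBAC roles the page requires, scoped as narrowly as the scan allows.
foreach ($roleName in 'Reader', 'Storage Account Key Operator Service Role') {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scanScope | Out-Null
}

# 4. Create the client secret (the "Application Key"). Its value is returned only once,
#    in the SecretText property (assumes Az.Resources 5.x or later).
$cred     = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)
$tenantId = (Get-AzContext).Tenant.Id   # the Directory ID / Tenant ID the procedure asks for

# 5. Enable classic logging and hourly metrics on the storage account with 365-day retention.
#    Storage Analytics logging is not available for the File service, so only metrics are set there.
$ctx = (Get-AzStorageAccount -ResourceGroupName $storageRg -Name $storageAccount).Context
foreach ($svc in 'Blob', 'Queue', 'Table') {
    Set-AzStorageServiceLoggingProperty -ServiceType $svc -LoggingOperations All -RetentionDays 365 -Context $ctx
}
foreach ($svc in 'Blob', 'Queue', 'Table', 'File') {
    Set-AzStorageServiceMetricsProperty -ServiceType $svc -MetricsType Hour -MetricsLevel ServiceAndApi -RetentionDays 365 -Context $ctx
}

# Values to enter in the Prisma SaaS "Connect to Account" dialog.
[pscustomobject]@{
    DirectoryId    = $tenantId
    ApplicationId  = $app.AppId
    ApplicationKey = $cred.SecretText   # keep in a secrets manager, not in a text file
}
```

Scoping the role assignments to a single storage account resource ID instead of the whole subscription keeps the Key Operator role, which can list and regenerate account keys, limited to the accounts you actually intend to scan.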
- Add the Microsoft Azure Storage app on Prisma SaaS.
- From the Prisma SaaS Dashboard, Add a Cloud App.
- Select Microsoft Azure Storage.
- Configure your Microsoft Azure Storage settings.
- Click Connect to Account.
- Enter the Directory ID, Application ID, and Application Key you recorded in the previous steps.
- Select the Azure subscriptions to monitor.
- Enable a Subscription to scan from the discovered list, or select Automatically scan all new subscriptions.
- Review initial scan discoveries and complete the Azure app installation. View Details on the discovered containers to review the discoveries and determine whether you want to proceed with scanning:
- To proceed with scanning all discovered containers, enable Scan all current and any new containers and then Save your scan setting.
- To proceed with scanning individual containers and subscriptions, select the items to scan and then Save your scan setting.
- If you do not want to proceed with scanning the discovered containers, select Cancel to abort the installation.
- Save the Azure Cloud Storage app to the list of Cloud Apps.
- (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
- Select the Azure Cloud Storage link on the Cloud Apps list.
- Enter a descriptive Name to differentiate this instance of the Azure Cloud Storage app from other instances you are managing.
- Add policy rules. When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of MS Azure Storage to determine whether you need to add new asset rules, security control rules, or user activity rules to look for risks unique to your enterprise.
- (Optional) Configure or edit a data pattern. When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, which makes it possible to find all instances of text that match a data pattern you specify.
- Start scanning the new Azure Cloud Storage app for risks.
- Select Settings > Cloud Apps & Scan Settings.
- In the Cloud Apps row that corresponds to the new Azure Cloud Storage app, select Actions > Start Scanning. The status changes to Scanning. Prisma SaaS starts scanning all assets in the associated Azure Cloud Storage app and begins identifying incidents. Depending on the number of Azure assets, it may take some time for the service to complete the process of discovering all assets and users. However, as soon as you begin to see this information populating on the Prisma SaaS Dashboard, you can begin to Assess Incidents.
- Monitor the results of the scan. As Prisma SaaS starts scanning files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective. Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results. (Optional) To view the status of Subscriptions and Containers being scanned, select Settings > Cloud App and Scan Settings. Select an Azure app from the list of Cloud Apps and expand the Subscriptions and Containers to view the scan details.