Begin Scanning a Microsoft Azure Storage App

Configure your Microsoft Azure Storage app to connect to Prisma SaaS to enable the monitoring and scanning of your resources.
Before you can begin scanning a Microsoft Azure Storage app, you must complete the following prerequisites:
  • Ensure that you have the required permissions to create an application in Azure Active Directory (AAD). See Check Azure Active Directory Permissions in the Microsoft documentation.
  • Create an AAD application. In a text editor (such as Notepad), copy the Application ID and the name of the application to use later in this procedure. See Create an Azure Active Directory Application in the Microsoft documentation.
  • Get the Tenant ID, which is the ID of the AAD directory in which you created the application. In a text editor (such as Notepad), copy the Directory ID to use later in this procedure; the Directory ID value is the tenant ID required to install the Azure app on Prisma SaaS. See Get Tenant ID in the Microsoft documentation.
  • Assign the Reader role to the AAD application on the subscriptions to scan, and assign the Storage Account Key Operator Service Role to the AAD application on the subscriptions or storage accounts to scan. Because the key-operator role can regenerate account keys as well as list them, scope it to the individual storage accounts you intend to scan rather than to a whole subscription wherever that is practical. See Assign Application to Role in the Microsoft documentation.
Enable the roles required by the AAD application. From your subscription, select Access control (IAM) > Add > Role, and enable the following roles:
  • Reader Role (subscription scans): the Reader role can view existing Azure resources and is required for monitoring subscriptions.
  • Storage Account Key Operator Service Role (storage account scans): this role permits the application identity to list and regenerate storage account access keys, and is required for scanning storage accounts. It is not a read-only role; an attacker holding the application key could rotate the keys of every storage account in scope, so keep the scope as narrow as the scan requires.
(Screenshot: microsoft-azure-storage-enable-role.png)
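The role assignments above are the one place in this setup where the scanner identity can quietly end up over-privileged, so it is worth auditing them after the fact. The following Python script is an added example, not code from this page or from Prisma SaaS: it checks the assignments held by the AAD application against what the page requires (Reader on every subscription to scan, and Storage Account Key Operator Service Role on either the subscription or a storage account inside it) and flags broader roles. It assumes the input is the JSON printed by `az role assignment list --all --assignee <application-id>` and that each record carries `roleDefinitionName` and `scope` fields; the over-broad role list, the subscription IDs and the assignments embedded below are constructed for the example.

```python
"""Audit the Azure RBAC assignments held by the AAD application Prisma SaaS uses.

Added example, not Prisma SaaS or Microsoft code.  Input is assumed to be the
JSON printed by `az role assignment list --all --assignee <application-id>`;
only the `roleDefinitionName` and `scope` fields are read.  The sample data
below is constructed.
"""
import json
import re

# Roles the page requires for the scanner identity, and nothing more.
SUBSCRIPTION_ROLE = "Reader"
KEY_ROLE = "Storage Account Key Operator Service Role"

# Roles broader than the page requires.  Any of these on the scanner identity
# is an over-grant to remove.  (Assumed list; extend it for your tenant.)
OVERBROAD_ROLES = {
    "Owner",
    "Contributor",
    "User Access Administrator",
    "Storage Account Contributor",
    "Storage Blob Data Owner",
}

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SUBSCRIPTION_SCOPE = re.compile(rf"^/subscriptions/({GUID})$", re.I)
STORAGE_ACCOUNT_SCOPE = re.compile(
    rf"^/subscriptions/({GUID})/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/[^/]+$",
    re.I,
)


def audit_assignments(assignments, subscriptions_to_scan):
    """Return {'missing': [(role, scope)], 'overbroad': [(role, scope)]}.

    Assignments inherited from a management group carry a
    /providers/Microsoft.Management/... scope and are deliberately not
    recognised, so the audit errs toward reporting a role as missing rather
    than silently accepting an inherited one.
    """
    reader_subs = set()
    key_role_subs = set()
    overbroad = []
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"]
        if role in OVERBROAD_ROLES:
            overbroad.append((role, scope))
        sub_match = SUBSCRIPTION_SCOPE.match(scope)
        if sub_match and role == SUBSCRIPTION_ROLE:
            reader_subs.add(sub_match.group(1).lower())
        if role == KEY_ROLE:
            # The key-operator role satisfies the requirement whether it is
            # granted on the whole subscription or on one storage account in it.
            m = sub_match or STORAGE_ACCOUNT_SCOPE.match(scope)
            if m:
                key_role_subs.add(m.group(1).lower())

    missing = []
    for sub in subscriptions_to_scan:
        sub = sub.lower()
        if sub not in reader_subs:
            missing.append((SUBSCRIPTION_ROLE, f"/subscriptions/{sub}"))
        if sub not in key_role_subs:
            missing.append((KEY_ROLE, f"/subscriptions/{sub}"))
    return {"missing": missing, "overbroad": overbroad}


# Constructed sample: two subscriptions.  The first is set up as the page
# describes; the second was given Contributor instead of the two scoped roles.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_A}"}},
  {{"roleDefinitionName": "{KEY_ROLE}",
    "scope": "/subscriptions/{SUB_A}/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprismasample"}},
  {{"roleDefinitionName": "Contributor", "scope": "/subscriptions/{SUB_B}"}}
]""")


def main():
    report = audit_assignments(SAMPLE_ASSIGNMENTS, [SUB_A, SUB_B])
    for role, scope in report["missing"]:
        print(f"MISSING   {role} on {scope}")
    for role, scope in report["overbroad"]:
        print(f"OVERBROAD {role} on {scope}")


if __name__ == "__main__":
    main()
```

Run it against the real CLI output by replacing `SAMPLE_ASSIGNMENTS` with `json.load(open("assignments.json"))` and the subscription list with the IDs you enable in Prisma SaaS. A Contributor grant makes the scan work just as well as the two named roles, which is exactly why it tends to survive; the audit reports it as both over-broad and, for the specific roles, missing.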
To begin scanning a Microsoft Azure Storage app:
  1. Prepare your Microsoft Azure Storage account to connect to Prisma SaaS.
    1. Select the application to register with the Azure AD tenant.
      1. Log in to Microsoft Azure.
      2. Select Azure Active Directory > App registrations.
      (Screenshot: microsoft-azure-app-registrations.png)
    2. Register the application to provide secure sign-in and authorization for Prisma SaaS. You can add a New application registration, or select an app that has already been registered by clicking on it in the list.
      (Screenshot: microsoft-azure-register-app.png)
    3. (Optional) Enter the application Name, Application Type, and Sign-on URL, then Create the new application registration.
    4. Enable the permissions API for Microsoft Graph.
      1. Click Settings for the registered app.
        (Screenshot: microsoft-azure-app-settings.png)
      2. Select Required Permissions > Add > Select an API > Microsoft Graph.
        (Screenshot: microsoft-azure-required-permissions.png)
      3. Add permissions: enable Read all users' full profiles under both Application Permissions and Delegated Permissions.
        (Screenshot: microsoft-azure-enable-access-graph.png)
      4. Save your Microsoft Graph API setting.
    5. Enable the delegated permissions API for Windows Azure Active Directory.
      1. Click Settings for the registered app.
      2. Select Required Permissions > Add > Windows Azure Active Directory.
        (Screenshot: microsoft-azure-add-api-access.png)
      3. Enable Read directory data under Application Permissions and Read all users' full profiles under Delegated Permissions.
      4. Save your Windows Azure Active Directory API setting.
        (Screenshot: microsoft-azure-enable-access-windows.png)
    6. Grant application and delegated permissions.
      1. Click Settings for the registered app.
      2. Select Required Permissions > Grant Permissions.
        (Screenshot: microsoft-azure-grant-permissions.png)
      A confirmation window asks whether to Grant Permissions for all accounts in the current directory. Select Yes to grant the permissions. This is a directory-wide consent: the application permissions enabled above (reading all users' full profiles and directory data) take effect for the whole tenant, not only for the account that clicked Yes.
    7. You will need the Application ID, Directory ID, and Application Key for your registered application, as they are required to complete the setup of the Microsoft Azure Storage app on Prisma SaaS. For new applications that are not yet registered, set up an Application ID, Directory ID and Application Key on Azure Resource Manager.
      1. Log in to Microsoft Azure, select the registered app, and copy the Application ID to enter during app installation.
        (Screenshot: microsoft-azure-application-id.png)
      2. Select Azure Active Directory > Properties. Copy the Directory ID to enter during app installation.
        (Screenshot: microsoft-azure-directory-id.png)
      3. Click Settings > Keys. Provide a description of the key and a duration for the key, then Save the key. The key value is the Application Key to enter during app installation. After saving the key, the value of the key is displayed; copy it now, because you cannot retrieve it later. Unlike the Application ID and Directory ID, the Application Key is a credential that authenticates as the application with every role assigned above, so store it in a password manager or secret store rather than a plain text file, and record the expiry you chose so the key can be rotated in both Azure and Prisma SaaS before it lapses.
        (Screenshot: microsoft-azure-enter-key.png)
    8. Prisma SaaS can continuously scan Azure Storage subscriptions and accounts to identify and report any new accounts, activities, and events with the iterative scanning service. The service also scans and identifies users assigned to Subscriptions, Resources, Groups, Containers and Storage Accounts. To enable iterative scanning on Prisma SaaS, configure the diagnostic service settings in Azure for each storage account.
      1. Select the storage account to configure, then select Monitoring > Diagnostic Settings. If the settings are not already enabled, turn the status On.
      2. Select the type of Metrics and Logging data for each service you wish to monitor, and the retention policy for the data by moving the retention-in-days slider from 1 to 365. The default for new storage accounts is 7 days; activity older than the retention window is gone before Prisma SaaS or an investigator can read it, so choose a value that covers your scan interval and incident response needs.
      3. Save your monitoring configuration.
      (Screenshot: microsoft-azure-diagnostic-settings.png)
  2. Add the Microsoft Azure Storage app on Prisma SaaS.
    1. From the Prisma SaaS Dashboard, Add a Cloud App.
    2. Select Microsoft Azure Storage.
      (Screenshot: microsoft-azure-tile-frame.png)
    3. Configure your Microsoft Azure Storage settings.
      1. Click Connect to Account.
      2. Enter the Directory ID, Application ID, and Application Key you recorded in the previous steps.
      3. Click Next.
      (Screenshot: microsoft-azure-connect-acount-to-ps.png)
    4. Select the Azure subscriptions to monitor.
      1. Enable a Subscription to scan from the discovered list, or select Automatically scan all new subscriptions.
      2. Click Next.
      (Screenshot: microsoft-azure-select-subscriptions.png)
    5. Review initial scan discoveries and complete the Azure app installation. Use View Details on the discovered containers to review the discoveries and determine whether you want to proceed with scanning:
      • To scan all discovered containers, enable Scan all current and any new containers and then Save your scan setting.
      • To scan individual containers and subscriptions, select the items to scan and then Save your scan setting.
      • If you do not want to proceed with scanning the discovered containers, select Cancel to abort the installation.
      Saving adds the Azure Cloud Storage app to the list of Cloud Apps.
  3. (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
    1. Select the Azure Cloud Storage link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of the Azure Cloud Storage app from other instances you are managing.
  4. Add policy rules.
    When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of MS Azure Storage to determine whether you need to add new asset rules, security control rules, or user activity rules to look for risks unique to your enterprise.
  5. (Optional) Configure or edit a data pattern.
    In addition to the default data patterns that the initial scan applies, you can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, so that every instance of text matching a pattern you specify is found.
  6. Start scanning the new Azure Cloud Storage app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Azure Cloud Storage app, select Actions > Start Scanning.
      The status changes to Scanning. Prisma SaaS starts scanning all assets in the associated Azure Cloud Storage app and begins identifying incidents. Depending on the number of Azure assets, it may take some time for the service to discover all assets and users. However, as soon as you begin to see this information populating on the Prisma SaaS Dashboard, you can begin to Assess Incidents.
  7. Monitor the results of the scan.
    As Prisma SaaS starts scanning files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective. Monitoring the progress of the scan during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
    (Optional) To view the status of Subscriptions and Containers being scanned, select Settings > Cloud Apps & Scan Settings. Select an Azure app from the list of Cloud Apps and expand the Subscriptions and Containers to view the scan details.
    (Screenshot: microsoft-azure-view-subscription-status.png)
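Two of the Azure-side preparation steps leave something that decays: the Application Key from step 7 expires at the duration you chose, and the diagnostic logging from step 8 keeps events only for the retention window you set. The following Python script is an added example, not code from this page or from Prisma SaaS. It classifies each application key as expired, expiring or ok, and reports any storage account whose blob logging is missing an operation or keeps fewer than a chosen number of days. It assumes the credential records carry `keyId`, `displayName` and `endDateTime` as `az ad app credential list --id <application-id>` prints them, and that the logging document matches `az storage logging show --account-name <name>` (per-service `read`/`write`/`delete` flags and a `retentionPolicy`); both shapes, the 30-day warning, the 7-day minimum and all sample data are assumptions constructed for the example.

```python
"""Checks for the application key and storage diagnostic logging set up in the
Azure-side preparation.

Added example, not Prisma SaaS or Microsoft code.  Credential records are
assumed to look like `az ad app credential list --id <application-id>` output
(fields keyId, displayName, endDateTime) and logging documents like
`az storage logging show --account-name <name>` output (per-service
read/write/delete flags and a retentionPolicy).  Which operations to log and
how long to keep them are local choices, not values from the page.  All
sample data below is constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

_FRACTION = re.compile(r"\.(\d{1,6})\d*")


def parse_azure_time(value):
    """Parse an Azure timestamp into an aware datetime.

    Azure may emit seven fractional-second digits (e.g. ...00.1234567Z), which
    datetime.fromisoformat rejects, so the fraction is cut to six digits.
    """
    value = _FRACTION.sub(lambda m: "." + m.group(1), value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value)


def check_secret_expiry(credentials, now, warn_days=30):
    """Classify each application key as 'expired', 'expiring' (within
    warn_days) or 'ok'.  Returns a list of (keyId, displayName, status, days_left)."""
    results = []
    for cred in credentials:
        remaining = parse_azure_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((cred["keyId"], cred.get("displayName"), status, remaining.days))
    return results


def check_logging(account_name, logging_doc, services=("blob",), min_retention_days=7):
    """Return a list of problems with a storage account's diagnostic logging:
    read/write/delete logging off, or retention disabled or shorter than
    min_retention_days, for each service in `services`."""
    problems = []
    for svc in services:
        cfg = logging_doc.get(svc)
        if cfg is None:
            problems.append(f"{account_name}/{svc}: no logging configuration")
            continue
        for op in ("read", "write", "delete"):
            if not cfg.get(op):
                problems.append(f"{account_name}/{svc}: {op} logging disabled")
        policy = cfg.get("retentionPolicy") or {}
        if not policy.get("enabled"):
            problems.append(f"{account_name}/{svc}: retention policy disabled")
        elif (policy.get("days") or 0) < min_retention_days:
            problems.append(f"{account_name}/{svc}: retention {policy.get('days')} days "
                            f"is below {min_retention_days}")
    return problems


# Constructed samples.  A fixed "now" keeps the expiry results reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = json.loads("""[
  {"keyId": "aaaa0000-0000-0000-0000-000000000001", "displayName": "prisma-saas",
   "endDateTime": "2024-06-11T00:00:00.1234567Z"},
  {"keyId": "aaaa0000-0000-0000-0000-000000000002", "displayName": "old",
   "endDateTime": "2024-05-01T00:00:00Z"},
  {"keyId": "aaaa0000-0000-0000-0000-000000000003", "displayName": "prisma-saas-2025",
   "endDateTime": "2025-07-05T00:00:00Z"}
]""")
SAMPLE_LOGGING = {
    "stgood": {"blob": {"read": True, "write": True, "delete": True,
                        "retentionPolicy": {"enabled": True, "days": 30}, "version": "1.0"}},
    "stweak": {"blob": {"read": True, "write": False, "delete": True,
                        "retentionPolicy": {"enabled": True, "days": 3}, "version": "1.0"}},
}


def main():
    for key_id, name, status, days in check_secret_expiry(SAMPLE_CREDENTIALS, NOW):
        print(f"{status:8} {name} ({key_id}) {days:+d} days")
    for account, doc in SAMPLE_LOGGING.items():
        for problem in check_logging(account, doc):
            print("LOGGING ", problem)


if __name__ == "__main__":
    main()
```

Pass `datetime.now(timezone.utc)` instead of the fixed `NOW` when running against real output, and feed `check_logging` one document per storage account you enabled in Prisma SaaS. An "expiring" key is the cue to create a new key in Azure and update the Prisma SaaS app before the old one lapses, since an expired key stops the scan silently from Azure's point of view.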
