This guide describes how to configure agentless vulnerability and compliance scanning for virtual machines in Microsoft Azure subscriptions.
This article will use a credential dedicated to the agentless scanning process. In Prisma Cloud Enterprise Edition / SaaS, you have the additional option of using a Prisma Cloud onboarded account credential which will be covered in a future article. The creation and use of an Azure service principal credential are also supported in SaaS.
To follow along, you will need:
A helpful list of reference material can be found at the end of this document.
Create a Service Principal dedicated to the agentless scanning procedure.
Step 1: Using the Azure CLI, execute the command below. Replace the name and subscription ID with your own custom values:
az ad sp create-for-rbac --name your-service-principal-name name --scopes /subscriptions/your-subscription-id-here --role reader --sdk-auth
You should receive a result as this:
$ az ad sp create-for-rbac --name sp-new-azure-agentless-scanner --scopes /subscriptions/your-subscription-ID --role reader --sdk-auth
Creating 'reader' role assignment under scope '/subscriptions/your-subscription-ID'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check
the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
"clientId": "service-principal-client-ID",
"clientSecret": "service-principal-client-secret",
"subscriptionId": "subscription-ID",
"tenantId": "tenant-ID",
"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
"resourceManagerEndpointUrl": "https://management.azure.com/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
"galleryEndpointUrl": "https://gallery.azure.com/",
"managementEndpointUrl": "https://management.core.windows.net/"
}
We need to configure the cloud credentials in order to get the permissions template assigned to the service principal.
Step 1: Login to the Compute console and navigate to Manage > Cloud Accounts
Step 2: Click Add Account.
Step 3: Select Azure from the “Select Cloud Provider” dropdown menu, enter a name, a description (optional), and then select the “Service Key” radio button.
Step 4: Copy and paste the entire JSON output from Step 1 into the “Service Key” field. Then click “Next”
Step 5: Enter your Console URL and port, then click “Download” to get a file archive with the permission templates.
Note: you will receive an archive similar to this .tar.gz
It will have the following .json files in it:
Step 6: All of the Advanced Settings are optional.
Step 7: Click “Next” to proceed to the next section.
Step 8: You can leave Cloud Discovery disabled because this credential will not have sufficient permissions to perform Cloud Discovery.
Step 9: Then click “Add Account” to complete the credential setup within Compute. You will find that the new credential has a green checkmark under “Agentless scan”; however, we still aren’t ready for a successful scan.
Step 1: Use the role_definition.json file to create a new custom role.
az role definition create --role-definition "role_definition.json"
You should receive a result like this:
$ az role definition create --role-definition "role_definition.json"
The underlying Active Directory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
{
"assignableScopes": [
"/subscriptions/your-subscription-ID"
],
"description": "Can create and manage VMs, snapshots, disks, network interfaces and security groups",
"id": "/subscriptions/your-subscription-ID/providers/Microsoft.Authorization/roleDefinitions/05504b7f-8d89-49ae-9a9e-e8e075185423",
"name": "05504b7f-8d89-49ae-9a9e-e8e075185423",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Network/networkInterfaces/read",
…
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/instanceView/read"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Prisma Cloud Compute Agentless Scanner",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Step 2: Assign the new role to the new service principal.
az role assignment create --assignee "new-service-principal-id" --role "Prisma Cloud Compute Agentless Scanner" --scope "/subscriptions/your-subscription-id"
You should receive a result like this:
$ az role assignment create --assignee "new-service-principal-ID" --role "Prisma Cloud Compute Agentless Scanner" --scope "/subscriptions/new-service-principal-ID"
The underlying Active Directory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration:
https://docs.microsoft.com/cli/azure/microsoft-graph-migration
{
"canDelegate": null,
"condition": null,
"conditionVersion": null,
"description": null,
"id": "/subscriptions/new-service-principal-ID/providers/Microsoft.Authorization/roleAssignments/9d3943e7-fe1f-4230-82cf-2cfc6719196a",
"name": "9d3943e7-fe1f-4230-82cf-2cfc6719196a",
"principalId": "e4856716-f8e1-4c8c-9867-0d333a1dccf0",
"principalType": "ServicePrincipal",
"roleDefinitionId": "/subscriptions/new-service-principal-ID/providers/Microsoft.Authorization/roleDefinitions/05504b7f-8d89-49ae-9a9e-e8e075185423",
"scope": "/subscriptions/new-service-principal-ID",
"type": "Microsoft.Authorization/roleAssignments"
}
Step 1: Return to the Compute console and the Cloud Accounts page.
Step 2: Click the icon for “Trigger Discovery or Scan Agentless” to open a dropdown menu and then click “Start Agentless scan”.
Step 3: You should find the activity and progress for Azure agentless scanning in the top right corner of the console window.
Step 4: You can also search for the keyword “scan” in the Virtual Machine list within the Azure console to confirm that the temporary scanners have been created.
Step 5: Eventually you will see more progress in the Compute console status.
Step 6: View the console logs at Manage > Logs > Console and search for “agentless”
to see the related API activity.
Step 1: In the Compute console, navigate to Monitor > Vulnerabilities > Hosts then select the Hosts subsection. Set the filter to “Scanned by: Agentless” and add a VM name or keyword to the search for virtual machines which are to be scanned.
Step 2: Click on one of the entries to see the scan details. Check the scan time to see that it was recent. You will also be able to confirm that it was discovered in Azure.
Step 3: Check the Compliance Monitor under Monitor > Compliance > Hosts and the Hosts subsection to ensure you are getting valuable results there as well!
Brandon Goldstein is the senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.
