How To Configure Agentless VM Scanning For Azure Cloud Accounts In Compute SaaS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker
100% helpful (1/1)

By Brandon Goldstein, Senior Customer Success Engineer

 

Overview


This guide describes how to configure agentless vulnerability and compliance scanning of virtual machines in Microsoft Azure subscriptions.


This example uses Prisma Cloud Enterprise Edition (PCEE, Compute SaaS) which has a different configuration process from using the same feature in the Compute Edition (Self-Hosted).


Additionally, we will be onboarding and scanning a single Azure subscription.


Before You Begin (Access / Permission Checks)


● The Compute module of Prisma Cloud.
● Ability to onboard Prisma Cloud accounts.
● In the Compute module: view cloud accounts, console logs, the vulnerability monitor, and
the compliance monitor.
● Azure Command Shell.
● Global Admin permissions in your Azure Tenant.


A useful list of reference material can be found at the bottom of this article.

 

Configuration


Procedure 1: Onboard your Azure Subscription with Agentless Permissions


Step 1 Login to the Prisma Cloud Console and navigate to Settings / Cloud Accounts and click “Add Cloud Account”.

 

RPrasadi_0-1713827369174.jpeg

Figure 1: Settings_palo-alto-networks


Step 2 Click “Azure”.

 

RPrasadi_1-1713827399353.jpeg

Figure 2: Add Cloud Account_palo-alto-networks


Step 3 On the “Get Started Page”.


(1) Select “Subscription.
(2) Select your subscription type (Commercial or Government).
(3) Select each of the “Security Capabilities and Permissions” that you’d like to enable.

 

RPrasadi_2-1713827440210.jpeg

Figure 3: Add Cloud Account (cont.)_palo-alto-networks


Step 4 On the “Configure Account” page, enter the following details:


(1) Enter an account name that you’d like to use (this can be changed later).
(2) Your Directory (Tenant) ID (process on finding this is shown in Appendix A).
(3) Your Subscription ID (process on finding this is shown in Appendix B).
(4) “Remediation” is optional.
(5) “Ingest and Monitor Network Security Group Flow Logs” is also optional.
(6) Click on “Download Terraform Script”.
(7) Complete the remaining requested information after running the Terraform Script
(as shown below in Step 5).
(8) Select one or more Account Groups to place this account into.
(9) Click “Next”.

 

RPrasadi_3-1713827486760.jpeg

Figure 4: Download Terraform Script_palo-alto-networks


Step 5 Download and run the Terraform Script to create an App Registration with the required permission assignments.


(1) Open the Microsoft Azure Cloud Shell.

 

RPrasadi_4-1713827592425.jpeg

Figure 5: Launch Azure Cloud Shell_palo-alto-networks


(2) Upload the Terraform Script.

 

RPrasadi_5-1713827731195.jpeg

Figure 6: Select Upload_palo-alto-networks

 

RPrasadi_6-1713827786705.png

Figure 7: Select the Terraform script to upload_palo-alto-networks

 

RPrasadi_7-1713827841236.jpeg

Figure 8: Completion of the file upload_palo-alto-networks


(3) Execute “terraform init”.

 

RPrasadi_8-1713827882331.jpeg

Figure 9: Execute “terraform init”_palo-alto-networks


(4) Execute “terraform apply”.

 

RPrasadi_10-1713827981170.jpeg

Figure 10: Execute “terraform apply”_palo-alto-networks


Step 6 Troubleshooting: You may find that the “terraform apply” command never seems to complete and you will receive

similar output as the below when canceling the command or potentially receiving a timeout.


Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Tenant shouldn't be specified for Cloud Shell account with provider["registry.terraform.io/hashicorp/azuread"], on terraform.tf line 91, in provider "azuread": 91: provider "azuread" {


Step 7 lf you receive an error similar to the one shown in Step 15, that is a Microsoft issue and not a problem with the terraform script. Authenticating to Azure prior to running the terraform script should solve the problem. Execute “az login” and follow the prompts to complete authentication via a web browser.


brandon@Azure:~$ az login

 

Cloud Shell is automatically authenticated under the initial account signed-in with.
Run 'az login' only if you need to use a different account.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and
enter the code FZ2GSQHEX to authenticate.


Step 8 You should have no problem continuing with the terraform script. Execute “terraform init” and then “terraform apply”.


Step 9 When you reach the prompt “Do you want to perform these actions” answer “yes”

 

RPrasadi_11-1713828023079.jpeg

Figure 11: Response to “terraform apply”_palo-alto-networks


Step 10 You should receive results similar to the following:


Apply complete! Resources: 1 added, 1 changed, 1 destroyed.

 

Outputs:


a__directory_tenant_id = "YOUR-TENANT-ID"
b__subscription_id = "YOUR-SUBSCRIPTION-ID"
c__application_client_id = "APPLICATION-CLIENT-ID"
d__application_client_secret = "APPLICATION-CLIENT-SECRET"
e__enterprise_application_object_id = "ENTERPRISE-APPLICATION-OBJECTID"

 

RPrasadi_12-1713828051683.jpeg

Figure 12: Apply Complete_palo-alto-networks


Step 11 Review Status. You should find that each status check is green!

 

RPrasadi_13-1713828126663.jpeg

Figure 13: Review Status_palo-alto-networks


Step 12 Troubleshooting


(1) If any of the checks are red, you’ll receive feedback on which check has failed and why. The most common scenario is missing permissions.
(2) New service and API ingestions are being added to Prisma Cloud frequently and it's possible that the Terraform Script has not been updated yet. In this case, you can add the missing permissions to the custom Prisma Cloud role.


Step 13 Now you will be able to find your successfully onboarded Azure subscription in the Providers section.

 

RPrasadi_14-1713828170918.jpeg

Figure 14: Settings > Manage > Providers_palo-alto-networks


Procedure 2: Configure Agentless Scanning


Step 1 Navigate to Runtime Security / Manage / Cloud Accounts.


(1) You should find that your new account has automatically been inherited by Compute as a Cloud Account. There should be a blue Prisma Cloud symbol in the left column next to “Account Name”.

 

RPrasadi_15-1713828224713.jpeg

Figure 15: Accounts and Agentless_palo-alto-networks


(2) You should find that your new Cloud Account has already started an agentless scan.

 

Procedure 3: Check the status of the first agentless scan


Step 1 You should find the activity and progress for Azure agentless scanning in the top right corner of the console window.

 

RPrasadi_16-1713828271451.jpeg

Figure 16: Activity and Progress for agentless scanning_palo-alto-networks


Step 2 You can also search for the keyword “scan” in the Virtual Machine list within the Azure console to confirm that the temporary scanners have been created.

 

RPrasadi_18-1713828427132.png

 Figure 17: Virtual machines list_palo-alto-networks

 

RPrasadi_19-1713828472738.jpeg

Figure 18: More agentless scanning in progress_palo-alto-networks


You will see more progress in the Compute console status.


Step 3 View the console logs at Runtime Security / Manage / Logs / Console and search for “agentless” to see the related API activity.

 

RPrasadi_21-1713828617090.jpeg

 


Figure 19: Console debug logs_palo-alto-networks


Procedure 4: Confirm Success!


Step 1 In the Compute console, navigate to Runtime Security / Monitor / Vulnerabilities / Hosts then select the Hosts subsection. Set the filter to “Scanned by Agentless: Yes” and add “Provider: Azure” to the filter. Enter a VM name or keyword to the search for virtual machines which should have been scanned.

 

RPrasadi_23-1713828743937.jpeg

 


Figure 20: Runtime Security / Monitor > Vulnerabilities > Hosts subsection_palo-alto-networks


Step 2 Click on one of the entries to see the scan details. Check the scan time to see that it’s recent. You’ll also be able to confirm that it was discovered in Azure.

 

RPrasadi_24-1713828775884.jpeg

Figure 21: Host details_palo-alto-networks


Step 3 Check the Compliance Monitor under Runtime Security / Monitor / Compliance / Hosts and then click on the “Hosts” sub-section as well to ensure that you are getting results there.

 

RPrasadi_26-1713828904548.jpeg

 


Figure 22: Runtime Security / Monitor > Compliance > Hosts_palo-alto-networks


Step 4 Check that agentless image scanning has succeeded by viewing results under Runtime Security / Monitor / Vulnerabilities / Images / Deployed.


(1) Filter your results using “Scanned by Agentless: Yes”
(2) You can also see the cluster where the image is deployed

 

RPrasadi_27-1713828972406.jpeg

Figure 23: Deployed image vulnerabilities_palo-alto-networks


Step 5 You’re Done! You have successfully configured and completed agentless virtual machine scanning of your Azure subscription!
Note: Please refer to Appendix A (Find your Tenant ID) or Appendix B (Find your Subscription ID) for additional guidance.


APPENDIX A - Find your Tenant ID


Navigate to the Tenant Properties and copy the Tenant ID.

 

RPrasadi_28-1713828999419.png

Figure 24: Searching for Tenant Properties_palo-alto-networks

 

RPrasadi_29-1713829059377.jpeg

Figure 25: Tenant Properties_palo-alto-networks


APPENDIX B - Find your Subscription ID
Navigate to the Subscriptions service.

 

RPrasadi_30-1713829108661.png

Figure 26: Finding the list of subscriptions_palo-alto-networks

 

RPrasadi_31-1713829144890.jpeg

Figure 27: Choosing a subscription_palo-alto-networks


Click on the subscription that you want to onboard.

 

RPrasadi_32-1713829230509.jpeg

Figure 28: Copy Subscription ID_palo-alto-networks


In the subscription’s “Essentials” section, you can easily copy the subscription ID.


APPENDIX C - Reference:

 

  1. Prisma Cloud - Connect Your Azure Account
  2. PCEE - Onboard Accounts for Agentless Scanning
  3. PCEE - Azure - Manually Authorize Prisma Cloud

 

About the Author

 

Brandon Goldstein is the Senior Customer Success Engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Brandon uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi-industry knowledge to inspire success.  

 

 

 

Rate this article:
(1)
  • 2189 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎11-01-2024 03:37 PM
Updated by: