This guide describes how to configure agentless vulnerability and compliance scanning of virtual machines in Microsoft Azure subscriptions.
This example uses Prisma Cloud Enterprise Edition (PCEE, Compute SaaS) which has a different configuration process from using the same feature in the Compute Edition (Self-Hosted).
Additionally, we will be onboarding and scanning a single Azure subscription.
Before You Begin (Access / Permission Checks)
● The Compute module of Prisma Cloud.
● Ability to onboard Prisma Cloud accounts.
● In the Compute module: view cloud accounts, console logs, the vulnerability monitor, and
the compliance monitor.
● Azure Command Shell.
● Global Admin permissions in your Azure Tenant.
A useful list of reference material can be found at the bottom of this article.
Step 1 Login to the Prisma Cloud Console and navigate to Settings / Cloud Accounts and click “Add Cloud Account”.
Figure 1: Settings_palo-alto-networks
Step 2 Click “Azure”.
Figure 2: Add Cloud Account_palo-alto-networks
Step 3 On the “Get Started Page”.
(1) Select “Subscription.
(2) Select your subscription type (Commercial or Government).
(3) Select each of the “Security Capabilities and Permissions” that you’d like to enable.
Figure 3: Add Cloud Account (cont.)_palo-alto-networks
Step 4 On the “Configure Account” page, enter the following details:
(1) Enter an account name that you’d like to use (this can be changed later).
(2) Your Directory (Tenant) ID (process on finding this is shown in Appendix A).
(3) Your Subscription ID (process on finding this is shown in Appendix B).
(4) “Remediation” is optional.
(5) “Ingest and Monitor Network Security Group Flow Logs” is also optional.
(6) Click on “Download Terraform Script”.
(7) Complete the remaining requested information after running the Terraform Script
(as shown below in Step 5).
(8) Select one or more Account Groups to place this account into.
(9) Click “Next”.
Figure 4: Download Terraform Script_palo-alto-networks
Step 5 Download and run the Terraform Script to create an App Registration with the required permission assignments.
(1) Open the Microsoft Azure Cloud Shell.
Figure 5: Launch Azure Cloud Shell_palo-alto-networks
(2) Upload the Terraform Script.
Figure 6: Select Upload_palo-alto-networks
Figure 7: Select the Terraform script to upload_palo-alto-networks
Figure 8: Completion of the file upload_palo-alto-networks
(3) Execute “terraform init”.
Figure 9: Execute “terraform init”_palo-alto-networks
(4) Execute “terraform apply”.
Figure 10: Execute “terraform apply”_palo-alto-networks
Step 6 Troubleshooting: You may find that the “terraform apply” command never seems to complete and you will receive
similar output as the below when canceling the command or potentially receiving a timeout.
Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Tenant shouldn't be specified for Cloud Shell account with provider["registry.terraform.io/hashicorp/azuread"], on terraform.tf line 91, in provider "azuread": 91: provider "azuread" {
Step 7 lf you receive an error similar to the one shown in Step 15, that is a Microsoft issue and not a problem with the terraform script. Authenticating to Azure prior to running the terraform script should solve the problem. Execute “az login” and follow the prompts to complete authentication via a web browser.
brandon@Azure:~$ az login
Cloud Shell is automatically authenticated under the initial account signed-in with.
Run 'az login' only if you need to use a different account.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and
enter the code FZ2GSQHEX to authenticate.
Step 8 You should have no problem continuing with the terraform script. Execute “terraform init” and then “terraform apply”.
Step 9 When you reach the prompt “Do you want to perform these actions” answer “yes”
Figure 11: Response to “terraform apply”_palo-alto-networks
Step 10 You should receive results similar to the following:
Apply complete! Resources: 1 added, 1 changed, 1 destroyed.
Outputs:
a__directory_tenant_id = "YOUR-TENANT-ID"
b__subscription_id = "YOUR-SUBSCRIPTION-ID"
c__application_client_id = "APPLICATION-CLIENT-ID"
d__application_client_secret = "APPLICATION-CLIENT-SECRET"
e__enterprise_application_object_id = "ENTERPRISE-APPLICATION-OBJECTID"
Figure 12: Apply Complete_palo-alto-networks
Step 11 Review Status. You should find that each status check is green!
Figure 13: Review Status_palo-alto-networks
Step 12 Troubleshooting
(1) If any of the checks are red, you’ll receive feedback on which check has failed and why. The most common scenario is missing permissions.
(2) New service and API ingestions are being added to Prisma Cloud frequently and it's possible that the Terraform Script has not been updated yet. In this case, you can add the missing permissions to the custom Prisma Cloud role.
Step 13 Now you will be able to find your successfully onboarded Azure subscription in the Providers section.
Figure 14: Settings > Manage > Providers_palo-alto-networks
Step 1 Navigate to Runtime Security / Manage / Cloud Accounts.
(1) You should find that your new account has automatically been inherited by Compute as a Cloud Account. There should be a blue Prisma Cloud symbol in the left column next to “Account Name”.
Figure 15: Accounts and Agentless_palo-alto-networks
(2) You should find that your new Cloud Account has already started an agentless scan.
Step 1 You should find the activity and progress for Azure agentless scanning in the top right corner of the console window.
Figure 16: Activity and Progress for agentless scanning_palo-alto-networks
Step 2 You can also search for the keyword “scan” in the Virtual Machine list within the Azure console to confirm that the temporary scanners have been created.
Figure 17: Virtual machines list_palo-alto-networks
Figure 18: More agentless scanning in progress_palo-alto-networks
You will see more progress in the Compute console status.
Step 3 View the console logs at Runtime Security / Manage / Logs / Console and search for “agentless” to see the related API activity.
Figure 19: Console debug logs_palo-alto-networks
Step 1 In the Compute console, navigate to Runtime Security / Monitor / Vulnerabilities / Hosts then select the Hosts subsection. Set the filter to “Scanned by Agentless: Yes” and add “Provider: Azure” to the filter. Enter a VM name or keyword to the search for virtual machines which should have been scanned.
Figure 20: Runtime Security / Monitor > Vulnerabilities > Hosts subsection_palo-alto-networks
Step 2 Click on one of the entries to see the scan details. Check the scan time to see that it’s recent. You’ll also be able to confirm that it was discovered in Azure.
Figure 21: Host details_palo-alto-networks
Step 3 Check the Compliance Monitor under Runtime Security / Monitor / Compliance / Hosts and then click on the “Hosts” sub-section as well to ensure that you are getting results there.
Figure 22: Runtime Security / Monitor > Compliance > Hosts_palo-alto-networks
Step 4 Check that agentless image scanning has succeeded by viewing results under Runtime Security / Monitor / Vulnerabilities / Images / Deployed.
(1) Filter your results using “Scanned by Agentless: Yes”
(2) You can also see the cluster where the image is deployed
Figure 23: Deployed image vulnerabilities_palo-alto-networks
Step 5 You’re Done! You have successfully configured and completed agentless virtual machine scanning of your Azure subscription!
Note: Please refer to Appendix A (Find your Tenant ID) or Appendix B (Find your Subscription ID) for additional guidance.
APPENDIX A - Find your Tenant ID
Navigate to the Tenant Properties and copy the Tenant ID.
Figure 24: Searching for Tenant Properties_palo-alto-networks
Figure 25: Tenant Properties_palo-alto-networks
APPENDIX B - Find your Subscription ID
Navigate to the Subscriptions service.
Figure 26: Finding the list of subscriptions_palo-alto-networks
Figure 27: Choosing a subscription_palo-alto-networks
Click on the subscription that you want to onboard.
Figure 28: Copy Subscription ID_palo-alto-networks
In the subscription’s “Essentials” section, you can easily copy the subscription ID.
Brandon Goldstein is the Senior Customer Success Engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Brandon uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi-industry knowledge to inspire success.
