About CloudEngineer

                  By Brandon Goldstein, Senior Customer Success Engineer Overview This guide describes how to configure agentless vulnerability and compliance scanning of virtual machines in Microsoft Azure subscriptions. This example uses Prisma Cloud Enterprise Edition (PCEE, Compute SaaS) which has a different configuration process from using the same feature in the Compute Edition (Self-Hosted). Additionally, we will be onboarding and scanning a single Azure subscription. Before You Begin (Access / Permission Checks) ● The Compute module of Prisma Cloud ● Ability to onboard Prisma Cloud accounts ● In the Compute module: view cloud accounts, console logs, the vulnerability monitor, and the compliance monitor. ● Azure Command Shell ● Global Admin permissions in your Azure Tenant A useful list of reference material can be found at the bottom of this document. Configuration Procedure 1: Onboard your Azure Subscription with Agentless Permissions Step 1 Login to the Prisma Cloud Console and navigate to Settings / Cloud Accounts and click “Add Cloud Account”   Figure 1: Settings_palo-alto-networks Step 2 Click “Azure”   Figure 2: Add Cloud Account_palo-alto-networks Step 3 On the “Get Started Page” (1) Select “Subscription (2) Select your subscription type (Commercial or Government) (3) Select each of the “Security Capabilities and Permissions” that you’d like to enable Figure 3: Add Cloud Account_palo-alto-networks (cont.) Step 4 On the “Configure Account” page, enter the following details: (1) Enter an account name that you’d like to use (this can be changed later) (2) Your Directory (Tenant) ID (process on finding this is shown in Appendix A) (3) Your Subscription ID (process on finding this is shown in Appendix B) (4) Click on “Download Terraform Script” (5) Complete the remaining requested information after running the Terraform Script (as shown below in Step 5) (6) Select one or more Account Groups to place this account into (7) Click “Next” Step 5 Download and run the Terraform Script to create an App Registration with the required permission assignments.   Figure 4: Add Cloud Account_palo-alto-networks (cont.) (1) Open the Microsoft Azure Cloud Shell (2) Upload the Terraform Script   Figure 5: Microsoft Azure_palo-alto-networks (3) Execute “terraform init”   Figure 6: Azure Cloud Shell_palo-alto-networks   (4) Execute “terraform apply” Step 6 ! Troubleshooting ! You may find that the “terraform apply” command never seems to complete and you will receive similar output as the below when canceling the command or potentially receiving a timeout. Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Tenant shouldn't be specified for Cloud Shell account with  provider ["registry.terraform.io/hashicorp/azuread"], on terraform.tf line 91, in provider "azuread": 91: provider "azuread" {   Figure 7: Terraform apply prompt_palo-alto-networks Step 7 lf you receive an error similar to the one shown in Step 15, that is a Microsoft issue and not a problem with the terraform script. Authenticating to Azure prior to running the terraform script should solve the problem. Execute “az login” and follow the prompts to complete authentication via a web browser. brandon@Azure:~$ az login Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account. To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FZ2GSQHEX to Authenticate. Step 8 Then you should have no problem continuing with the terraform script. Execute “terraform init” and then “terraform apply”. Step 9 When you reach the prompt “Do you want to perform these actions” answer “yes”   Figure 7: Terraform prompt_palo-alto-networks Step 10 You should receive results similar to the following: Apply complete! Resources: 1 added, 1 changed, 1 destroyed. Outputs: a__directory_tenant_id = "YOUR-TENANT-ID" b__subscription_id = "YOUR-SUBSCRIPTION-ID" c__application_client_id = "APPLICATION-CLIENT-ID" d__application_client_secret = "APPLICATION-CLIENT-SECRET" e__enterprise_application_object_id = "ENTERPRISE-APPLICATION-OBJECTID" Figure 8: Apply Complete_palo-alto-networks Step 11 Review Status. You should find that each status check is green! Figure 9: Review Status_palo-alto-networks Step 12 Troubleshooting (1) If any of the checks are red, you’ll receive feedback on which check has failed and why. The most common scenario is missing permissions. (2) New service and API ingestions are being added to Prisma Cloud frequently and it's possible that the Terraform Script has not been updated yet. In this case, you can add the missing permissions to the custom Prisma Cloud role without any problem. Step 13 Now you will be able to find your successfully onboarded Azure subscription in the Cloud Accounts section. Figure 10: Settings > Cloud Accounts_palo-alto-networks Procedure 2: Configure Agentless Scanning Step 1 Navigate to Compute / Manage / Cloud Accounts (1) You should find that your new account has automatically been inherited by Compute as a Cloud Account. There should be a blue Prisma Cloud symbol in the left column next to “Account Name” (2) You should find that your new Cloud Account has already started an agentless scan Figure 11: Accounts and Agentless_palo-alto-networks Procedure 3: Check the status of the first agentless scan Step 1 You should find the activity and progress for Azure agentless scanning in the top right corner of the console window   Figure 12: Activity and Progress for agentless scanning_palo-alto-networks Step 2 You can also search for the keyword “scan” in the Virtual Machine list within the Azure console to confirm that the temporary scanners have been created. F igure 12: Virtual machines list_palo-alto-networks Eventually you will see more progress in the Compute console status   Figure 13: Agentless scanning progress_palo-alto-networks Step 3 View the console logs at Manage / Logs / Console and search for “Agentless” to see the related API activity   Figure 14: Console debug logs_palo-alto-networks Procedure 4: Confirm Success!   Step 1 In the Compute console, navigate to Monitor / Vulnerabilities / Hosts then select the Hosts subsection. Set the filter to “Scanned by: Agentless” and add a VM name or keyword to the search for virtual machines which should be scanned. Figure 15: Monitor > Vulnerabilities > Hosts subsection_palo-alto-networks Step 2 Click on one of the entries to see the scan details. Check the scan time to see that it’s recent. You’ll also be able to confirm that it was discovered in Azure. Figure 16: Host details_palo-alto-networks Step 3 Check the Compliance Monitor under Monitor / Compliance / Hosts and the Hosts subsection to ensure you are getting valuable results there as well! Figure 17: Monitor > Compliance > Hosts_palo-alto-networks Step 4 Check that agentless image scanning has succeeded by viewing results under Monitor / Vulnerabilities / Images / Deployed (1) Filter your results using “Scanned by” and select “Agentless” (2) You can also see the cluster where the image is deployed Figure 18: Deployed images_palo-alto-networks Step 5 You’re Done! You have successfully configured and completed agentless virtual machine scanning of your Azure subscription! Note: Please refer to Appendix A (Find your Tenant ID) or Appendix B (Find your Subscription ID) for additional guidance APPENDIX A - Find your Tenant ID Navigate to the Tenant Properties and copy the Tenant ID. Figure 19: Tenant Properties   Figure 20: Tenant Properties_palo-alto-networks APPENDIX B - Find your Subscription ID Navigate to the Subscriptions service.     Figure 21: Subscription ID_palo-alto-networks Click on the subscription that you want to onboard.   Figure 21: Subscription Example_palo-alto-networks In the subscription’s “Essentials” section, you can easily copy the subscription ID. Figure 22: Subscriptions example_palo-alto-networks Reference: Prisma Cloud - Onboard Your Azure Account PCEE - Onboard Azure Accounts for Agentless Scanning PCEE - Manually Authorize Prisma Cloud   About the Author: Brandon Goldstein is the Senior Customer Success Engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Brandon uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi-industry knowledge to inspire success. ... View more