By Brandon Goldstein, Senior Customer Success Engineer
Overview
This guide describes how to configure agentless vulnerability and compliance
scanning of virtual machines in Microsoft Azure subscriptions.
This example uses Prisma Cloud Enterprise Edition (PCEE, Compute SaaS)
which has a different configuration process from using the same feature in
the Compute Edition (Self-Hosted).
Additionally, we will be onboarding and scanning a single Azure subscription.
Before You Begin (Access / Permission Checks)
● The Compute module of Prisma Cloud
● Ability to onboard Prisma Cloud accounts
● In the Compute module: view cloud accounts, console logs, the
vulnerability monitor, and the compliance monitor.
● Azure Command Shell
● Global Admin permissions in your Azure Tenant
A useful list of reference material can be found at the bottom of this
document.
Configuration
Procedure 1: Onboard your Azure Subscription with Agentless
Permissions
Step 1 Login to the Prisma Cloud Console and navigate to Settings / Cloud
Accounts and click “Add Cloud Account”
Figure 1: Settings_palo-alto-networks
Step 2 Click “Azure”
Figure 2: Add Cloud Account_palo-alto-networks
Step 3 On the “Get Started Page”
(1) Select “Subscription
(2) Select your subscription type (Commercial or Government)
(3) Select each of the “Security Capabilities and Permissions” that you’d like
to enable
Figure 3: Add Cloud Account_palo-alto-networks (cont.)
Step 4 On the “Configure Account” page, enter the following details:
(1) Enter an account name that you’d like to use (this can be changed later)
(2) Your Directory (Tenant) ID (process on finding this is shown in Appendix
A)
(3) Your Subscription ID (process on finding this is shown in Appendix B)
(4) Click on “Download Terraform Script”
(5) Complete the remaining requested information after running the
Terraform Script (as shown below in Step 5)
(6) Select one or more Account Groups to place this account into
(7) Click “Next”
Step 5 Download and run the Terraform Script to create an App Registration with
the required permission assignments.
Figure 4: Add Cloud Account_palo-alto-networks (cont.)
(1) Open the Microsoft Azure Cloud Shell
(2) Upload the Terraform Script
Figure 5: Microsoft Azure_palo-alto-networks
(3) Execute “terraform init”
Figure 6: Azure Cloud Shell_palo-alto-networks
(4) Execute “terraform apply”
Step 6 ! Troubleshooting ! You may find that the “terraform apply”
command never seems to complete and you will receive similar
output as the below when canceling the command or potentially
receiving a timeout.
Error: Error obtaining Authorization Token from the Azure CLI: Error parsing
json result from the Azure CLI: Error waiting for the Azure CLI: exit status
1: ERROR: Tenant shouldn't be specified for Cloud Shell account with provider
["registry.terraform.io/hashicorp/azuread"], on terraform.tf line 91,
in provider "azuread": 91: provider "azuread" {
Figure 7: Terraform apply prompt_palo-alto-networks
Step 7 lf you receive an error similar to the one shown in Step 15, that is a
Microsoft issue and not a problem with the terraform script.
Authenticating to Azure prior to running the terraform script should
solve the problem. Execute “az login” and follow the prompts to
complete authentication via a web browser.
brandon@Azure:~$ az login
Cloud Shell is automatically authenticated under the initial account
signed-in with. Run 'az login' only if you need to use a different account.
To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code FZ2GSQHEX to
Authenticate.
Step 8 Then you should have no problem continuing with the terraform
script. Execute “terraform init” and then “terraform apply”.
Step 9 When you reach the prompt “Do you want to perform these actions”
answer “yes”
Figure 7: Terraform prompt_palo-alto-networks
Step 10 You should receive results similar to the following:
Apply complete! Resources: 1 added, 1 changed, 1 destroyed.
Outputs:
a__directory_tenant_id = "YOUR-TENANT-ID"
b__subscription_id = "YOUR-SUBSCRIPTION-ID"
c__application_client_id = "APPLICATION-CLIENT-ID"
d__application_client_secret = "APPLICATION-CLIENT-SECRET"
e__enterprise_application_object_id = "ENTERPRISE-APPLICATION-OBJECTID"
Figure 8: Apply Complete_palo-alto-networks
Step 11 Review Status. You should find that each status check is green!
Figure 9: Review Status_palo-alto-networks
Step 12 Troubleshooting
(1) If any of the checks are red, you’ll receive feedback on which
check has failed and why. The most common scenario is missing
permissions.
(2) New service and API ingestions are being added to Prisma Cloud
frequently and it's possible that the Terraform Script has not been
updated yet. In this case, you can add the missing permissions to
the custom Prisma Cloud role without any problem.
Step 13 Now you will be able to find your successfully onboarded Azure
subscription in the Cloud Accounts section.
Figure 10: Settings > Cloud Accounts_palo-alto-networks
Procedure 2: Configure Agentless Scanning
Step 1 Navigate to Compute / Manage / Cloud Accounts
(1) You should find that your new account has automatically been
inherited by Compute as a Cloud Account. There should be a blue
Prisma Cloud symbol in the left column next to “Account Name”
(2) You should find that your new Cloud Account has already started
an agentless scan
Figure 11: Accounts and Agentless_palo-alto-networks
Procedure 3: Check the status of the first agentless scan
Step 1 You should find the activity and progress for Azure agentless
scanning in the top right corner of the console window
Figure 12: Activity and Progress for agentless scanning_palo-alto-networks
Step 2 You can also search for the keyword “scan” in the Virtual Machine list
within the Azure console to confirm that the temporary scanners
have been created.
Figure 12: Virtual machines list_palo-alto-networks
Eventually you will see more progress in the Compute console
status
Figure 13: Agentless scanning progress_palo-alto-networks
Step 3 View the console logs at Manage / Logs / Console and search for
“Agentless”
to see the related API activity
Figure 14: Console debug logs_palo-alto-networks
Procedure 4: Confirm Success!
Step 1 In the Compute console, navigate to Monitor / Vulnerabilities / Hosts
then select the Hosts subsection. Set the filter to “Scanned by:
Agentless” and add a VM name or keyword to the search for virtual
machines which should be scanned.
Figure 15: Monitor > Vulnerabilities > Hosts subsection_palo-alto-networks
Step 2 Click on one of the entries to see the scan details. Check the scan
time to see that it’s recent. You’ll also be able to confirm that it was
discovered in Azure.
Figure 16: Host details_palo-alto-networks
Step 3 Check the Compliance Monitor under Monitor / Compliance / Hosts
and the Hosts subsection to ensure you are getting valuable results
there as well!
Figure 17: Monitor > Compliance > Hosts_palo-alto-networks
Step 4 Check that agentless image scanning has succeeded by viewing
results under Monitor / Vulnerabilities / Images / Deployed
(1) Filter your results using “Scanned by” and select “Agentless”
(2) You can also see the cluster where the image is deployed
Figure 18: Deployed images_palo-alto-networks
Step 5 You’re Done! You have successfully configured and completed
agentless virtual machine scanning of your Azure subscription!
Note: Please refer to Appendix A (Find your Tenant ID) or Appendix B
(Find your Subscription ID) for additional guidance
APPENDIX A - Find your Tenant ID
Navigate to the Tenant Properties and copy the Tenant ID.
Figure 19: Tenant Properties
Figure 20: Tenant Properties_palo-alto-networks
APPENDIX B - Find your Subscription ID
Navigate to the Subscriptions service.
Figure 21: Subscription ID_palo-alto-networks
Click on the subscription that you want to onboard.
Figure 21: Subscription Example_palo-alto-networks
In the subscription’s “Essentials” section, you can easily copy the subscription ID.
Figure 22: Subscriptions example_palo-alto-networks
Reference:
- Prisma Cloud - Onboard Your Azure Account
- PCEE - Onboard Azure Accounts for Agentless Scanning
- PCEE - Manually Authorize Prisma Cloud
About the Author:
Brandon Goldstein is the Senior Customer Success Engineer specializing in Prisma
Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes.
Brandon uses collaborative approaches to break down complex problems into solutions
for global enterprise customers and leverage his multi-industry knowledge to inspire success.
