Configuring Azure Cloud Environment Configuration Scanning

Configuration Guide


This document describes how to configure scanning for your Microsoft Azure cloud environment configurations. Cloud scans are part of your Cloud Security Posture Management (CSPM).

Note: You are only able to configure cloud scanning if you are either an Arctic Wolf® Managed Risk customer, or you are both a Managed Risk and a Managed Detection and Response customer.

Registering the application

To register the application:

  1. Sign in to the Microsoft Azure Portal console.

  2. Open the navigation menu, and then select Azure Active Directory.

  3. Select App registrations from the navigation pane.

  4. Select New registration to open the Register an application page.

  5. Enter a memorable name for the application in the Name text box.

  6. In the Supported Account types section, confirm that Accounts in this organizational directory only (<Organization-Name> only - Single Tenant) is selected.

    Note: You can leave all other fields as their default.

  7. Click Register. This opens the page for the newly registered application.

  8. Make note of these values:

    • Application (client) ID
    • Directory (tenant) ID

    Note: You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

  9. In the navigation pane, under Manage, select Certificates & secrets.

  10. In the Client secrets section, select + New client secret, and then create the secret:

    1. Enter a meaningful description for the client secret.
    2. Select your desired option for the Expires field.

    Tip: You must submit updated credentials to Arctic Wolf before the credentials expire.

    3. Click Add.

  11. Verify that your new client secret appears in the Client secrets section, and then copy the Client Secret to a secure location. You need to provide this value to Arctic Wolf as part of Providing credentials to Arctic Wolf.

    Note: This value is only available to view during the application registration.

Retrieving the subscription ID

To retrieve the subscription ID:

  1. From the navigation menu, select Subscriptions, and then select the subscription that you want Arctic Wolf to scan.

  2. Copy the Subscription ID to a secure place. You will provide this value to Arctic Wolf later.

Adding role assignments

To add the required role assignments:

  1. From the All Services menu, select Subscriptions.

  2. Select the subscriptions that you want to integrate with Arctic Wolf.

  3. Select Access control (IAM), and then select the Role assignments tab.

  4. Click Add, and then select Add role assignment.

  5. In the Role list, enter Security Reader, and then select that option.

  6. In the Select list, add the application that you created in Registering the application.

    Note: Leave the Assign access to list with the default value.

  7. Click Save.

  8. Repeat steps 5-7 for the Log Analytics Reader role.

  9. Verify that the Role assignments tab lists the two roles that you created.
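
The verification in step 9, together with the secret-expiry tip in Registering the application, can also be checked from exported JSON. The script below is an added example, not part of the Arctic Wolf procedure. It assumes the input has the shape of the Azure CLI output named in its comments, and all IDs, names, and dates in it are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED_ROLES = {"Security Reader", "Log Analytics Reader"}  # the two roles this guide assigns

def audit_roles(assignments, subscription_id):
    """Return (missing required roles, extra assignments) for one subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    granted, extra = set(), []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].rstrip("/").lower()
        if scope == sub_scope and role in REQUIRED_ROLES:
            granted.add(role)
        elif scope == sub_scope or scope.startswith(sub_scope + "/"):
            extra.append((role, a["scope"]))  # beyond what the guide asks for
    return sorted(REQUIRED_ROLES - granted), extra

def secrets_expiring(credentials, now, warn_days=30):
    """Return names of client secrets that expire within warn_days of now."""
    soon = []
    for c in credentials:
        # Assumes ISO 8601 UTC timestamps such as 2025-01-31T00:00:00Z
        end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
        if end - now <= timedelta(days=warn_days):  # also catches expired secrets
            soon.append(c.get("displayName") or c["keyId"])
    return soon

# Constructed sample data (placeholder IDs), shaped like the JSON from
# `az role assignment list --assignee <client-id> --all` and
# `az ad app credential list --id <client-id>`.
SUB = "00000000-0000-0000-0000-000000000001"
ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Security Reader", "scope": "/subscriptions/%(s)s"},
  {"roleDefinitionName": "Contributor", "scope": "/subscriptions/%(s)s/resourceGroups/rg-demo"}
]""" % {"s": SUB})
CREDENTIALS = [{"displayName": "cspm-scan", "keyId": "constructed-key-id",
                "endDateTime": "2025-02-10T00:00:00Z"}]

if __name__ == "__main__":
    missing, extra = audit_roles(ASSIGNMENTS, SUB)
    print("missing roles:", missing)
    print("extra assignments:", extra)
    now = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed so the demo is repeatable
    print("secrets expiring soon:", secrets_expiring(CREDENTIALS, now))
```

An empty missing list and an empty extra list mean the application holds exactly the two read-only roles at subscription scope.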

Providing credentials to Arctic Wolf

To submit your credentials on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Security Posture Management as the Account Type.

  5. Select Azure, and then fill in the form:

    1. Enter an Account Name.

    2. Paste these values that you saved as part of the above procedures:

      • Application (client) ID
      • Directory (tenant) ID
      • Subscription ID
      • Secret Key

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) adds this account to your scan configuration, the status of your Azure credentials changes to Connected.