Azure - Defender for Cloud

1. About this document


This document provides step-by-step instructions to configure the "Azure - Defender for Cloud" integration (referred to as "Azure" in this document) in SAFE.

Info

We have recently enhanced the SAFE-Azure Integration with several new capabilities to provide our users with a more seamless and efficient experience. We are gradually rolling out the new version of this integration, and it may not be available to you at this time. If you require any assistance, please get in touch with SAFE Support for prompt help and guidance.

2. Introduction


This integration allows you to onboard assets from Azure and fetch recommendations (referred to as misconfigurations in SAFE). SAFE Admins can configure this integration from the "Azure - Defender for Cloud" card available on the SAFE Hooks page. Once this integration is configured, SAFE fetches the security misconfigurations detected by Microsoft Defender for Cloud using the Azure Security Center Default policy assignment. This policy assignment is based on the Azure Security Benchmark and uses it to quantify cloud-related risks.

  • After a successful configuration, SAFE automatically onboards the Azure assets. You can view the Azure assets under the "Cloud-Azure" group.
  • SAFE pulls in the MITRE ATT&CK technique mapping for controls from Azure.
  • In addition to the auto-sync, SAFE admins can perform an on-demand sync with Azure to pull the assets and misconfigurations.
  • SAFE uses REST APIs provided by Microsoft to consume recommendations data from Microsoft Defender for Cloud. These REST APIs are served from https://management.azure.com/* endpoints.

Note
  • SAFE supports all the Resource Types that Defender for Cloud supports. For the list, refer to the Defender for Cloud Support Matrix.
  • SAFE pulls in the recommendations defined by Azure. Refer to the Azure recommendations for more details.
  • To onboard multiple Azure accounts, refer to Add multiple integration accounts via APIs.


3. Prerequisites


  1. Microsoft Defender for Cloud is enabled for your Azure subscriptions.
  2. All subscriptions have the Defender for Cloud default policy enabled. 
  3. The following privileges are needed for a user in Azure to generate the connection details:
    1. For manually creating applications and assigning permissions:
      1. Sufficient privileges/permissions to create an application.
      2. Sufficient privileges/permissions to create a Service Principal account.
      3. Sufficient privileges/permissions to assign the Service Principal account a "Reader" role to the relevant subscriptions.
    2. [Optional] For generating credentials using a script:
      1. Access to the Cloud Shell of your Azure subscription to execute the PowerShell script provided by SAFE.
  4. SAFE access with an admin role.

4. Generate connection details


You have two methods for generating the connection details (Tenant ID, Client ID, and Client Secret):

  1. Manual method by registering an app
  2. PowerShell script method

4.1. Manual method by registering an app

4.1.1. App Registration

  1. Log in to the Azure Portal.
  2. Navigate to Azure Active Directory.
  3. Go to App registrations and click the New Registration button.
  4. On the app registration page, enter a display name, an account type, and (optionally) a redirect URI:
    1. Display name: enter a name of your choice, for example SAFE-Azure App.
    2. Account type: set to accounts in this organizational directory only.
    3. Redirect URI: can be left blank.
  5. Click the Register button. The system registers the application.

4.1.2. Get the Client ID and Tenant ID

  1. Go to the overview page of the application you created above.
  2. The Client ID and Tenant ID are shown on the application's overview page.
  3. Save the Client ID and Tenant ID on your system for later use while configuring Azure in SAFE.

4.1.3. Create the Client Secret

When you register a new application in Azure, it does not have any client secrets. To create a Client Secret:

  1. Navigate to Certificates & secrets from the left navigation.
  2. Click the New client secret button.
  3. Enter a description and an expiry for the Client Secret. Choose the expiry in line with your rotation policy; once the secret expires, the integration can no longer authenticate and syncs fail until a new secret is configured in SAFE.
  4. Click the Add button.
  5. The system adds the Client Secret and displays its details on the same page.
  6. Save the Client Secret on your system for later use while configuring Azure in SAFE. The secret value is only shown once, immediately after creation.

4.1.4. Assign reader role in the subscriptions to the created app

4.1.4.1 Get the Subscription ID

  1. Go to the Azure Portal.
  2. Search for Subscriptions in the search bar and click it.
  3. The subscriptions page lists all your Azure subscriptions.
  4. Search for and click the subscription to which you want to assign the reader role for the app.


4.1.4.2 Assign Reader Role

You must assign a reader role to the subscriptions to sync Azure with SAFE. To assign the reader role:

  1. Go to the Subscription Overview page on the Azure Portal.
  2. Click Access control (IAM) in the left navigation.
  3. Click the Add button.
  4. On the Role tab of the Add role assignment page, select the Reader role and click Next.
  5. On the Members tab of the Add role assignment page, click the + Select members button and select the application you created above.
  6. Click Next and save the settings to assign the reader role.
    To learn more, refer to the Microsoft documentation.


4.2 [Alternate Method] Generate connection details via PowerShell Script

You must run a PowerShell script in the Cloud Shell of your Azure portal to generate the connection details (Tenant ID, Client ID, and Client Secret). First, download the PowerShell script attached here.

Follow the step-by-step procedure below to generate the connection details:

  1. Log in to your Azure portal.
  2. Click the Cloud Shell terminal icon at the top right corner.
  3. In the PowerShell terminal, execute the "Connect-AzureAD" command to enable the Active Directory cmdlets.
  4. Upload the PowerShell script (azureSafeOnboardingScript.ps1) attached above.
  5. Execute the PowerShell script to create a Service Principal account and assign "Reader" access to subscriptions using one of the following approaches:
    Approach A: To grant "Reader" access only to selected subscriptions for which your current user has privileged access, pass the subscription names as command-line arguments:
    PS /home/user1> ./azureSafeOnboardingScript.ps1 "MySubscription1" "MySubscription2"
    Approach B: To grant "Reader" access to all subscriptions for which your current user has privileged access, run the script without arguments:
    PS /home/user1> ./azureSafeOnboardingScript.ps1
  6. Once the script completes, the system has created a Service Principal account named "SAFE-Azure-App" with "Reader" access to the subscriptions chosen in step 5.
  7. The system displays the Tenant ID, Client ID, and Client Secret. Copy and save these values for use while configuring Azure in SAFE in the next section.
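The attached azureSafeOnboardingScript.ps1 is not reproduced on this page. The following script is an added example, not SAFE's script, that performs the same steps with Az PowerShell cmdlets (Az.Accounts and Az.Resources, which Cloud Shell provides) rather than the AzureAD module: it creates the app registration and service principal, assigns Reader on the named subscriptions (or on all visible ones when no names are given), and prints the three connection values. It assumes an already signed-in Cloud Shell session.

```powershell
# Added example, not SAFE's azureSafeOnboardingScript.ps1: creates the app registration and
# service principal with Az cmdlets and assigns Reader on the chosen subscriptions.
# Usage: ./Create-SafeReader.ps1 "MySubscription1" "MySubscription2"   (no names = all visible)
param(
    [Parameter(ValueFromRemainingArguments = $true)]
    [string[]]$SubscriptionNames
)

$displayName = "SAFE-Azure-App"   # same name the page's script uses

# Resolve target subscriptions: the named ones, or every subscription the signed-in user can see.
$all = Get-AzSubscription
$targets = if ($SubscriptionNames) { $all | Where-Object { $SubscriptionNames -contains $_.Name } } else { $all }
if (-not $targets) { throw "No matching subscriptions found." }
foreach ($name in $SubscriptionNames) {
    if ($name -notin $targets.Name) { Write-Warning "Subscription '$name' not found or not visible; skipped." }
}

# One app registration plus service principal; Az generates the password credential (client secret).
$sp = New-AzADServicePrincipal -DisplayName $displayName
$clientSecret = $sp.PasswordCredentials.SecretText   # only readable at creation time

# Least privilege: Reader only, scoped to each subscription (not the tenant root or a management group).
# Directory replication can lag, so retry briefly if the new principal is not yet visible to Azure RBAC.
foreach ($sub in $targets) {
    $scope = "/subscriptions/$($sub.Id)"
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName "Reader" -Scope $scope -ErrorAction Stop | Out-Null
            Write-Host "Reader assigned on '$($sub.Name)' ($scope)"
            break
        } catch {
            if ($_.Exception.Message -match 'already exists') { Write-Host "Reader already assigned on '$($sub.Name)'"; break }
            if ($attempt -eq 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

# The three values SAFE asks for. The secret is shown once; store it in a secrets manager, not in scripts or chat.
[pscustomobject]@{
    TenantId     = (Get-AzContext).Tenant.Id
    ClientId     = $sp.AppId
    ClientSecret = $clientSecret
}
```

Run it once per tenant; rerunning creates a second app registration with the same display name, so remove the old one (or reuse its App ID) rather than accumulating unused principals with Reader access.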

5. Configure Azure in SAFE


Follow the below steps to configure Azure in SAFE.

  1. Go to SAFE Hooks and click the "Azure - Defender for Cloud" card.
  2. Enter the Tenant ID, Client ID, and Client Secret generated above.
  3. Enter a value for the Auto-Sync Frequency. This controls how often SAFE synchronizes with Azure to fetch the most recent data.
  4. Click the Test Connection button.
  5. Once the connection is validated, click the Save button.
  6. Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside the scheduled auto-sync.


6. View Result


To view the assets and the assessment result:

  1. On the Azure configuration page, click the See Updated Assets option at the top right of the History table.
  2. The system redirects you to the asset list filtered to Azure assets.
  3. Alternatively, navigate to Technology > Assets and filter the asset list for signal source equals security.safe.azure, or navigate to Groups and click the Cloud - Azure group under the Technology tab.
  4. Clicking an asset in the list opens the asset details page, where you can view the controls and their status.
  5. Clicking a control opens the control details page, where you can see the MITRE ATT&CK mapping.
  6. The Observation tab displays the remediation reference for the control.

7. Integration History


SAFE displays the Integration Sync History table on each integration's configuration page, providing a comprehensive overview of sync history, including action, start time, started by, and sync status.

Refer to Integration History for more details.

8. SAFE's Outgoing IP Addresses


Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

9. Add additional Azure accounts in SAFE


9.1. Configure

You can add additional Azure accounts in SAFE only via the SAFE REST APIs. To add an additional Azure account, follow the step-by-step instructions below:

  1. Generate the connection details by following the steps in section 4 above.
  2. Prepare a JSON file with the necessary configuration details (Client ID, Tenant ID, Client Secret, and auto-sync frequency).
    Here is an example JSON:
    {
      "type": "cloud",
      "subtype": "azure",
      "config": {
        "autoSync": 1,
        "clientId": "<insert ID here>",
        "tenantId": "<insert ID here>",
        "clientSecret": "<insert secret here>",
        "sensitiveFields": [
          "clientSecret"
        ]
      }
    }
  3. Log in to SAFE as an admin user and navigate to the SAFE REST APIs by clicking the help icon at the top right corner. Refer to Accessing SAFE APIs.
  4. Scroll down to the Integrations section and expand POST /api/v3/integrations.
  5. Click the Try it out button.
  6. In the request body, replace the example JSON with the one you prepared with your connection details.
  7. Click the Execute button. The system adds the integration to SAFE.
  8. Scroll down, check the response body, and record the Integration ID.
  9. Scroll down a little further and expand POST /api/v3/integrations/{id}?action={action}.
  10. Click the Try it out button.
  11. Insert the Integration ID you recorded and enter "test" as the action.
  12. Click the Execute button.
  13. If the test is successful, repeat the same steps using "sync" as the action.
  14. Click the Execute button. SAFE will now start pulling in the data from Azure.

9.2. Check status

  1. In the SAFE REST API documentation, navigate to the Integrations section.
  2. Expand GET /api/v3/integrations/{id}.
  3. Click the Try it out button.
  4. Enter the Integration ID used when setting up the integration.
  5. Click the Execute button. The system displays the configuration and its current status.
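The procedure in 9.1 and 9.2 can be run from a script instead of the Swagger UI. The following is an added example, not SAFE's own tooling, that calls the same endpoints in order (create, test, sync, then read status). It assumes a SAFE base URL and an API bearer token (the authentication scheme and the name of the id field in the create response are assumptions; check both against the SAFE API page), and it reads the Azure credentials from environment variables so the secret never sits in the script.

```powershell
# Added example, not SAFE's own tooling: registers an additional Azure account through the SAFE REST API
# endpoints named in section 9, then checks its status. Assumptions: $SafeUrl is your SAFE base URL and
# $Token a bearer token for the SAFE API (the auth scheme is assumed; take it from the SAFE API page).
$SafeUrl = "https://<your-safe-tenant>"   # placeholder
$Token   = $env:SAFE_API_TOKEN            # keep tokens out of the script file
$headers = @{ Authorization = "Bearer $Token"; "Content-Type" = "application/json" }

# Request body from section 9.1; the Azure secret comes from environment variables rather than the script.
$body = [ordered]@{
    type    = "cloud"
    subtype = "azure"
    config  = [ordered]@{
        autoSync        = 1
        clientId        = $env:SAFE_AZ_CLIENT_ID
        tenantId        = $env:SAFE_AZ_TENANT_ID
        clientSecret    = $env:SAFE_AZ_CLIENT_SECRET
        sensitiveFields = @("clientSecret")   # as in the page's example JSON
    }
} | ConvertTo-Json -Depth 4

# Step 1: create the integration (POST /api/v3/integrations) and record the Integration ID.
$created = Invoke-RestMethod -Method Post -Uri "$SafeUrl/api/v3/integrations" -Headers $headers -Body $body
$id = $created.id   # property name assumed; compare with the response body shown in the Swagger UI
if (-not $id) { throw "No integration id in response: $($created | ConvertTo-Json -Compress)" }

# Step 2: run action=test first. Invoke-RestMethod throws on a non-2xx reply, so a failed test stops
# here and no sync is started with bad credentials. (${id} is braced so "?" is not read as part of the name.)
try {
    Invoke-RestMethod -Method Post -Uri "$SafeUrl/api/v3/integrations/${id}?action=test" -Headers $headers | Out-Null
} catch {
    throw "Connection test for integration $id failed: $($_.Exception.Message)"
}

# Step 3: trigger the first sync (same endpoint, action=sync).
Invoke-RestMethod -Method Post -Uri "$SafeUrl/api/v3/integrations/${id}?action=sync" -Headers $headers | Out-Null

# Step 4: GET /api/v3/integrations/{id} returns the configuration and the current sync status.
Invoke-RestMethod -Method Get -Uri "$SafeUrl/api/v3/integrations/$id" -Headers $headers
```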