Azure Cloud Discovery
Purpose
This document describes how to set up the Microsoft Azure App for Discovery on OUTSCAN.
Introduction
The Azure Cloud Discovery scan identifies your Azure instances in cloud environments by using the provided Azure credentials to query the Azure API. It enumerates assets via the Azure API and populates asset identifiers describing the tenant, subscription, resource group and instance, as well as any assigned IP address, hostname or MAC address that can be enumerated through the API. Import tags are assigned to the discovered virtual machine instances.
Prerequisites
Microsoft Azure account (Home - Microsoft Azure)
An application in Microsoft Entra ID (formerly Azure Active Directory) with the client secret credential created
Setup the App for Discovery in Azure
Create a Role
To discover resources, we must create a role in IAM. The role belongs to a subscription; you can read more about this in Organize your Azure resources effectively.
- Go to the current subscription > IAM.
- Click Add followed by Add custom role.
In Create a custom role, provide the JSON with the necessary permissions, replacing the role name and subscription ID placeholders with your own values.
Create a custom role
{
  "properties": {
    "roleName": "<Your role name here>",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<Your subscription ID here>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/*/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/*/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/*/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/*/read",
          "Microsoft.Network/dnszones/read",
          "Microsoft.Network/dnszones/*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
After saving the changes, press Review + Create to create the role with the necessary permissions.
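Before pasting the role definition into Azure, it is worth checking that the placeholders were replaced, that the role is scoped to a single subscription, and that it grants only the read actions listed above (no write or data-plane actions). The checker below is an added example, not Outpost24's or Microsoft's code; the role documents it inspects are constructed inline in the same shape as the JSON on this page, and the subscription ID used is a dummy value.

```python
import json
import re

# The read-only action set this page lists for the discovery role.
REQUIRED_ACTIONS = {
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/*/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/*/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/*/read",
    "Microsoft.Network/dnszones/read",
    "Microsoft.Network/dnszones/*/read",
}
# A scope must be exactly one subscription, identified by a GUID.
SUB_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def make_role(name, scope, actions):
    """Build a role document in the layout shown on this page (constructed helper)."""
    return json.dumps({"properties": {
        "roleName": name, "description": "", "assignableScopes": [scope],
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": [], "notDataActions": []}]}})


def check_role(text):
    """Return a list of problems found in a custom-role JSON document; empty means OK."""
    problems = []
    props = json.loads(text)["properties"]
    name = props.get("roleName", "")
    if not name or "<" in name:
        problems.append("roleName placeholder not replaced")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("no assignableScopes")
    for scope in scopes:
        if not SUB_SCOPE.match(scope):
            problems.append(f"scope is not a single subscription GUID: {scope}")
    granted = set()
    for perm in props.get("permissions", []):
        granted.update(perm.get("actions", []))
        if perm.get("dataActions"):
            problems.append("dataActions should be empty for discovery")
    # Discovery only needs control-plane reads; anything else is over-privileged.
    for action in sorted(granted):
        if not action.endswith("/read"):
            problems.append(f"non-read action granted: {action}")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))
    return problems
```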
Assign the Role to the App
- Go to Subscription > IAM > Add > Add role assignment.
- Filter by type Custom Role and select the newly created role.
- In Select members, select the app created earlier as the member.
- Click Review + Assign to finish the process.
Create Azure credential in Portal
- Obtain the application's information in Microsoft Entra ID > Applications.
- Enter it in the Portal's new credential form. See Generate Azure Credentials for more information.
  - In the drop-down menu, select Microsoft Azure.
  - Add the Name of your Azure account.
  - Add the Tenant ID.
  - Add the Client ID.
  - Add the Secret.
  - See Steps to Find Azure Parameters in the Azure Console for reference.
  - Click the blue Add button.
Run Discovery
Create a new discovery scan with the selected credential and run it.
- Create a scan configuration. You can provide the subscriptions directly as a string in the "Subscriptions" input, or leave it empty and trigger the scan once to retrieve all subscriptions.
- Run the scan the first time to retrieve all the subscriptions.
- Wait until the scan has finished.
- Go back to the scan configuration and update it with the subscriptions to scan.
- Trigger the scan and wait until it has finished.
Troubleshooting
Scan Ended with Issues
If the app lacks some of the permissions needed to enumerate Azure resources, the scan results will report an Issue.
Scan Ended with Failed
If the credentials for Azure discovery are invalid, the scan results will report the scan as Failed.
Reference
- Organize your Azure resources effectively: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
Related Articles
- Cloudsec Scan Configuration
- Generate AWS Credentials
- How to Scan AWS ECR Images
- Authenticated Scanning Using WinRM
- Scan a Docker Image
- Generate GCP Credentials
- Google Registries Scanning with Container Inspection
- Azure Cloud Discovery
- Cloud Discovery on HIAB
- AWS Scanning With OUTSCAN
- Cloud Assessment
- Docker Image Assessment
- Cloud Discovery
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.