Onboarding Azure Subscriptions to Intelligence

You can use Intelligence to do an analysis of network and other account activities in AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. subscriptions. For this, onboard the subscriptions to Intelligence. This process creates a connection between Intelligence, Azure activity logs, and Azure network traffic logs. You can do this after Onboarding Azure Subscriptions to CloudGuard.

How it Works

During the Intelligence onboarding, CloudGuard sends you an ARM templateClosed Azure Resource Manager template is a block of code that defines the infrastructure and configuration for your project to execute. The ARMClosed Microsoft® Azure Resource Manager. Technology to administer assets using Resource Group. template makes onboarding simple, and it is not necessary to give CloudGuard special permissions for your subscriptions. Then CloudGuard creates a SystemTopic for each of the selected storages if this does not exist in your environment, and an EventGridSubscription for each of the selected log types. For example, if you select a storage account MyAccount and logs of the types Activity Log and Audit Log, the resources created in the ARM are one SystemTopic and two EventGridSubscriptions.

The ARM gives the CloudGuard App Registration these permissions in the scope of the selected storage and system topics:

  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write

  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete

  • Microsoft.Storage/storageAccounts/blobServices/containers/read

  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Important - For existing Azure subscriptions previously onboarded to Intelligence, the subscription storage key is removed and replaced with App Registration. This is done to allow least privilege access to the Storage Account for the Activity Logs.

Network Security Group

You can onboard each individual Azure account to Network Activity through Network Security GroupClosed A set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic. (NSG) that generates traffic logs. The NSG is the unit on which you can configure the Flow Logs in Azure.

Centralized Storage Account

A centralized storage account stores logs for multiple Azure accounts. Use the onboarded centralized storage account to easily monitor and run log analysis of all your Azure subscriptions that send logs to it. For Traffic Activity, the centralized storage supports pulling NSG flow logs and VNet flow logs.

Prerequisites

Enabling Account Activity with Activity Logs

You can find Account Activity Logs in Azure in different log categories, such as:

  • Azure Activity log

  • Microsoft Entra ID - Sign-In logs

  • Microsoft Entra ID - Audit logs

  • Azure Storage Analytics logs (classic)

CloudGuard wizard allows you to onboard several types of logs to Intelligence. If you select to onboard only one type of logs, then afterward you can start the wizard again and onboard other types of logs.

To onboard one type of Azure Activity Logs to Intelligence:

  1. Navigate to the Assets > Environments page.

  2. Use the filter Platform: Azure or the search bar to display the Azure subscription that you want to onboard to Intelligence.

  3. In the subscription row and the Account Activity column, click Enable to start the Intelligence onboarding wizard.

    As an alternative, you can click and enter the Azure subscription page. In the top right menu, click Add Intelligence and select Activity Logs.

  4. Follow the on-screen instructions to complete the wizard.

Enabling Traffic Activity with Flow Logs

  1. Navigate to the Assets > Environments page.

  2. Use the filter Platform: Azureor the search bar to display the Azure subscription that you want to onboard to Intelligence.

  3. In the subscription row and the Traffic Activity column, click Enable to start the Intelligence onboarding wizard.

    As an alternative, you can click and enter the Azure subscription page. In the top right menu, click Add Intelligence and select Flow Logs.

  4. Follow the on-screen wizard to complete onboarding for Intelligence.

When you complete these steps, CloudGuard starts the onboarding process for Intelligence. It can take several minutes.

Wizard Stages

  1. Welcome - Read carefully the onboarding prerequisites and make sure that the Azure subscriptions to be onboarded meet all the required conditions.

  2. Storage or Network Security Group (NSG)

    • NSG

      1. Select an NSG to onboard.

      2. See the status of each NSG. If the NSG is not connected to a storage account, you can create a new storage account.

      For each network, selecting an NSG selects all NSGs connected to the same storage. CloudGuard onboards the entire storage account to Intelligence and receives network traffic logs from all NSGs that send logs to this storage.

    • Centralized Storage Account

      1. Select one:

        • Enter Manually - Select this option to manually enter the Account ID of a storage account from Azure. Click Add, paste the Account ID, and then continue to the ARM Template step of the Wizard.

        • Select from List - Select this option to choose storage accounts from a list that CloudGuard generates. Continue until the end of this procedure.

      2. Select one or more storage accounts to onboard.

      3. See the status of each storage account. For more information about the storage account status, see Storage Status.

      4. For account activity, select the log types.

      5. Set Auto Onboard to ON to let CloudGuard:

        • detect all onboarded Azure subscriptions that send logs of a certain type to this centralized storage account

        • automatically onboard these subscriptions to Intelligence

        Important - For existing Azure subscriptions previously onboarded to Intelligence, the subscription storage key is removed and replaced with App Registration. This is done to allow least privilege access to the Storage Account for the Activity Logs.

        The toggle button is enabled only for new storages that you select to onboard. For more information, see Automatic Onboarding.

  3. ARM Template - Based on your storage account configuration, CloudGuard generates a custom ARM template. Click the link to deploy it. Click Check Now to see the current status of the configuration.

  4. Subscriptions (For centralized storage accounts only) - Select the Azure subscriptions that you want to onboard and see their logs. You can select only those subscriptions that are not connected yet. For more information about subscription status, see Subscription Status.

  5. Azure Network Firewall - Allow Intelligence access to your Azure storage account. Click Check Access to see the access status. For more information on Firewall IPs, see FAQ.

  6. Summary - Make sure the onboarding is successful.

    Afterward, you can see the traffic activity or account activity on the Logs page when you navigate to Events > Cloud Logs > Network Traffic or Account Activity.

Storage Status

When you select from the available storage accounts for onboarding, you can see their status as follows:

  • Not connected - Includes logs that you want to onboard, and none of them are onboarded to Intelligence. For account activity, you can select the applicable logs and continue to the next step.

  • Connected - The account is onboarded with all applicable logs. For account activity, you can see the types of onboarded logs in the Log Types column.

  • Partially Connected - Only part of the logs are sent to Intelligence.

    • For account activity:

      • Not all available log types are sent to Intelligence.

      • The storage is onboarded with non-centralized configuration. This means that the event subscription sends logs from a specific subscription or NSG and not from all subscriptions.

    • For network activity (centralized onboarding only) - The account is onboarded to Intelligence with specific NSGs and only their logs are sent to Intelligence. It is necessary onboard the account again with centralized configuration, so that all network traffic logs (from all NSGs) are sent to Intelligence.

    Note - If the partially connected storage is configured with non-centralized configuration, during the onboarding step with ARM template, the storage is changed and considered centralized.

Note - Regardless of the type of Azure log that you select, CloudGuard retrieves the logs from Azure Storage Accounts.

Automatic Onboarding

CloudGuard can detect all onboarded Azure subscriptions that send logs of a certain type to the centralized storage account and automatically onboard them to Intelligence.

  • For accounts that send various activity logs to the centralized storage account, CloudGuard can automatically onboard them to Account Activity.

  • For accounts that send Flow Logs to the centralized storage account, CloudGuard can automatically onboard them to Traffic Activity.

If you do not select this option, you have to onboard each account to Intelligence manually.

To disable automatic onboarding with API, use the onboarding API (see Onboarding with API) and add to the request isAutoDiscoveryEnabled=false.

Subscription Status

  • Connected - The subscription is already onboarded to Intelligence

  • Ready to be connected - The subscription can be onboarded to Intelligence

  • Cannot be connected - The subscription is not onboarded to CloudGuard, so it cannot be onboarded to Intelligence

Onboarding with API

You can use API to onboard Azure subscriptions to Intelligence.

For more information, see