threatwatch io

Azure Cloud Discovery Using twigs

Updated: Dec 28, 2022



CONFIGURING YOUR AZURE ENVIRONMENT


A Log Analytics workspace and an Automation account are required to collect inventory for your Azure cloud. Ensure both exist as part of your subscription using the Azure Portal, then link the Automation account with the Log Analytics workspace.


ENABLE INVENTORY COLLECTION FOR THE AUTOMATION ACCOUNT


In the Automation account, select “Configuration Management => Inventory” to enable inventory collection. For details, follow the instructions at https://docs.microsoft.com/en-us/azure/automation/automationtutorial-installed-software


CREATE AN AZURE ACTIVE DIRECTORY APP


This app will be used by ThreatWatch to pull inventory information, so you can choose to name it your “ThreatWatch” app.

- Associate the permissions “Read Logs Analytics Data” and “user_impersonation” with this app.
- Generate a client secret that the app uses to prove its identity.

Note that ThreatWatch as a service does not need access to this app, and the credentials of this app remain local to your environment.


GRANT ACTIVE DIRECTORY APPLICATION ACCESS TO LOG ANALYTICS WORKSPACE


Select “Access Control (IAM)” after selecting the LogAnalytics workspace. Add the app and give it a “Reader” or “Contributor” role.


ENSURE THAT THE APPLICATION IS ALSO ADDED AS PART OF THE SUBSCRIPTION


Select the Subscription, then “Access Control (IAM)”. Add your application with a “Reader” role.


INVENTORY IN LOG ANALYTICS WORKSPACE


You should now see inventory in the Log Analytics workspace. Ensure that the inventory is there before moving on to the next steps. If you don't see inventory flowing into the Log Analytics workspace, follow the troubleshooting steps provided in the Azure documentation.
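The check described above can also be run with the app's own credentials, which confirms the app registration, the role assignments and the inventory flow in one pass. This is an added example, not ThreatWatch or twigs code; the environment variable names are hypothetical, and it assumes the inventory lands in the `ConfigurationData` table that Azure Automation inventory writes to.

```python
import json, os, urllib.error, urllib.parse, urllib.request

# Count software inventory records per machine.
KQL = ('ConfigurationData | where ConfigDataType == "Software" '
       '| summarize Packages=count() by Computer')

def token_request(tenant_id, app_id, app_key):
    """OAuth2 client-credentials request; the secret goes in the POST body only."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": app_key,
        "scope": "https://api.loganalytics.io/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body)

def query_request(workspace_id, token, kql=KQL):
    """Log Analytics query API request for the given workspace ID."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    return urllib.request.Request(
        url, data=json.dumps({"query": kql}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def inventory_by_computer(response):
    """Map computer name -> package count from a query API response."""
    tables = response.get("tables") or []
    if not tables:
        return {}
    cols = [c["name"] for c in tables[0]["columns"]]
    ci, pi = cols.index("Computer"), cols.index("Packages")
    return {row[ci]: row[pi] for row in tables[0]["rows"]}

# Constructed sample response, used to exercise the parser offline.
SAMPLE = {"tables": [{"name": "PrimaryResult",
          "columns": [{"name": "Computer", "type": "string"},
                      {"name": "Packages", "type": "long"}],
          "rows": [["web-01", 212], ["db-01", 187]]}]}

def main():
    env = os.environ  # hypothetical variable names, set by the operator
    try:
        with urllib.request.urlopen(token_request(
                env["AZURE_TENANT_ID"], env["AZURE_APP_ID"], env["AZURE_APP_KEY"])) as r:
            token = json.load(r)["access_token"]
        with urllib.request.urlopen(query_request(env["AZURE_WORKSPACE_ID"], token)) as r:
            hosts = inventory_by_computer(json.load(r))
    except urllib.error.HTTPError as e:  # 401/403: check secret and IAM role
        raise SystemExit(f"request rejected with HTTP {e.code}")
    if not hosts:
        raise SystemExit("no software inventory rows in the workspace yet")
    for name, count in sorted(hosts.items()):
        print(f"{name}: {count} packages")

if __name__ == "__main__":
    main()
```

An empty result or an HTTP 401/403 here points at inventory collection or the IAM role assignments, which is cheaper to find now than after a failed twigs run.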


Using the twigs CLI, you can now pull the inventory into your ThreatWatch instance (threatwatch.io for public SaaS or yourcompany.threatwatch.io for dedicated).



twigs -v azure --azure_tenant_id "[TENANT_ID]" --azure_application_id "[APPLICATION_ID]" --azure_application_key "[APPLICATION_KEY]" --azure_subscription "[SUBSCRIPTION_ID]" --azure_resource_group "[RESOURCE_GROUP_NAME]" --azure_workspace "[LOG_ANALYTICS_WORKSPACE_ID]"


Analytics, security vulnerabilities, mis-configurations, static and dynamic analysis for base images, running apps and containers can now be managed from the I3 console.
