CONFIGURING YOUR AZURE ENVIRONMENT

LogAnalytics workspace and Automation account is required to get inventory for your Azure cloud,, ensure both exists as part of your subscription using Azure Portal. Link the automation account with the LogAnalytics workspace

ENABLE INVENTORY COLLECTION FOR THE AUTOMATION ACCOUNT.

In automation account , select “Configuration Management => Inventory” to enable inventory collection. Follow the instructions mentioned here for details, https://docs.microsoft.com/en-us/azure/automation/automationtutorial-installed-software

CREATE AN AZURE ACTIVE DIRECTORY APP

This app will be used by ThreatWatch to pull inventory information so you can choose to name it as your “ThreatWatch” app. - Associate the permissions, “Read Logs Analytics Data” and “user_impersonation” to this app. - Generate a client secret that the app uses to prove its identity Note, that ThreatWatch as a service does not not need access to this app and the credentials of this app remain local to your environment.

GRANT ACTIVE DIRECTORY APPLICATION ACCESS TO LOG ANALYTICS WORKSPACE

Select “Access Control (IAM)” after selecting the LogAnalytics workspace. Add the app and give it a “Reader” or “Contributor” role.

ENSURE THAT THE APPLICATION IS ALSO ADDED AS PART OF THE SUBSCRIPTION

Select the Subscription, and Access Control ( IAM ). Add your application with a “Reader” role

INVENTORY IN LOG ANLYTICS WORKSPACE

You should now see inventory in the log analytics workspace. Ensure that you do the inventory before moving on to the next steps. If you dont see inventory flowing in the log analytics workspace, follow the trouble shooting steps provided in the Azure documentation.

Using the twigs CLI you can now pull the inventory into your ThreatWatch instance ( threatwatch.io for public SaaS or yourcompany.threatwatch.io for dedicated ).

twigs -v azure —azure_tenant_id “ [TENANT_ID]" -- azure_application_id “[APPLICATION_ID]" — azure_application_key “[APPLICATION_KEY]" -- azure_subscription “[SUBSCRIPTION_ID]" -- azure_resource_group “[RESOURCE_GROUP_NAME]" -- azure_workspace “[LOG_ANALYTICS_WORKSPACE_ID]"

Analytics, security vulnerabilities, mis-configurations, static and dynamic analysis for base images, running apps and containers can now be managed from the I3 console.