Azure

Prepare your environment, then follow the wizard’s prompts to install agentless Cloud Security Posture Management (CSPM) and Cloud Detection and Response (CDR) on Azure. You can connect single subscriptions or tenants using Terraform.

Install using the Wizard

The installation options include:

  • Agentless CSPM and/or

  • Agentless Cloud Detection and Response (CDR)

Prerequisites

  • Sysdig Secure SaaS with administrator permissions

  • Terraform v. 1.3.1+ installed on the machine from which you will deploy the installation

  • The Azure CLI installed on the same machine

    For more information, see How to install the Azure CLI.

  • Azure requirements for roles, permissions, and environment, as described in Prepare Your Environment

Review Azure Roles and Permissions

Review these concepts before preparing your environment and running the installation wizard.

User Types

There are two user types in the Azure onboarding:

  • “You:” The human user performing the installation is the primary type of user. Sometimes this “you” may encompass multiple people in an organization. The human user(s) need specific Entra ID and Azure RBAC roles to perform the cloud account onboarding.
  • Service Principal: The onboarding process creates a “robot user” called a Service Principal. It has different, less permissive roles that are used by Sysdig.

Azure Role Types

Azure has two types of Roles that must be correctly assigned for you to onboard:

  • Entra ID roles that are applied to the entire Tenant and control what actions you can take in that tenant.

    For background information, see the Azure documentation on Entra ID (formerly Active Directory) roles.

  • Azure RBAC roles that are applied to the Subscription or Management Group and control what actions you can take on that subscription/management group.

    For background information, see the Azure documentation on Azure Role-Based Access Control and Assigning Azure Roles in the Azure Portal.

Permissions Required to Install

Entra ID

To perform the installation, you will need to authenticate as a user with the following Entra ID roles:

  • Application Administrator and Privileged Role Administrator
    • Application Administrator is required to create a Service Principal associated with a Sysdig-owned application.

    • Privileged Role Administrator is required to assign the Directory Reader Entra ID role to the created Service Principal.

OR

Azure RBAC

Your user must have the following permission to assign Azure RBAC roles:

  • Microsoft.Authorization/roleAssignments/write
    • This permission is used to assign the Service Principal permission on the specified Subscriptions. The permissions assigned are documented below.

Common roles that contain this permission are:

  • User Access Administrator
  • Owner

Permissions Granted to Sysdig

The installation creates a Service Principal that Sysdig can access. This Service Principal is granted the following roles:

Entra ID:

  • Directory Readers - this role is used to allow Sysdig to list Users and Service Principals for CSPM.

Azure RBAC:

  • Reader - this role is used to allow Sysdig to list resources within your subscriptions for CSPM.
  • Custom Role - this is a custom role used to give Sysdig permissions to collect the AuthSettings object required for CSPM.

Prepare Your Environment

Preparation of your Azure environment, roles, and permissions is the key to a seamless connection between your Azure cloud accounts and Sysdig. When preparation is complete, the installation itself is a simple, wizard-guided process from the Sysdig Secure UI.

Follow each of the steps below to prepare for onboarding.

Step 1: Provide User with Appropriate Roles

Log into Azure and ensure that the user you log in with has all the necessary roles and permissions required to install.

You can:

  • Use an existing user who meets the permissions requirements
  • Create a new user and set up permissions
  • Add permissions to an existing user

To begin:

  1. Log in to Azure and check your Entra ID roles.

    • Navigate to the Entra ID console and select Roles and Administrators.

    • Click on Your Role.

      Entra ID is displayed with associated roles.

    • Add any missing Entra ID roles. (See Permissions Required to Install.)

  2. Check your Azure RBAC Roles.

    • For Single Subscriptions:

      • Navigate to Subscriptions.

      • Click the target subscription and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user. (See Permissions Required to Install.)

    • For Management Groups:

      • Navigate to Management Groups.

      • Click the target Management Group and go to Access Control (IAM).

      • Click Role Assignments.

      • Ensure that the required Azure role is assigned to your user.

      • Add any missing Azure RBAC Role assignments. (See Permissions Required to Install.)

Step 2: Configure Your Subscriptions

Register the resource provider Microsoft.ManagedService in each subscription to be onboarded.

For further guidance, see Azure’s registration instructions.

Step 3: Authenticate and Configure Terraform

Configure your environment from your local machine, preparing to apply Terraform.

  1. Ensure the prerequisites are met:

    • Terraform v1.3.1+ installed
    • Azure CLI installed
  2. Authenticate your user and configure Terraform to use these credentials.

    A common way to do this is:

    1. Ensure you are logged in to the correct Tenant.

      Log in using the Azure CLI:

      az login --tenant "TENANT_ID_OR_DOMAIN"

      You will be presented with a web page to select your user account. Be sure to log in as the user you configured in Step 1.

    2. Confirm you are logged in as the correct user, by running:

      az ad signed-in-user show

      (For alternative ways to authenticate Terraform, see the Terraform documentation: Authenticating to Azure Active Directory and Authenticating to Azure.)
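As an added pre-flight check for Steps 1 and 2 (this script is not part of the Sysdig page or its tooling), the following Python evaluates the JSON that the Azure CLI returns for your role assignments and for the Microsoft.ManagedService provider, and reports what is missing before you run Terraform. The az command lines, the sample data and the assumption that a management-group-scoped assignment listed by az applies to the subscription are mine, not the page's.

```python
import json

# Roles the page names as carrying Microsoft.Authorization/roleAssignments/write.
RBAC_ROLES_WITH_WRITE = {"Owner", "User Access Administrator"}
REQUIRED_PROVIDER = "Microsoft.ManagedService"


def scope_covers_subscription(scope, subscription_id):
    """True when a role assignment's scope applies to the whole subscription:
    tenant root, a management group, or the subscription itself.  Assumes the
    list came from `az role assignment list --include-inherited`, so any
    management-group scope present is an ancestor of the subscription.
    Resource-group or resource scopes are not enough to assign roles on the
    subscription, which is what the onboarding needs."""
    s = scope.rstrip("/").lower()
    if s in ("", "/"):
        return True
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return True
    return s == f"/subscriptions/{subscription_id.lower()}"


def check_subscription(subscription_id, role_assignments_json, provider_json):
    """Return a list of problems; an empty list means the subscription is ready."""
    problems = []
    assignments = json.loads(role_assignments_json)
    if not any(a.get("roleDefinitionName") in RBAC_ROLES_WITH_WRITE
               and scope_covers_subscription(a.get("scope", ""), subscription_id)
               for a in assignments):
        problems.append(f"{subscription_id}: no Owner or User Access Administrator "
                        "assignment at subscription scope or above")
    state = json.loads(provider_json).get("registrationState")
    if state != "Registered":
        problems.append(f"{subscription_id}: provider {REQUIRED_PROVIDER} is {state}")
    return problems


# Constructed sample data shaped like the az CLI's JSON output (fields trimmed):
# `az role assignment list --assignee <upn> --scope /subscriptions/<id> --include-inherited -o json`
# and `az provider show --namespace Microsoft.ManagedService -o json`.
SUB_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_ID}"},
    {"roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-dev"},
])
SAMPLE_PROVIDER = json.dumps({"namespace": REQUIRED_PROVIDER, "registrationState": "NotRegistered"})

if __name__ == "__main__":
    for line in check_subscription(SUB_ID, SAMPLE_ASSIGNMENTS, SAMPLE_PROVIDER):
        print(line)
```

With the constructed sample the user holds Owner only on a resource group, so the script flags both the missing subscription-level role and the unregistered provider; feed it the real az output for each subscription you intend to onboard.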

Install using Wizard

To install agentless CSPM and/or CDR, follow the Wizard Quick Start.

  1. Log in and authenticate in Azure, per the Preparation steps above.

  2. Log in to Sysdig Secure as admin and select Integrations > Cloud Accounts | Azure.

  3. Click Add Azure Account and select the installation method that matches your enterprise practices:

    • Select CSPM and/or CDR features and click Next.

      Note: CIEM is not available on Azure at this time.

    • Choose whether you are connecting a Single Subscription or a Tenant and click Next.

    • The Wizard will auto-populate a code snippet including autodetected Sysdig Secure endpoint and Sysdig Secure API token information.

  4. Create a file called main.tf and copy the code snippet from the Wizard into the file.

  5. Run terraform init && terraform apply.

  6. Return to the Wizard interface and click Complete.

  7. After deploying, validate the services are working.

Note that each step is necessary. Run the code snippet in the command line, then return to the Sysdig UI and click Complete.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. Events may take 10 minutes or so to collect and display.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check CSPM

Inventory: Select the Inventory module and filter for subscription =. Check for your Azure cloud account in the drop-down.

Features and Resources on Azure

Agentless CSPM

Resources Created

  • azuread_service_principal
  • azuread_directory_role_assignment
  • azurerm_role_assignment
  • azurerm_role_definition

Agentless Cloud Detection and Response (CDR)

This feature performs threat detection using Falco rules and policies on platform logs. Agentless CDR relies on the following Azure features; see the linked Azure docs for details:

Resources Created

  • azuread_service_principal
  • azurerm_role_assignment
  • azurerm_resource_group
  • azurerm_eventhub_namespace
  • azurerm_eventhub
  • azurerm_eventhub_consumer_group
  • azurerm_eventhub_namespace_authorization_rule
  • azurerm_monitor_diagnostic_setting

Advanced: Tuning Event Hub

Sysdig provides a default configuration for Event Hub that relies on a standard tier Event Hub with four partitions and throughput unit autoscaling enabled, starting at 1 TU and capped at a maximum of 20 TUs.

To customize this, you can adapt the arguments of the threat detection Terraform module (source = sysdiglabs/secure/azurerm//modules/services/event-hub-data-source). Review the module specifications here.