Azure

Sysdig supports Microsoft Azure. Prepare your environment, then follow the wizard’s prompts to install agentless Cloud Security Posture Management (CSPM) on Azure. You can connect single subscriptions or tenants using Terraform. Azure coverage includes threat detection for Microsoft Entra ID.

Cloud Security Posture Management (CSPM)

Connecting your Azure instance sets up a trust relationship between you and Sysdig and enables Cloud Security Posture Management (CSPM) for your Azure environment. CSPM:

  • Monitors and detects misconfigurations in your cloud resources.
  • Ensures your cloud environment complies with industry standards and regulations.
  • Provides a comprehensive inventory of all cloud assets, helping you maintain visibility and control over your environment.

Prerequisites

General Requirements

  • Sysdig Secure SaaS with Admin permissions
  • Terraform v1.3.1+ installed
  • Azure CLI installed

Specific Requirements

Permissions Granted to Sysdig

The installation creates a service principal that Sysdig can access. This service principal is granted the following roles:

  • Entra ID:
    • Directory Readers: Allows Sysdig to list users and service principals for CSPM.
  • Azure RBAC:
    • Reader: Allows Sysdig to list resources within your subscriptions for CSPM.
    • Custom Role: Gives Sysdig permissions to collect the AuthSettings object required for CSPM.

Review Azure Roles and Permissions

Security Principals

  • Installer: The primary security principal, either a human user or a service principal.
  • Sysdig: A “robot user” created during onboarding with specific, less permissive roles.

Azure Role Types

  • Entra ID Roles: Applied to the entire tenant.
  • Azure RBAC Roles: Applied to the subscription or management group.

Permissions Required to Install

  • Entra ID Roles
    • Application Administrator and Privileged Role Administrator, or
    • Global Administrator
  • Azure RBAC Roles
    • User Access Administrator, or
    • Owner

Prepare Your Environment

1. Configure Installation Permissions

Ensure the principal you log in to Azure with has the necessary roles and permissions to install. You can:

  • Use an existing principal who meets the permissions requirements.
  • Create a new principal and set up permissions.
  • Add permissions to an existing principal.

  1. Log in to Azure.
  2. Check Entra ID Roles:
    • Navigate to the Entra ID console and select Roles and Administrators.
    • Verify and add necessary roles.
  3. Check Azure RBAC Roles:
    • For Single Subscriptions: Navigate to Subscriptions, select the target subscription, and verify roles.
    • For Management Groups: Navigate to Management Groups, select the target group, and verify roles.

2. Authenticate and Configure Terraform

  1. Authenticate your user using the command:
    az login --tenant "TENANT_ID_OR_DOMAIN"
    
  2. Verify your login using the command:
    az ad signed-in-user show
    

3. Collect your Azure Tenant ID and Subscription ID

Tenant ID

  1. Sign in to the Azure portal.
  2. Browse to Microsoft Entra ID > Properties.
  3. Scroll down to the Tenant ID section; your tenant ID is shown in the box.
  4. Select the Copy to clipboard icon shown next to the Tenant ID. You can paste this value into a text document or other location.

Subscription ID

  1. Sign in to the Azure portal.
  2. Under the Azure services heading, select Subscriptions. If you don’t see Subscriptions here, use the search box to find it.
  3. Find the subscription in the list, and note the Subscription ID shown in the second column. If no subscriptions appear, or you don’t see the right one, you may need to switch directories to show the subscriptions from a different Microsoft Entra tenant.
  4. To easily copy the Subscription ID, select the subscription name to display more details. Select the Copy to clipboard icon shown next to the Subscription ID in the Essentials section. You can paste this value into a text document or other location.
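
The three preparation steps above can be checked from the shell before running Terraform. The script below is an added example, not Sysdig's own code: the function names are hypothetical, and it assumes the installer is a human user already logged in with `az login`.

```shell
#!/bin/sh
# Added example (not Sysdig's code): preflight for the onboarding prerequisites.
# Role lists are passed as text, one role name per line.

has_role() { printf '%s\n' "$1" | grep -Fxq -- "$2"; }

# Entra ID: Global Administrator, or both Application Administrator
# and Privileged Role Administrator.
entra_roles_ok() {
  has_role "$1" "Global Administrator" && return 0
  has_role "$1" "Application Administrator" &&
    has_role "$1" "Privileged Role Administrator"
}

# Azure RBAC: Owner or User Access Administrator on the target scope.
rbac_roles_ok() {
  has_role "$1" "Owner" || has_role "$1" "User Access Administrator"
}

# Tenant and subscription IDs are GUIDs; reject domains or truncated pastes.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# preflight TENANT_ID SUBSCRIPTION_ID [SCOPE]   (run after `az login`)
# SCOPE defaults to the subscription; pass a management group scope for
# tenant onboarding. Only active, user-held Entra roles are visible here.
preflight() {
  is_guid "$1" && is_guid "$2" || { echo "IDs must be GUIDs" >&2; return 2; }
  scope=${3:-/subscriptions/$2}
  want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  [ "$(az account show --query tenantId -o tsv)" = "$want" ] ||
    { echo "logged in to a different tenant" >&2; return 1; }
  me=$(az ad signed-in-user show --query id -o tsv) || return 2
  entra=$(az rest --method get --url \
    "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.directoryRole" \
    --query "value[].displayName" -o tsv) || return 2
  rbac=$(az role assignment list --assignee "$me" --scope "$scope" \
    --include-inherited --query "[].roleDefinitionName" -o tsv) || return 2
  entra_roles_ok "$entra" || { echo "missing Entra ID roles" >&2; return 1; }
  rbac_roles_ok "$rbac" || { echo "missing Azure RBAC role" >&2; return 1; }
  echo "preflight ok for $scope"
}
```

Source the file and run `preflight TENANT_ID SUBSCRIPTION_ID`; a non-zero exit means the installer principal should be fixed before `terraform apply`.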

Install Azure Using the Wizard

  1. Log in to Sysdig Secure.
  2. Select Integrations > Cloud Accounts > Azure and click Add Azure Account in the top-right corner.
  3. Connect your Azure Tenant or Single Subscription.
    • This enables CSPM and lets you onboard Vulnerability Management and CDR once the connection is complete.

Tenant Multi-Subscription

  1. Enter your:
    • Tenant ID: The ID of the tenant you want to onboard.
    • Subscription ID: The ID of the subscription where the Sysdig resources will be created.
  2. Specify Management Groups:
    • For onboarding the entire Tenant: Enter Root Management Group ID.
    • For a subset: Enter Management Group IDs in a comma-separated list.
  3. Generate and apply the Terraform code:
    1. Create a main.tf file.
    2. Copy the snippet provided into the file.
    3. Run the command: terraform init && terraform apply.

Within an hour after deployment, your accounts will appear on the Cloud Accounts page.

Single Subscription

  1. Enter your:
    • Tenant ID: The ID of the tenant which contains the subscription you want to onboard.
    • Subscription ID: The ID of the subscription you want to onboard.
  2. Generate and apply the Terraform code:
    1. Create a main.tf file.
    2. Copy the snippet provided into the file.
    3. Run the command: terraform init && terraform apply.

Within an hour after deployment, your accounts will appear on the Cloud Accounts page.

Validate

You can verify your CSPM configuration by checking the connection status:

  • Log in to Sysdig Secure and select Integrations > Cloud Accounts > Azure.

Within 5 minutes after you apply Terraform, your accounts will appear on the Sysdig Cloud Accounts page. You can add more features after this initial connection.