Azure
Install using the Wizard
The installation options include:
- Agentless CSPM and/or
- Agentless Cloud Detection and Response (CDR)
Prerequisites
- Sysdig Secure SaaS with administrator permissions
- Terraform v. 1.3.1+ installed on the machine from which you will deploy the installation
- The Azure CLI installed on the same machine. For more information, see How to install the Azure CLI.
- Azure requirements for roles, permissions, and environment, as described in Prepare Your Environment
Review Azure Roles and Permissions
Review these concepts before preparing your environment and running the installation wizard.
User Types
There are two user types in the Azure onboarding:
- “You:” The human user performing the installation is the primary type of user. Sometimes this “you” may encompass multiple people in an organization. The human user(s) need specific Entra ID and Azure RBAC roles to perform the cloud account onboarding.
- Service Principal: The onboarding process creates a “robot user” called a Service Principal. It has different, less permissive roles that are used by Sysdig.
Azure Role Types
Azure has two types of roles that must be correctly assigned for you to onboard:
- Entra ID roles, which apply to the entire Tenant and control what actions you can take in that tenant. For background information, see the Azure documentation on Entra ID (formerly Active Directory) roles.
- Azure RBAC roles, which apply to a Subscription or Management Group and control what actions you can take on that subscription/management group. For background information, see the Azure documentation on Azure Role-Based Access Control and Assigning Azure Roles in the Azure Portal.
Permissions Required to Install
Entra ID
To perform the installation, you will need to authenticate as a user with the following Entra ID roles:
- Application Administrator and Privileged Role Administrator
  - Application Administrator is required to create a Service Principal associated with a Sysdig-owned application.
  - Privileged Role Administrator is required to assign the Directory Readers Entra ID role to the created Service Principal.
OR
- Global Administrator
  - Global Administrator contains both of the above permissions in a single role.
For background information, see the Azure documentation on Application Administrator and Privileged Role Administrator.
Azure RBAC
Your user must have the following permission to assign Azure RBAC roles:
- Microsoft.Authorization/roleAssignments/write
  - This permission is used to assign the Service Principal its roles on the specified Subscriptions. The permissions assigned are documented below.
Common roles that contain this permission are:
- User Access Administrator
- Owner
Permissions Granted to Sysdig
The installation creates a Service Principal that Sysdig can access. This Service Principal is granted the following roles:
Entra ID:
- Directory Readers: this role allows Sysdig to list Users and Service Principals for CSPM.
Azure RBAC:
- Reader: this role allows Sysdig to list resources within your subscriptions for CSPM.
- Custom Role: a custom role that gives Sysdig permission to collect the AuthSettings object required for CSPM.
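As an added illustration, not the snippet the wizard generates, this maps the three grants above onto the Terraform resource types the CSPM install creates (listed under Features and Resources on Azure), so you can review exactly what the robot user receives. The Sysdig application client ID, subscription ID and role name are assumed inputs, and the custom role's action list is a placeholder because this page does not state it:

```hcl
# Added illustration, not Sysdig's module or the wizard's generated code.
# var.sysdig_app_client_id (the Sysdig-owned application) and
# var.subscription_id are assumed inputs.
resource "azuread_service_principal" "sysdig" {
  client_id = var.sysdig_app_client_id  # "application_id" on azuread provider < 2.44
}

# Entra ID: Directory Readers, so Sysdig can list users and service principals.
# Assigning a directory role is why the installer needs Privileged Role Administrator.
resource "azuread_directory_role" "directory_readers" {
  display_name = "Directory Readers"
}

resource "azuread_directory_role_assignment" "sysdig_directory_readers" {
  role_id             = azuread_directory_role.directory_readers.template_id
  principal_object_id = azuread_service_principal.sysdig.object_id
}

# Azure RBAC: built-in Reader on the subscription, to list resources.
resource "azurerm_role_assignment" "sysdig_reader" {
  scope                = "/subscriptions/${var.subscription_id}"
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.sysdig.object_id
}

# Azure RBAC: a custom role scoped to the single subscription and limited to
# the AuthSettings read that CSPM needs (action list is a placeholder).
resource "azurerm_role_definition" "sysdig_authsettings" {
  name  = "sysdig-cspm-authsettings"   # assumed name
  scope = "/subscriptions/${var.subscription_id}"
  permissions {
    actions     = ["<PLACEHOLDER: AuthSettings action from the wizard snippet>"]
    not_actions = []
  }
  assignable_scopes = ["/subscriptions/${var.subscription_id}"]
}

resource "azurerm_role_assignment" "sysdig_authsettings" {
  scope              = "/subscriptions/${var.subscription_id}"
  role_definition_id = azurerm_role_definition.sysdig_authsettings.role_definition_resource_id
  principal_id       = azuread_service_principal.sysdig.object_id
}
```

When reviewing the wizard's snippet, compare its `scope` and `assignable_scopes` values against this shape: anything broader than the subscriptions you intend to onboard is worth questioning before `terraform apply`.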
Prepare Your Environment
Preparation of your Azure environment, roles, and permissions is the key to a seamless connection between your Azure cloud accounts and Sysdig. When preparation is complete, the installation itself is a simple, wizard-guided process from the Sysdig Secure UI.
Follow each of the steps below to prepare for onboarding.
Step 1: Provide User with Appropriate Roles
Log into Azure and ensure that the user you log in with has all the necessary roles and permissions required to install.
You can:
- Use an existing user who meets the permissions requirements
- Create a new user and set up permissions
- Add permissions to an existing user
To begin:
1. Log in to Azure and check your Entra ID roles:
   - Navigate to the Entra ID console and select Roles and Administrators.
   - Click Your Role. Entra ID is displayed with the associated roles.
   - Add any missing Entra ID roles. (See Permissions Required to Install.)
2. Check your Azure RBAC roles:
   - For Single Subscriptions: navigate to Subscriptions, click the target subscription, go to Access Control (IAM), click Role Assignments, and ensure that the required Azure role is assigned to your user. (See Permissions Required to Install.)
   - For Management Groups: navigate to Management Groups, click the target Management Group, go to Access Control (IAM), click Role Assignments, and ensure that the required Azure role is assigned to your user.
   - Add any missing Azure RBAC role assignments. (See Permissions Required to Install.)
Step 2: Configure Your Subscriptions
Register the resource provider Microsoft.ManagedService in each subscription to be onboarded. For further guidance, see Azure’s registration instructions.
Step 3: Authenticate and Configure Terraform
Configure your environment from your local machine, preparing to apply Terraform.
Ensure the prerequisites are met:
- Terraform v.1.3.1+ installed
- Azure CLI installed
Authenticate your user and configure Terraform to use these credentials.
A common way to do this is:
- Ensure you are logged in to the correct Tenant.
- Log in using the Azure CLI:
```bash
az login --tenant "TENANT_ID_OR_DOMAIN"
```
  You will be presented with a web page to select your user account. Be sure to log in as the user you configured in Step 1.
- Confirm you are logged in as the correct user by running:
```bash
az ad signed-in-user show
```
(For alternative ways to authenticate Terraform, see the Terraform documentation: Authenticating to Azure Active Directory and Authenticating to Azure.)
Install using Wizard
To install agentless CSPM and/or CDR, follow the Wizard Quick Start.
1. Log in and authenticate in Azure, per the Preparation steps above.
2. Log in to Sysdig Secure as admin and select Integrations > Cloud Accounts | Azure.
3. Click Add Azure Account and select the installation method that matches your enterprise methods:
   - Select CSPM and/or CDR features and click Next. Note: CIEM is not available on Azure at this time.
   - Choose whether you are connecting a Single or Tenant Subscription and click Next.
4. The Wizard will auto-populate a code snippet including the autodetected Sysdig Secure endpoint and Sysdig Secure API token.
5. Create a file called main.tf and copy the code snippet from the Wizard into the file.
6. Run:
```bash
terraform init && terraform apply
```
7. Return to the Wizard interface and click Complete.
8. After deploying, validate the services are working.
Note that each step is necessary. Run the code snippet in the command line, then return to the Sysdig UI and click Complete.
Validate
Log in to Sysdig Secure and check that each module you deployed is functioning. Events may take 10 minutes or so to collect and display.
Check Overall Connection Status
Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
Check CSPM
Inventory: Select the Inventory module and filter for subscription = . Check for your Azure cloud account in the drop-down.
Features and Resources on Azure
Agentless CSPM
Resources Created:
- azuread_service_principal
- azuread_directory_role_assignment
- azurerm_role_assignment
- azurerm_role_definition
Agentless Cloud Detection and Response (CDR)
This feature performs threat detection using Falco rules and policies on platform logs. Agentless CDR relies on the following Azure features; see the linked Azure docs for details:
- Diagnostic Settings, which send the platform logs to an Event Hub
- Event Hub, to which Sysdig subscribes
- Service Principal, the identity through which Sysdig subscribes to the Event Hub
Resources Created:
- azuread_service_principal
- azurerm_role_assignment
- azurerm_resource_group
- azurerm_eventhub_namespace
- azurerm_eventhub
- azurerm_eventhub_consumer_group
- azurerm_eventhub_namespace_authorization_rule
- azurerm_monitor_diagnostic_setting
Advanced: Tuning Event Hub
Sysdig provides a default configuration for Event Hub that relies on a standard tier Event Hub with four partitions and throughput unit autoscaling enabled, starting from 1 TU and capped at 20 maximum TUs.
To customize this, adapt the arguments of the threat detection Terraform module (source = sysdiglabs/secure/azurerm//modules/services/event-hub-data-source). Review the module specifications here.
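As an added illustration, not Sysdig's module code or the wizard's generated snippet, the default sizing described above is written out as the plain azurerm resources listed under Resources Created, with the arguments you would adjust when tuning marked in comments. Resource names, region and retention period are assumptions:

```hcl
# Added illustration, not Sysdig's module or the wizard's generated code.
# Names, region and retention are assumptions.
resource "azurerm_resource_group" "sysdig_cdr" {
  name     = "rg-sysdig-cdr"   # assumed name
  location = "westeurope"      # assumed region
}

# Standard tier with throughput unit (TU) autoscaling ("auto-inflate")
# enabled, starting at 1 TU and capped at 20 TUs. These three arguments
# are the tuning knobs for ingest volume.
resource "azurerm_eventhub_namespace" "sysdig" {
  name                     = "evhns-sysdig-cdr"  # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.sysdig_cdr.name
  location                 = azurerm_resource_group.sysdig_cdr.location
  sku                      = "Standard"
  capacity                 = 1      # starting TUs
  auto_inflate_enabled     = true
  maximum_throughput_units = 20     # autoscaling cap; raise for noisy tenants
}

# Four partitions, as in the default. On the Standard tier the partition
# count cannot be changed after creation, so size it before the first apply.
resource "azurerm_eventhub" "sysdig" {
  name                = "evh-sysdig-cdr"
  namespace_name      = azurerm_eventhub_namespace.sysdig.name  # azurerm 4.x also accepts namespace_id
  resource_group_name = azurerm_resource_group.sysdig_cdr.name
  partition_count     = 4
  message_retention   = 1   # days; assumed
}

# A dedicated consumer group for Sysdig so its read position is independent
# of any other consumer of the same hub.
resource "azurerm_eventhub_consumer_group" "sysdig" {
  name                = "sysdig"
  namespace_name      = azurerm_eventhub_namespace.sysdig.name
  eventhub_name       = azurerm_eventhub.sysdig.name
  resource_group_name = azurerm_resource_group.sysdig_cdr.name
}
```

If throughput is exhausted, Diagnostic Settings drop or delay log delivery, so a sustained 20 TU ceiling on the namespace is the first thing to check when detections arrive late.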