Features and Resources on Azure

The following features and resources are available on Azure.

Agentless CSPM

Resources Created

  • azuread_service_principal
  • azuread_directory_role_assignment
  • azurerm_role_assignment
  • azurerm_role_definition

Agentless Cloud Detection and Response (CDR)

Agentless CDR performs threat detection using Falco rules and policies on platform logs. It relies on the following Azure features (see the linked Azure docs for details):

Resources Created

  • azuread_service_principal
  • azurerm_role_assignment
  • azurerm_resource_group
  • azurerm_eventhub_namespace
  • azurerm_eventhub
  • azurerm_eventhub_consumer_group
  • azurerm_eventhub_namespace_authorization_rule
  • azurerm_monitor_diagnostic_setting

Disable CDR for Microsoft Entra ID

Cloud Detection and Response (CDR) coverage of Azure includes threat detection for Microsoft Entra ID. Entra logs are monitored with dedicated policies and rule types through a dedicated Falco plugin.

Threat detection for Entra ID is enabled by default. To disable ingestion of Entra ID logs, set the Terraform parameter enable_entra to false.

Advanced: Tuning Event Hub

Sysdig provides a default Event Hub configuration that uses a Standard-tier Event Hub with four partitions and throughput unit (TU) autoscaling enabled, starting from 1 TU and capped at a maximum of 20 TUs.

To customize this, adapt the arguments of the threat detection Terraform module (source = sysdiglabs/secure/azurerm//modules/services/event-hub-data-source). See the module specifications.

Vulnerability Management Agentless Host Scanning

This feature performs vulnerability host scanning using disk snapshots and Azure Lighthouse to provide highly accurate views of vulnerability risk, access to public exploits, and risk management. Vulnerability Host Scanning relies on the following Azure features; see the linked Azure docs for details:

  • Azure Lighthouse to manage the relationship between the Sysdig Service Principal and the target subscriptions.
  • Disk snapshots to share disks with Sysdig.

Resources Created

  • azurerm_lighthouse_definition
  • azurerm_lighthouse_assignment

The Lighthouse Definition and Assignment are created in the target subscriptions to let Sysdig access the disks for scanning. The role assigned to the Sysdig Service Principal is VM Scanner Operator, which lets Sysdig read the disks and create snapshots. Here is the detailed list of permissions:

  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/beginGetAccess/action
  • Microsoft.Compute/disks/diskEncryptionSets/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/instanceView/read
  • Microsoft.Compute/virtualMachineScaleSets/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
  • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read

The VM Scanner Operator role has the minimal permission set needed to create snapshots.

How to Exclude/Include Resources from Vulnerability Scanning in Azure

When you connect your Azure subscription with Vulnerability Host Scanning, by default all Resource Groups and Virtual Machines with root disks in the subscription are included in the scan.

If you need to exclude specific Resource Groups or Virtual Machines from being scanned, you can use tags.

How to exclude Resource Groups or Hosts: To exclude certain Resource Groups or Virtual Machines from being scanned, assign specific tags to them in the Azure Console or through Azure APIs.

Set these tags before initiating the scanning process. If you add tags after onboarding, the exclusion only takes effect in subsequent scans.

How to include Data Disks in Scans: By default, only the root disks of Virtual Machines are scanned.

To also include data disks in scans, use the specific tags described below.

You can apply the following tags at the Disk, Virtual Machine, or Resource Group level. You can add tags at any time, for example to exclude something that was scanned or include something that was not.

Keys: sysdig:secure:scan, sysdig:secure:data-volumes:scan

Values: true, false

Usage Examples

  • "sysdig:secure:scan": "false" on a Resource Group excludes all resources within that group from scanning.
  • "sysdig:secure:scan": "false" on a Virtual Machine excludes the VM and all its disks from scanning.
  • "sysdig:secure:scan": "true" on a data disk of a VM includes that disk in scanning.
  • "sysdig:secure:data-volumes:scan": "true" on a Resource Group has the same effect as applying the "sysdig:secure:scan": "true" tag to all the data disks of all the VMs in it.
  • "sysdig:secure:data-volumes:scan": "true" on a VM has the same effect as applying the "sysdig:secure:scan": "true" tag to all its data disks.
  • "sysdig:secure:data-volumes:scan": "true" on a Resource Group, while "sysdig:secure:data-volumes:scan": "false" is set on a VM of the same Resource Group, has the same effect as applying the "sysdig:secure:scan": "true" tag to all data disks of all the VMs within the Resource Group except the one explicitly excluded via the tag.

The following tags are redundant: using them has the same effect as not having them. This is either because Sysdig scans the resource by default or because the value is overridden by a tag at a higher level (such as a Resource Group or a Virtual Machine).

  • "sysdig:secure:scan": "true" on a Resource Group
  • "sysdig:secure:scan": "true" on a VM
  • "sysdig:secure:scan": "true" on the root disk of a VM
  • "sysdig:secure:scan": "false" on any data disk of a VM
  • "sysdig:secure:scan": "false" on the root disk of a VM; the root disk is always scanned as part of the VM scan
  • "sysdig:secure:data-volumes:scan": "false" on a Resource Group
  • "sysdig:secure:data-volumes:scan": "false" on a VM
  • "sysdig:secure:data-volumes:scan": "false" on any data disk of a VM
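The usage examples and the redundant-tag list above together define a small precedence model: a scan=false tag on a Resource Group or VM removes the VM and every disk; root disks always follow their VM; data disks need an opt-in from the disk itself or from a data-volumes tag on the VM or the Resource Group, with a VM-level data-volumes tag overriding the Resource Group's. The following added example (not Sysdig's code; a stand-alone model of the documented rules, not the scanner's implementation) resolves those rules over a constructed inventory and also reports tags the page lists as having no effect, so an operator can check a tagging plan before onboarding. The inventory, the dataclasses and the function names are assumptions for this illustration.

```python
from dataclasses import dataclass, field

# Tag keys documented on the page; Azure tag values are strings.
SCAN_TAG = "sysdig:secure:scan"
DATA_VOLUMES_TAG = "sysdig:secure:data-volumes:scan"


@dataclass
class Disk:
    name: str
    is_root: bool
    tags: dict = field(default_factory=dict)


@dataclass
class VirtualMachine:
    name: str
    disks: list
    tags: dict = field(default_factory=dict)


@dataclass
class ResourceGroup:
    name: str
    vms: list
    tags: dict = field(default_factory=dict)


def _flag(tags, key):
    """Return True/False for a boolean-valued tag, or None when the tag is absent."""
    value = tags.get(key)
    if value is None:
        return None
    return str(value).strip().lower() == "true"


def vm_is_scanned(rg, vm):
    """A VM is scanned unless its own or its Resource Group's scan tag is false."""
    return _flag(rg.tags, SCAN_TAG) is not False and _flag(vm.tags, SCAN_TAG) is not False


def data_volumes_enabled(rg, vm):
    """VM-level data-volumes tag wins; otherwise inherit the Resource Group's; default off."""
    vm_flag = _flag(vm.tags, DATA_VOLUMES_TAG)
    if vm_flag is not None:
        return vm_flag
    return _flag(rg.tags, DATA_VOLUMES_TAG) is True


def scanned_disks(rg):
    """List 'vm/disk' identifiers that the documented tag rules select for scanning."""
    selected = []
    for vm in rg.vms:
        if not vm_is_scanned(rg, vm):
            continue  # scan=false on the VM or its group excludes every disk
        include_data = data_volumes_enabled(rg, vm)
        for disk in vm.disks:
            # Root disks always go with the VM; data disks need an opt-in.
            if disk.is_root or include_data or _flag(disk.tags, SCAN_TAG) is True:
                selected.append(f"{vm.name}/{disk.name}")
    return selected


def ineffective_tags(rg):
    """Report (scope, key, value) tuples for tags the page lists as redundant."""
    findings = []
    if _flag(rg.tags, SCAN_TAG) is True:
        findings.append((rg.name, SCAN_TAG, "true"))
    if _flag(rg.tags, DATA_VOLUMES_TAG) is False:
        findings.append((rg.name, DATA_VOLUMES_TAG, "false"))
    for vm in rg.vms:
        if _flag(vm.tags, SCAN_TAG) is True:
            findings.append((vm.name, SCAN_TAG, "true"))
        # data-volumes=false on a VM only matters when it overrides a group-level true
        if _flag(vm.tags, DATA_VOLUMES_TAG) is False and _flag(rg.tags, DATA_VOLUMES_TAG) is not True:
            findings.append((vm.name, DATA_VOLUMES_TAG, "false"))
        for disk in vm.disks:
            scan = _flag(disk.tags, SCAN_TAG)
            # On a root disk both values are no-ops; on a data disk only false is.
            if scan is not None and (disk.is_root or scan is False):
                findings.append((f"{vm.name}/{disk.name}", SCAN_TAG, disk.tags[SCAN_TAG]))
            if not disk.is_root and _flag(disk.tags, DATA_VOLUMES_TAG) is False:
                findings.append((f"{vm.name}/{disk.name}", DATA_VOLUMES_TAG, "false"))
    return findings


# Constructed sample inventory (not real Azure resources).
RG_PROD = ResourceGroup("rg-prod", tags={DATA_VOLUMES_TAG: "true"}, vms=[
    VirtualMachine("web", [Disk("os", True), Disk("d1", False)]),
    VirtualMachine("db", [Disk("os", True), Disk("d2", False)], tags={DATA_VOLUMES_TAG: "false"}),
    VirtualMachine("legacy", [Disk("os", True), Disk("d3", False)], tags={SCAN_TAG: "false"}),
])
RG_EXCLUDED = ResourceGroup("rg-excluded", tags={SCAN_TAG: "false"}, vms=[
    VirtualMachine("x", [Disk("os", True)]),
])
RG_DEFAULT = ResourceGroup("rg-default", vms=[
    VirtualMachine("app", [Disk("os", True, {SCAN_TAG: "false"}),
                           Disk("d4", False, {SCAN_TAG: "true"}),
                           Disk("d5", False, {SCAN_TAG: "false"})]),
])

if __name__ == "__main__":
    for rg in (RG_PROD, RG_EXCLUDED, RG_DEFAULT):
        print(rg.name, "scanned:", scanned_disks(rg), "no-op tags:", ineffective_tags(rg))
```

In rg-prod the group-level data-volumes tag pulls in web/d1, the VM-level false on db keeps d2 out while db's root disk is still scanned, and legacy drops out entirely; in rg-default the scan=false tags on the root disk and on d5 are reported as no-ops, matching the redundant-tag list.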