Articles in this section

Azure Compliance Integration - Manually using the Azure Portal

To manually create integration between Lacework and Azure for Compliance using the Azure Portal and the Lacework Console, you must have access to the following accounts:

  • You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • You must have Lacework account with administrator privileges.  

This topic describes how to configure a Lacework-Azure integration manually using the Azure Portal and the Lacework Console.

Create the Azure App

The following procedure describes how to create a new Azure App that is required for an integration between Lacework and Azure.

To manually create Azure App:

  1. Log in to the Azure Portal.
  2. In the left panel, select Azure Active Directory.
  3. Select App registrations.
  4. Click + New registration.
  5. In the Register an application panel, enter the following values:
    1. In the Name field, enter Lacework SA Audit.
    2. For the Supported account types, leave the default Accounts in this organizational directory only (my_dir) option.
    3. For the Redirect URL, leave the URL blank.
  1. Click Register.
  2. Under Manage, click Branding. In the Home Page URL field, enter https://securityaudit.lacework.net and click Save.

The URL specified must be unique among all your applications. Lacework recommends specifying https://securityaudit.lacework.net to match the same URL expected by the Lacework scripts. If you run the scripts at a future date, the scripts will update the correct Azure App.

Register Providers for Key Vault and Storage

You can skip this procedure if your tenant does not have subscriptions.

For each subscription that uses the Key Vault service, you must register the Microsoft.KeyVault providers, as described in the steps below and for each subscription that uses storage accounts, you must register the Microsoft.Storage providers, as described in the steps below.

NOTE: Some providers are automatically registered by default, however, the Microsoft.Storage and Microsoft.KeyVault providers are not automatically registered.

To register the Key Vault and Storage subscriptions:

  1. In the main search field, enter subscription and from select Subscriptions from the drop-down.
  2. Browse and click your subscription.
  3. Click Resource providers.
  4. If the subscription will use the Key Vault service, in the Filter by name… field enter Key.
  5. Click Microsoft.KeyVault and Register.
  6. Keep clicking Refresh until the status changes to Registered.
  7. If the subscription will use storage accounts, in the Filter by name… field enter Storage.
  8. Click Microsoft.Storage and click Register. 
  9. Keep clicking Refresh until the status changes to Registered.
  10. Repeat these steps for all the subscriptions that are using Key Vault service and/or storage accounts.

Give the App the Appropriate API Permissions

The Azure App you created in the previous section must be given access permissions to the following Azure APIs:

  • Microsoft Graph
  • Azure Storage
  • Azure Key Vault
  • Windows Azure Active Directory

To grant the access permissions to the Azure APIs to the Azure App:

  1. In the left panel, select Azure Active Directory.
  2. Select App registrations.
  3. From the App registrations panel, select the Lacework SA Audit App created in the previous section.  
  4. Click API permissions and Add a permission.
  5. In the Request API permissions panel, select the Microsoft Graph tile.
  6. In the Request API permissions panel, click the Application permissions tile.
  7. In the Request API permissions panel, scroll down and expand User.
    Click the User.Read.All checkbox and Add permissions.
  8. Click Add a permission.
  9. In the Request API permissions panel, select the Azure Active Directory Graph tile or the Windows Azure Active Directory option in the APIs my organization uses tab.  Ignore the warning.
  10. In the Request API permissions panel, click the Application permissions tile.
    mceclip0.png
  11. In the Request API permissions panel, scroll down and expand Directory. Click the Directory.Read.All checkbox and Add permissions.
  12. Click Add a permission.
  13. In the Request API permissions panel, select the Azure Key Vault tile.
    NOTE: To see Azure Key Vault listed, the Microsoft.KeyVault provider may need to be registered as described in a previous step. 
  14. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Have Full Access to the Azure Key Vault service checkbox, and Add permissions.
  15. Click Add a permission.
  16. In the Request API permissions panel, select Azure Storage. You may have to select the APIs my organization uses tab to find Azure Storage.
    NOTE: To see Azure Storage listed, the Microsoft.Storage provider may need to be registered as described in a previous step. 
  17. In the Request API permissions panel, click the Delegated permissions tile, the user_impersonation Access Azure Storage checkbox, and Add permissions. 
  18. Click Grant admin consent for <your_dir> and Yes. You should see the following permissions.

Additional Configuration of a Tenant with Subscriptions

The following procedure describes the additional configuration steps required for a tenant with subscriptions.

You can skip this procedure if your tenant does not have subscriptions.

Assign Roles to Subscriptions

You must give the Azure App permissions to access subscriptions that you want to be monitored.

To assign roles to all subscriptions: 

  1. In the main search field, enter subscription and from select Subscriptions from the drop-down.
  2. Browse and click your subscription.
  3. Click Access control (IAM).
    mceclip2.png
  4. In the Add a role assignment tile, click Add.
  5. In the Add role assignment panel, enter Reader in the Role field.
  6. Leave the Assign access to field set to Azure AD user, group, or service principal.
  7. In the Select field, enter the App name such as Lacework SA and under the Selected members field, click Lacework SA Audit.
  8. Click Save.
  9. Repeat these steps for all the subscriptions in your tenant.

Azure App Access to Key Vaults

If some of your subscriptions use Key Vault services, give your Azure App access to each Key Vault used in your subscriptions.

To give your Azure App access to each Key Vault used in your subscriptions:

  1. In the main search field, enter key and select Key vaults from the drop-down.
  2. Click a key vault and select Access policies.
  3. Click + Add new.
  4. Click Select principal >.
  5. Under Principal in the Select field, enter the App name such as Lacework SA Audit.
  6. Click Lacework SA Audit.
  7. Click Select.
  8. From the Key permissions drop-down, select List.
  9. From the Secret permissions drop-down, select List.
  10. Click OK.
  11. Repeat these steps for all the Key Vaults used in your subscriptions of your Azure App.

Gather the Required Azure Client ID, Tenant ID, and Client Secret

Use the Azure Portal, to gather the following settings:

  • Client ID (Application ID)
  • Client Secret
  • Tenant (Directory) ID

When creating the Azure Integration for Compliance in the Lacework Console, you must provide values for these properties. The following procedure describes how to get these values from the Azure portal.

Use the Azure Portal, to gather the required settings:

  1. In the left panel, select Azure Active Directory.
  2. Select App registrations.
  3. From the App registrations panel, select the Lacework SA Audit App.  
  4. Open a text editor and copy and paste the Application (client) ID and the Directory (tenant) ID into a tempory file. In the file, label the values. Leave the file open in the editor.
  5. Click Certificates & secrets.
  6. If you do not have a client secret, create one.
    1. Under Client secrets, click New client secret.
    2. Enter a name, an expiration date and click Add.
    3. Copy and paste the value of the Client secret into the open file and label the value.

Create the Azure Compliance Integration on the Lacework Console

Finish the integration using the Lacework Console as described by the following steps.

  1. Log in to the Lacework Console.
  2. Select Settings > Integrations.  
  3. Select INCOMING > Azure.
  4. Click + ADD INTEGRATION.
  5. In the Name field, enter a unique name for the integration.
  6. In the Client ID field, enter the Application (client) ID value copied from Azure Portal.
  7. In the Tenant ID field, enter the Directory (tenant) ID value copied from Azure Portal.
  8. In the Client Secret field, enter the Client secret value copied from Azure Portal.
  9. Click Save. In Settings > INCOMING, a new integration displays.
  10. When the integration is complete and successful, the status changes to Integration Successful.