The procedure below describes how to create Lacework Azure Integrations by running a Python script called app.py in a terminal window or Azure Cloud bash shell.
This new app.py script has the following features:
- Supports creating a single Lacework Azure Compliance Integration and a single Lacework Azure Activity Log Integration in a single script run. In a script run, you must create a Lacework Azure Compliance Integration. You cannot create just a Lacework Azure Activity Log Integration.
- Supports entering the configuration settings interactively from prompts or by specifying a configuration YAML file. Even if you enter the configuration settings interactively, the script saves the settings into a YAML file. The script retrieves input settings from the configuration YAML file and creates the Lacework-required Azure resources.
- Supports rolling back the changes made in Azure if you determine that the script encountered an issue.
- Supports rolling forward where the last run of the script left off. The script requests that Azure create resources and in some cases, this can take a long time. You just restart the script and the script continues were the script previous left off. This process is called roll forward.
This script and additional files can be downloaded from the Lacework csp-integrations GitHub repository as described in more detail below.
Currently, the Lacework Python app.py script supports Python 2.7.
To create integration between Lacework and Azure using the Azure Portal and the Lacework Console, you must have access to the following accounts:
- You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
- Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
- You must have Lacework account with administrator privileges.
This script prompts if you have a valid Lacework API token. Decide how you will generate the valid Lacework API token.
- If you answer no to this prompt, the script prompts you to provide a Lacework access key file that you create and download from the Lacework Console. For instructions, see Access Keys and Tokens APIs.
- If you answer yes to this prompt, the script prompts you to provide Lacework API token. This API token is used to create the Lacework Integration that is visible from the Lacework Console. To acquire a Lacework API token, follow the instructions in Access Keys and Tokens APIs.
To allow Lacework to audit your Microsoft Azure account, Lacework will create an App called LaceworkSAAudit that:
- is assigned the role of 'Reader' in all subscriptions to be assessed
- has access to the Active Directory Graph API, Key Vault API and Storage API
- has restricted access to Windows Azure Active Directory API
For more information about the permissions granted to Lacework, see Azure Compliance - Lacework Permissions.
Open a CLI Shell, Download the Scripts and Install the Required Python Packages
Open an Azure Cloud Bash shell from the Azure Portal or install and open an Azure CLI window in a terminal window. If using the Azure Cloud Bash shell, enter az when prompted. If using the Azure CLI, start the CLI using the az login command. Keep the bash shell or CLI window open.
Change to the directory where you want to store the python files using the cd command.
To download the python scripts using git, enter the command below. (If you do not have git installed, you can download the files using the Download Zip option from the Lacework CSP-integrations GitHub repository. If installing from a ZIP File, you must also unzip the file. )
$ git clone https://github.com/lacework/csp-integrations.git
Change to the directory that contains the Azure app.py python script.
$ cd csp-integrations/azure-cli
Determine which version of pip is for Python 2.7 in your environment, either pip2 or pip.
$ pip -V
Install the required versions of the python packages by specifying the appropriate pip for Python 2.7, either pip or pip2. When running the pip script from the Azure Cloud bash shell, use pip2.
$ pip install -r requirements.txt --user
Run the Script
You can have the script prompt for the configuration settings or you can specify the path to a configuration settings YAML file. Lacework recommends first running the script interactively using a series of prompts to generate the first YAML configuration file.
To run the script:
Go to the directory that contains the Azure scripts.
$ cd csp-integrations/azure-cli
Determine the python 2.7 executable for your environment. In your terminal, the Python 2 executable may be called python or python2. When running python from the Azure Cloud Shell, the Python 2 executable is called python2.
$ python -V
In the Azure Cloud Shell or the Azure CLI, start the script using the Python 2 executable in your environment, either python or python2.
$ python app.py
Follow the prompts to enter your configuration settings. Answer Y to run the script interactively using a series of prompts. Lacework recommends first running the script interactively using a series of prompts to generate the first YAML configuration file. The script saves the configuration settings into a YAML file. If you accept the settings, the script retrieves the required input settings from the configuration YAML file and creates the Lacework required resources in Azure.
The generated configuration YAML file called configCustom.yml and is created in the azure-cli directory.
Specify Authorization Method
The script prompts for a method for authorizing to Azure.
|CLI or PORTAL||Specify CLI or PORTAL if you are invoking the script from your terminal (with the az login command) or the Azure Cloud bash shell. You are not prompted for a password.|
|USER_PASS||Specify USER_PASS if you want the script to log into Azure using an Azure username and password. You are prompted for a password.|
When prompted, specify a setup string that is prefixed to the Azure resources. The string must be lowercase characters or numbers and the string must be 1 to 3 characters.
Optional - Run the Script from a Configuration File
After the creation of a first integration, you can alter the existing YAML configuration file with the settings for the new integration, rerun the script again and select the option to specify the path to the configuration settings YAML file using the --config option, as shown by the following example.
$ python app.py --config /Users/myfullpath/config.yml
If you specified that the script should automatically create Azure integrations, the script creates Azure integration(s) in your Lacework Application. After the Azure compliance integration is created, the script also generates a compliance report.
The script also creates a file called deploymentOutput.txt that contains the settings required to create Azure integrations in Lacework. If you specified that the script should not automatically create Azure integrations or the creation of the Azure integrations(s) failed, you can create the integration(s) manually as described in the procedures listed below.
If the creation of the Azure integration(s) fail, check the deploymentOutput.txt file for missing permissions and error messages. Fix any problems and create the integration(s) manually.
To create the Azure integration(s) manually, see the following procedures:
- See Create an Azure Activity Log Integration on the Lacework Console at the bottom of Azure Activity Log Integration - Manually using the Azure Portal - Beta
- See Create the Azure Compliance Integration on the Lacework Console at the bottom of Azure Compliance Integration - Manually using the Azure Portal
Azure Creation Script Failures
If the script determines it does not have adequate privileges or it fails to create all the required Azure resources, the script fails and writes the error to a log file called laceworkIntegrationScript.log. If you would also like to rollback permissions, enter the following command.
$ python app.py --config /Users/myfullpath/config.yml --rollback true
Specify the configuration file that was created when you originally ran the script.
The script requests that Azure create resources and in some cases, this can take a long time. You just restart the script and the script continues were the script previous left off. Specify the configuration file that was created when you originally ran the script. This process is called roll forward.
$ python app.py --config /Users/myfullpath/config.yml
Grant the Azure App the Required API Permissions
The Azure App you created in the previous section must be given access permissions to the following Azure APIs.
- Microsoft Graph
- Azure Storage
- Azure Key Vault
- Windows Azure Active Directory
To grant the Azure App the required API permissions, follow the steps in Grant the Azure App the Required API Permissions.