Microsoft Azure Securlet activation



Article ID: 237666


Updated On:


CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS


Directions for activating the Azure Securlet while the documentation is being updated.



  1. Azure Account

    Have admin access to the Azure account.

  2. CloudSoc API Key

    Create an API key and note Key ID, Key Secret and Tenant. For more information, refer to Creating an API key.

Configuring the Azure Securlet 

  1. To activate an Azure Securlet, log in to the CASB tenant, go to Store | Microsoft Azure, and click Configure.
    This opens the "Microsoft Azure Configuration" window.

  2. Enter the Connection Name.  

  3. By default, all storage accounts are scanned. If you want to limit the scanning to specific storage accounts, enable Data Scanning.

  4. Once Data Scanning is enabled, you then have the option to define a data scanning scope as well as exceptions to that scope.

    Selective scanning only scans storage accounts that match the configuration.

  5. Save the connection.
  6. Download the Azure PowerShell script and follow the steps under "Run PS Script in Azure Account" below.
    Note: The connection is listed under connections in the draft state until the administrator runs the PS Script in Azure successfully.
  7. Once the PS Script is deployed in the Azure account, the accounts/subscriptions from Azure are onboarded, and Current Connections Details becomes visible under Azure Connection.

Run PS Script in Azure Account  

  1. Open the PS Script and update the CloudSocKeys at line 11:
    $cloudsoc_public_key = "<key_id>"
    $cloudsoc_secret_key = "<key_secret>"
    $cloudsoc_tenant_id = "<tenant>"
  2. Log in to the Azure account.
  3. Open Cloud Shell.
  4. Upload the PSScript to the Cloud Shell.
  5. Run the script and follow the steps; it will prompt you to select a specific subscription or all subscriptions.
  6. It is completely automated, with just one manual step to provide user and directory-level permissions. The details are available in the script itself.

PS Script generated resources.

The following resources will be generated.

  1. CloudSoc App under Azure Active Directory
  2. This app will require User.Readall, Directory.ReadAll and Application.ReadAll permissions to the Active Directory Application (cloudsoc_brcm_conn_app)
  3. Event Grid Subscription (Azure Subscription) filtered on the event types Resource Write success, Resource Delete success and Resource Action success, for the selected subscription.
  4. The script will create Event Subscriptions for all the storage accounts under the selected subscription.
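
A read-only check that can be run in Cloud Shell after the script completes, to review what was created against the list above. This is an added example, not part of the Broadcom script or documentation. It assumes the app display name given above, that the Microsoft Graph names User.Read.All, Directory.Read.All and Application.Read.All are the three permissions listed, that the app declares them as required resource access, and the Event Grid REST API version shown.

```powershell
# Added example (not the vendor script): read-only audit of the onboarding results.
# Assumptions: display name from the article; Graph permission names; API version.
$appName  = 'cloudsoc_brcm_conn_app'
$expected = 'User.Read.All', 'Directory.Read.All', 'Application.Read.All'
$apiVer   = '2022-06-15'

# 1. App registration: list every permission it requests and flag undocumented ones.
$apps = @(Get-AzADApplication -DisplayName $appName)
if ($apps.Count -eq 0) { throw "App registration '$appName' not found in this directory." }

$perms = foreach ($rra in $apps.RequiredResourceAccess) {
    # Resolve permission GUIDs to names through the resource's service principal.
    $sp = Get-AzADServicePrincipal -ApplicationId $rra.ResourceAppId
    $names = @{}
    foreach ($p in @($sp.AppRole) + @($sp.Oauth2PermissionScope)) {
        if ($p) { $names["$($p.Id)"] = $p.Value }
    }
    foreach ($ra in $rra.ResourceAccess) {
        $name = $names["$($ra.Id)"]
        [pscustomobject]@{
            Resource   = $sp.DisplayName
            Permission = $name
            Type       = $ra.Type                 # Role = application, Scope = delegated
            Documented = $expected -contains $name
        }
    }
}
$perms | Format-Table -AutoSize

# 2. Event Grid subscriptions at subscription scope and on each storage account.
$scopes = @("/subscriptions/$((Get-AzContext).Subscription.Id)") +
          @((Get-AzStorageAccount).Id | Where-Object { $_ })

$events = foreach ($scope in $scopes) {
    $path = "$scope/providers/Microsoft.EventGrid/eventSubscriptions?api-version=$apiVer"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) { Write-Warning "HTTP $($resp.StatusCode) for $scope"; continue }
    foreach ($es in @(($resp.Content | ConvertFrom-Json).value)) {
        [pscustomobject]@{
            Scope       = $scope.Split('/')[-1]
            Name        = $es.name
            Destination = $es.properties.destination.endpointType
            EventTypes  = $es.properties.filter.includedEventTypes -join ', '
        }
    }
}
$events | Format-Table -AutoSize
```

Rows with Documented = False, or event subscriptions on storage accounts outside the configured scanning scope, are the items to review before accepting the connection.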