Azure
| Use Cases | Lacework Feature(s) | Data Source |
|---|---|---|
| Cloud Security Posture Management (CSPM) | Compliance Dashboard and Reports; Attack Path Analysis and Exposure Polygraph | Azure Cloud Configuration |
| User Entity Behaviour Analytics (UEBA) | Cloud Anomaly Detection; Cloud Drift Detection; Cloud Audit Polygraph | Azure Cloud Audit Logs |
| Vulnerability Management | Container Vulnerability Management | ACR |
| Use Cases | Lacework Feature(s) | Data Source |
|---|---|---|
| Cloud Security Posture Management (CSPM); Cloud Infrastructure Entitlement Management (CIEM) | Compliance Dashboard and Reports; Cloud Infrastructure Entitlement Management Dashboard; Attack Path Analysis and Exposure Polygraph | Azure Cloud Configuration |
| User Entity Behaviour Analytics (UEBA) | Cloud Anomaly Detection; Cloud Drift Detection; Cloud Audit Polygraph | Azure Cloud Audit Logs |
Cloud Audit and Configuration: Guided Configuration
This topic describes how to use guided configuration to integrate Azure with Lacework. Guided configuration is a wizard-like interface that takes your input and generates a script that downloads and sets up all necessary Lacework CLI and Terraform components to create the Azure integration non-interactively through Azure Cloud Shell. You can also choose to run the generated bundle from any host supported by Terraform.
Requirements
The final step of guided configuration is to run the generated bundle from either Azure Cloud Shell or any Terraform-supported host. Ensure your environment meets the corresponding requirements.
From Azure Cloud Shell
- Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
- Lacework Administrator - A Lacework account with administrator privileges.
From Any Supported Host
- Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
- Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Linux Tools - The following Linux tools must be installed and present on PATH: curl, Git, and unzip.
- Lacework Administrator - A Lacework account with administrator privileges.
Navigate to Guided Configuration
Follow these steps to integrate using guided configuration.
- Log in to the Lacework Console.
- Go to Settings > Integrations > Cloud accounts.
- Click + Add New.
- Click Microsoft Azure and select Guided configuration.
- Click Next.
- Follow the steps in the next section.
Create an Azure Integration
Answer the questions about how to configure the integration.
Basic Configuration
- Do you want to enable Azure Configuration integration? A Configuration integration analyzes your Azure environment's configuration compliance.
- Do you want to enable Azure Activity Log integration? An Activity Log integration analyzes activity log activity.
- Select an API key.
  - Select an existing API key from the list.
  - If no API keys exist, click Create New Key, provide a name and description, and click Save. Then select the key to use in the integration.
Advanced Configuration
For optional advanced configuration, click Advanced configuration (optional) and click Configure for the options you want to configure. The following options are available.
Configuration integration name
- Specify the Configuration integration name - A unique name for the integration that displays in the Lacework Console.
Activity Log integration name
- Specify the Activity Log integration name - A unique name for the integration that displays in the Lacework Console.
Subscriptions
- Enable all subscriptions? - Enable to grant read access to all subscriptions within the selected tenant.
- Specify list of subscriptions - List of subscriptions to grant read access to. Default behavior uses only the primary subscription.
Active Directory
- Do you want to create an Active Directory integration? - Enable to create an Active Directory integration. An Azure AD application provides Lacework read-only access to Azure subscriptions and tenants.
- Specify AD application ID - Active Directory application ID to use.
- Specify AD application password - Active Directory application password to use.
- Specify AD principal service ID - Enterprise app object ID related to the application ID.
Storage account
- Storage account location - Azure region where the storage account for logging will reside (default is West US 2).
- Use an existing storage account? - Enable to use an existing storage account.
- Storage account name - Name of the storage account.
- Storage account resource group - Resource group for the existing storage account.
Management group
- Enable management group level integration? - If enabled, the AD application will be a Reader at the management group level instead of the subscription level.
- Specify management group ID - Management group ID to add Reader permissions to.
Generate CLI Bundle
After providing basic configuration information and any desired advanced configuration information, generate the CLI bundle.
- Click Generate CLI bundle. This generates a CLI bundle specifically for you based on the information entered. You will copy and paste this into the Azure Cloud Shell to create the integration.
- Ensure your environment meets all prerequisites.
- Click Copy download bundle command to clipboard.
- As an account with global administrator access and owner privileges to the subscription being used, go to the Azure Cloud Shell.
- Paste the command and press enter.
This downloads the Lacework CLI, sets up the CLI with your configuration, calls the CLI non-interactively, and applies Terraform. When the command finishes, the new integration appears in the Cloud accounts list after a screen refresh.
Cloud Audit and Configuration: Lacework CLI
lacework generate cloud-account azure
Generate and/or execute Terraform code for Azure integration
Synopsis
Use this command to generate Terraform code for deploying Lacework into a new Azure environment.
By default, this command functions interactively, prompting for the information required to set up the new cloud account. In interactive mode, this command will:
- Prompt for the required information to setup the integration
- Generate new Terraform code using the inputs
- Optionally, run the generated Terraform code:
- If Terraform is already installed, the version will be confirmed suitable for use
- If Terraform is not installed, or the version installed is not suitable, a new version will be installed into a temporary location
- Once Terraform is detected or installed, Terraform plan will be executed
- The command will prompt with the outcome of the plan and allow to view more details or continue with Terraform apply
- If confirmed, Terraform apply will be run, completing the setup of the cloud account
```shell
lacework generate cloud-account azure [flags]
```
Options
```text
      --activity_log                        enable active log integration
      --activity_log_integration_name string   specify a custom activity log integration name
      --ad_create                           create new active directory integration (default true)
      --ad_id string                        existing active directory application id
      --ad_pass string                      existing active directory application password
      --ad_pid string                       existing active directory application service principle id
      --all_subscriptions                   grant read access to ALL subscriptions within Tenant (overrides subscription ids)
      --apply                               run terraform apply for the generated hcl
      --configuration                       enable configuration integration
      --configuration_name string           specify a custom configuration integration name
      --existing_storage                    use existing storage account
  -h, --help                                help for azure
      --location string                     specify azure region where storage account logging resides
      --management_group                    management group level integration
      --management_group_id string          specify management group id. Required if mgmt_group provided
      --output string                       location to write generated content (default is ~/lacework/azure)
      --storage_account_name string         specify storage account name
      --storage_resource_group string       specify storage resource group
      --subscription_id string              specify the Azure Subscription ID to be used to provision Lacework resources
      --subscription_ids strings            list of subscriptions to grant read access; format is id1,id2,id3
```
Options inherited from parent commands
```text
  -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
  -k, --api_key string      access key id
  -s, --api_secret string   secret access key
      --api_token string    access token (replaces the use of api_key and api_secret)
      --debug               turn on debug logging
      --json                switch commands output from human-readable to json format
      --nocache             turn off caching
      --nocolor             turn off colors
      --noninteractive      turn off interactive mode (disable spinners, prompts, etc.)
      --organization        access organization level data sets (org admins only)
  -p, --profile string      switch between profiles configured at ~/.lacework.toml
      --subaccount string   sub-account name inside your organization (org admins only)
```
SEE ALSO
- lacework generate cloud-account - Generate cloud integration IaC
Cloud Audit and Configuration: Terraform
To integrate with Azure, Lacework recommends using guided configuration. The guided interface takes your input and generates a script that downloads and sets up all necessary Lacework CLI and Terraform components to create the integration non-interactively.
To use guided configuration:
- In the Lacework Console go to Settings > Integrations > Cloud accounts.
- Click + Add New.
- Click Microsoft Azure and select Guided configuration.
Alternatively, follow the steps in this topic for the following methods:
- Use the Lacework CLI to generate and run Terraform code.
- Create the main.tf file manually and run Terraform from any supported host. This may be required for complex integration scenarios.
Overview
This topic describes how to integrate with Azure by running Lacework Terraform modules from any host supported by Terraform.
If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The approach outlined in this topic is targeted towards companies that store Terraform code in source control and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.
Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Integration - Terraform from Azure Cloud Shell.
Resources
To monitor Microsoft Azure Activity Logs and compliance, Lacework requires the following resources:
- Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role).
- Azure Resource Group - A resource group is created to store all resources provisioned during the integration.
- Azure Storage Account - A storage account is used to store Activity Logs.
- Azure Storage Queue - A queue to hold activity log data.
- Azure Event Grid Subscription - An Event Grid used to send notifications about events in Activity Logs.
Requirements
The following is a list of requirements to run Lacework Terraform modules for Azure locally:
- Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
- Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Lacework Administrator - A Lacework account with administrator privileges.
- Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI.
- Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.
Module Dependencies
Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:
For detailed information on these dependencies, visit Lacework on the Terraform Registry.
Install and Configure the Lacework CLI
To configure accounts, the Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server. Lacework provides a shell script to install the Lacework CLI in your system.
Follow these instructions to install and configure the Lacework CLI before continuing.
Integrate Azure for All Subscriptions within the Tenant
This section covers integrating all subscriptions within your Azure tenant.
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
```shell
az login
```
Run the Lacework CLI
Run the following Lacework CLI command:
```shell
lacework generate cloud-account azure \
  --configuration --activity_log \
  --noninteractive --all_subscriptions
```
The Terraform files are created in the `~/lacework/azure` directory. Then:
- Navigate to the `~/lacework/azure` directory.
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to execute Terraform.
If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for the Primary Subscription
This section covers integrating only the primary subscription for a given tenant. The primary subscription is the subscription used to access Cloud Shell. Additionally, when you run the command, you can specify multiple subscriptions with the --subscription_ids flag, for example: --subscription_ids id1,id2,id3.
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
```shell
az login
```
Run the Lacework CLI
Run the following Lacework CLI command:
```shell
lacework generate cloud-account azure \
  --configuration --activity_log \
  --noninteractive
```
The Terraform files are created in the `~/lacework/azure` directory. Then:
- Navigate to the `~/lacework/azure` directory.
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to execute Terraform.
If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for a Management Group
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
```shell
az login
```
Run the Lacework CLI
Run the following Lacework CLI command:
```shell
lacework generate cloud-account azure \
  --configuration --activity_log \
  --noninteractive --management_group \
  --management_group_id MngmtGroupId
```
The Terraform files are created in the `~/lacework/azure` directory. Then:
- Navigate to the `~/lacework/azure` directory.
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to execute Terraform.
If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Disable Collecting and Processing Azure AD Resources
If granted permissions to the directory (via the "Directory Reader" role), Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed for LQL datasources and compliance policies. Disabling this permission may be required if your organization has specific regulatory or privacy requirements that avoid collecting this information by third parties. If disabled, the LQL datasources and related IAM compliance policies will not be assessed.
For existing integrations, at any time, you can remove the "Directory Reader" role from the Azure AD service principal used for Lacework.
When creating a new integration, disable the enable_directory_reader flag in the Lacework ad-application module. By default, this setting is true.
```hcl
module "az_ad_application" {
  source                  = "lacework/ad-application/azure"
  enable_directory_reader = false
  version                 = "~> 1.2"
}
```
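The "If creating the main.tf file manually" notes in the three CLI sections above and the ad-application snippet just shown only give fragments. The following is an added example, not the page's own code and not the modules' official example, of a complete main.tf that wires the ad-application module (with the directory reader disabled, as above) into the Configuration and Activity Log integrations for all subscriptions in the tenant, which is what the `--all_subscriptions` CLI run generates. The module sources `lacework/config/azure` and `lacework/activity-log/azure`, their version constraints, the input names `use_existing_ad_application`, `application_id`, `application_password`, `service_principal_id`, `all_subscriptions` and `location`, and the ad-application module's output names are assumptions mapped from the CLI flags on this page; confirm them against the module documentation on the Terraform Registry before applying.

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# Authenticates using the Lacework CLI configuration (~/.lacework.toml),
# as the Requirements section describes.
provider "lacework" {}

# One AD application shared by both integrations. enable_directory_reader
# is the input shown on this page; false means Lacework is never granted the
# Directory Reader role, so users, groups and app registrations are not collected.
module "az_ad_application" {
  source                  = "lacework/ad-application/azure"
  version                 = "~> 1.2"
  enable_directory_reader = false
}

# Configuration (compliance) integration -> appears as AzureCfg in
# `lacework cloud-account list`. Source, version and input names are assumed.
module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 1.0" # assumed

  use_existing_ad_application = true
  application_id              = module.az_ad_application.application_id       # assumed output name
  application_password        = module.az_ad_application.application_password # assumed output name
  service_principal_id        = module.az_ad_application.service_principal_id # assumed output name
  all_subscriptions           = true # equivalent of --all_subscriptions
}

# Activity Log integration -> appears as AzureAlSeq. Creates the resource group,
# storage account, storage queue and Event Grid subscription listed under Resources.
module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 1.0" # assumed

  use_existing_ad_application = true
  application_id              = module.az_ad_application.application_id
  application_password        = module.az_ad_application.application_password
  service_principal_id        = module.az_ad_application.service_principal_id
  all_subscriptions           = true
  location                    = "West US 2" # the default region named under Storage account
}
```

Run `terraform init`, `terraform plan` and `terraform apply` from the directory holding this file, then validate with `lacework cloud-account list` as described in the Validate the Configuration sections: the two integrations should be listed as AzureCfg and AzureAlSeq. Keeping the AD application in its own module block means a later decision to re-enable the directory reader is a one-line change that `terraform plan` shows as an in-place update rather than a replacement of the integrations.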
Deprecated Alternative Procedure for v0.x of the Modules
The deprecated v0.x of the modules use the Azure AD Graph API, which Microsoft has deprecated, and required the following specific API permissions.
Azure AD Application - API Permissions
| API | Permission | Type | Description | Admin Consent RQD |
|---|---|---|---|---|
| Azure Active Directory Graph | Directory.Read.All | Application | Read directory data | Yes |
| Azure Key Vault | user_impersonation | Delegated | Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault. | - |
| Azure Storage | user_impersonation | Delegated | This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader. | - |
| Microsoft Graph | User.Read.All | Application | Read the full profiles for all users | Yes |
Using API permissions, the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform module attempts to automate this process by running the following command via the Azure CLI:
```shell
# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}
```
If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.
| Use Cases | Lacework Feature(s) | Data Source |
|---|---|---|
| Vulnerability Management | Vulnerability Management Dashboard | ACR |
ACR setup using the Lacework Console
Navigate to Docker V2 Registry Integration
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container registries.
- Click + Add New.
- Click Docker V2 Registry.
- Click Next.
- Follow the steps in the next section.
Integrate with a Docker V2 Registry
To integrate a Docker V2 registry with Lacework, follow these steps:
- Configure the registry and complete any optional settings.
- Click Save. The integration status displays Integration Successful only after its first assessment completes.
- If you subscribed to notifications, go to Registry Notification and follow the steps for your registry.
Otherwise, go to Set Up Image Assessment through the API to set up on-demand scans.
Configure Registry
| Setting Name | Description |
|---|---|
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Username | Specify a user that has permissions to pull the images (that will be assessed) from the container registry. NOTE: See Prerequisites for Azure Container Registry (ACR) Integrations for guidance if setting up an ACR integration. |
| Password | Specify the password for the specified user. |
| SSL | Select True if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If you select False, you use an unencrypted communication channel. Known Issue for JFrog: JFrog Cloud integrations must be SSL-enabled due to a known issue. |
| Registry Domain | If you use docker login <Domain>:<Port>, specify the domain as <Domain>:<Port>. If you use docker login <Domain>, specify the domain as: <Domain>. If you use docker login <IP>:<Port> specify the domain as: <IP>:<Port>. |
| Subscribe to Registry Notifications | If the container registry supports notifications, you can optionally select True. |
Optional Settings
| Setting Name | Description |
|---|---|
| Limit Image Tags | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz). |
| Limit Image Labels | If you do not want to assess all images in this registry, specify key pairs so that only images with matching label key pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value. If you specify tag and label limits, they function as an AND. |
| Non-OS Package Support | This feature is enabled by default. Select No if you want to disable scanning of language libraries. |
JFrog Auto Polling Support
Configure JFrog registry integrations as a regular Docker V2 integration when using the platform scanner, but note the following limitations/considerations when configuring for auto polling:
- Only JFrog Artifactory repositories can be configured for auto polling.
- Each Artifactory repository must be configured individually when using the Lacework Platform Scanner. For example, the Registry Domain must be entered using one of the following formats:
  - <my-domain>/artifactory/api/docker/<repository-name>
  - <my-domain>/artifactory/api/docker/<parent-repository-name>/<child-repository-name>
  The Lacework Platform Scanner uses the JFrog Artifactory REST API, which is why this domain format is required.
- Do not include the http(s):// portion in the domain.
- Only the images within the specified repository or child repository will be scanned using this configuration.
- If you want to set up an integration that will scan all repositories and images within a JFrog registry domain, see Integrate Proxy Scanner with JFrog Registry - Auto Polling.
Registry Notification
Lacework can receive notifications that the registry sends in response to events that happen within the registry. When Lacework receives manifest push notifications, Lacework performs an assessment. Lacework ignores pull notifications and media types that are not manifests.
You can subscribe to notifications and perform automatic assessments for the following registries:
- Registries with the same notification format described in https://docs.docker.com/registry/notifications/ - see Add Notification to Docker Registry.
- This includes GitLab On-premises (you can check the GitLab documentation for guidance, but the procedure is outlined in the following sections for Docker registries).
- Azure Container Registry (ACR) - see Add a Webhook to ACR
- JFrog - see Add a Webhook to JFrog
Obtain an Access Token for Registry Notifications
When you create the integration, if you select Subscribe to Registry Notifications, the Lacework Console provides an authorization token (integration token) and a listener URL that you can download.
The authorization token is an integration-specific, long running server token.
The listener URL and token are available on the Container Registry page.
Click the integration name and copy both the listener URL and token from the details pane. These are required when adding notifications or a webhook in the Docker registry.
Each integration can have one token. If the integration unsubscribes from notifications and then subscribes again, Lacework uses the same token.
Add Notification to Docker Registry
To use this procedure, your registry's notification format must be the same as described in https://docs.docker.com/registry/notifications/.
To subscribe to notifications, you must add the registry notification listener URL and authorization token to the notification section of the container registry's config.yml file.
Locate (or add) the notifications section in config.yml, as illustrated in the following example:
```yaml
notifications:
  endpoints:
    - name: lacework_listener
      url: https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/{type}
      headers:
        Authorization: [${lacework_server_token_for_registry_notification}]
      timeout: 120s
      threshold: 10
      backoff: 120s
      ignoredmediatypes:
        - application/octet-stream
      ignore:
        actions:
          - pull
```
For the endpoints structure, provide these required parameter values.
- url - Paste the registry notification listener URL that you copied from the Lacework Console: https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/DockerV2
- headers - Add the following: Authorization: [${lacework_server_token_for_registry_notification}]. Replace [${lacework_server_token_for_registry_notification}] with the authorization token copied from the Lacework Console.
Restart the registry for your changes to take effect.
Add a Webhook to Azure Container Registry (ACR)
To subscribe to notifications, you must add a webhook to the container registry and then add the registry notification listener URL and authorization token to the webhook.
- In Azure, navigate to the container registry where you want to create a webhook.
- Under Services, select Webhooks.
- In the webhook toolbar, click Add.
- Complete the Create webhook form with the following information from Lacework:
  - Webhook name: Lacework_webhook
  - Service URL: Paste the registry notification listener URL that you copied from the Lacework Console: https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/AzureCR
  - Custom headers: Enter the following authorization header required by the API server: Authorization: Bearer [${lacework_server_token_for_registry_notification}]. Replace [${lacework_server_token_for_registry_notification}] with the authorization token copied from the Lacework Console.
  - Actions: push
For additional information, see Microsoft documentation https://docs.microsoft.com/en-us/azure/container-registry/container-registry-webhook.
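Both subscription paths above deliver the same kind of event to the listener: a Docker V2 registry posts a JSON envelope of events with the token as the bare Authorization header value, while ACR posts one event per webhook call with a Bearer header. The following is an added example, not Lacework's listener code, of a receiver that applies the rules this page states in the Registry Notification section: it checks the integration token with a constant-time comparison, keeps only manifest pushes, and drops pull events and non-manifest media types such as application/octet-stream. The sample notifications and the token are constructed; the field names follow the Docker registry notification format linked above, and the set of manifest media types is this example's own choice.

```python
import hmac
import json

# Media types that identify an image manifest (Docker schema 2, manifest list, OCI).
# This set is the example's own assumption of what "manifest" covers.
MANIFEST_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
}


def token_is_valid(headers, expected_token):
    """Check the integration token the registry sends.

    The Docker registry config on this page sends 'Authorization: <token>';
    the ACR webhook sends 'Authorization: Bearer <token>'. Both forms are
    accepted, and the comparison is constant-time so a wrong token cannot be
    distinguished from a nearly-right one by response timing.
    """
    value = headers.get("Authorization", "").strip()
    if value.lower().startswith("bearer "):
        value = value[len("bearer "):].strip()
    return hmac.compare_digest(value.encode(), expected_token.encode())


def manifest_pushes(body):
    """Return (repository, tag, digest) for each manifest push in a notification.

    A Docker V2 registry wraps events in {"events": [...]}; an ACR webhook posts a
    single event object. Pulls and non-manifest media types are ignored, which is
    the behaviour the page describes for the Lacework listener.
    """
    payload = json.loads(body)
    events = payload["events"] if "events" in payload else [payload]
    to_assess = []
    for event in events:
        if event.get("action") != "push":
            continue  # pull (and any other action) never triggers an assessment
        target = event.get("target", {})
        if target.get("mediaType") not in MANIFEST_MEDIA_TYPES:
            continue  # blob uploads arrive as application/octet-stream: not a manifest
        to_assess.append((target.get("repository"), target.get("tag"), target.get("digest")))
    return to_assess


def handle_notification(headers, body, expected_token):
    """What a listener endpoint would do per request: authenticate, then filter."""
    if not token_is_valid(headers, expected_token):
        raise PermissionError("registry notification rejected: bad or missing integration token")
    return manifest_pushes(body)


# Constructed sample data (not captured from a real registry or a real Lacework tenant).
SAMPLE_TOKEN = "constructed-integration-token"

DOCKER_V2_BODY = json.dumps({"events": [
    {"action": "push",
     "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "digest": "sha256:" + "a" * 64, "repository": "team/app", "tag": "1.4.2"}},
    {"action": "push",  # layer blob upload: not a manifest, must be ignored
     "target": {"mediaType": "application/octet-stream",
                "digest": "sha256:" + "b" * 64, "repository": "team/app"}},
    {"action": "pull",  # pull of a manifest: must be ignored
     "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "digest": "sha256:" + "a" * 64, "repository": "team/app", "tag": "1.4.2"}},
]})

ACR_BODY = json.dumps({
    "action": "push",
    "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
               "digest": "sha256:" + "c" * 64, "repository": "team/api", "tag": "latest"},
})

if __name__ == "__main__":
    print(handle_notification({"Authorization": SAMPLE_TOKEN}, DOCKER_V2_BODY, SAMPLE_TOKEN))
    print(handle_notification({"Authorization": "Bearer " + SAMPLE_TOKEN}, ACR_BODY, SAMPLE_TOKEN))
```

Only one image is queued from the three-event Docker envelope (the manifest push), and the ACR event yields one more. Because the token is the only thing authenticating the registry to the listener, treat it like the long-running server token it is: it lives only in config.yml or the ACR webhook definition, and the page notes that re-subscribing reuses the same token, so revoking it means recreating the integration rather than toggling the subscription.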
Set Up Image Assessment through the API
If you did not subscribe to notifications, you can, for example, make an API call each time an image is built so that Lacework assesses it:
POST https://YourLacework.lacework.net/api/v2/Webhooks/ServerTokens/{type}