Get started with CSPM for Azure

Overview

This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.

Requirements

  • CSPM only works in the Default Kibana space. Installing the CSPM integration on a different Kibana space will not work.
  • CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported (request support).
  • To view posture data, you need read privileges for the following Elasticsearch indices:

    • logs-cloud_security_posture.findings_latest-*
    • logs-cloud_security_posture.scores-*
    • logs-cloud_security_posture.findings
  • The user who gives the CSPM integration permissions in Azure must be an Azure subscription admin.
Set up CSPM for Azure

You can set up CSPM for Azure by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless and agent-based. Agentless deployment lets you collect cloud posture data without deploying or managing an agent in your cloud. Agent-based deployment requires you to deploy and manage an agent in the cloud account you want to monitor.

Agentless deployment

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

  1. Find Integrations in the navigation menu or use the global search field.
  2. Search for CSPM, then click on the result.
  3. Click Add Cloud Security Posture Management (CSPM).
  4. Select Azure, then either Azure Organization to onboard your whole organization, or Single Subscription to onboard an individual subscription.
  5. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, dev-azure-account.
  6. Click Advanced options, then select Agentless (BETA).
  7. Next, you’ll need to authenticate to Azure by providing a Client ID, Tenant ID, and Client Secret. To learn how to generate them, refer to Service principal with client secret.
  8. Once you’ve provided the necessary credentials, click Save and continue to finish deployment. Your data should start to appear within a few minutes.
Agent-based deployment

Add your CSPM integration
  1. Find Integrations in the navigation menu or use the global search field.
  2. Search for CSPM, then click on the result.
  3. Click Add Cloud Security Posture Management (CSPM).
  4. Under Configure integration, select Azure, then select either Azure Organization or Single Subscription, depending on which resources you want to monitor.
  5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, azure-CSPM-dev-1.
Set up cloud account access

To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription.

For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below.

ARM template setup (recommended)
  1. Under Setup Access, select ARM Template.
  2. Under Where to add this integration:

    1. Select New Hosts.
    2. Name the Elastic Agent policy. Use a name that matches the resources you want to monitor, for example, azure-dev-policy. Click Save and continue. The ARM Template deployment window appears.
    3. In a new tab, log in to the Azure portal, then return to Kibana and click Launch ARM Template. This will open the ARM template in Azure.
    4. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources.
    5. Copy the Fleet URL and Enrollment Token that appear in Kibana to the corresponding fields in the ARM Template, then click Review + create.
    6. (Optional) Change the Resource Group Name parameter. Otherwise, the name of the resource group defaults to a timestamp prefixed with cloudbeat-.
  3. Return to Kibana and wait for the confirmation of data received from your new integration. Then you can click View Assets to see your data.
Manual setup

For manual setup, multiple authentication methods are available:

  1. Managed identity (recommended)
  2. Service principal with client secret
  3. Service principal with client certificate
Option 1: Managed identity (recommended)

This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing Elastic Agent on it.

  1. Go to the Azure portal to create a new Azure VM.
  2. Follow the setup process, and make sure you enable System assigned managed identity under the Management tab.
  3. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
  4. Go to Access control (IAM), and select Add Role Assignment.
  5. Select the Reader role, assign access to Managed Identity, then select your VM.

After assigning the role:

  1. Return to the Add CSPM page in Kibana.
  2. Under Configure integration, select Azure. Under Setup access, select Manual.
  3. Under Where to add this integration, select New hosts.
  4. Click Save and continue, then follow the instructions to install Elastic Agent on your Azure VM.

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.

Option 2: Service principal with client secret

Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.

  1. On the Add Cloud Security Posture Management (CSPM) integration page, scroll to the Setup access section, then select Manual.
  2. Under Preferred manual method, select Service principal with Client Secret.
  3. Go to the Registered apps section of Microsoft Entra ID.
  4. Click on New Registration, name your app and click Register.
  5. Copy your new app’s Directory (tenant) ID and Application (client) ID. Paste them into the corresponding fields in Kibana.
  6. Return to the Azure portal. Select Certificates & secrets, then go to the Client secrets tab. Click New client secret.
  7. Copy the new secret. Paste it into the corresponding field in Kibana.
  8. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
  9. Go to Access control (IAM) and select Add Role Assignment.
  10. Select the Reader role, assign access to User, group, or service principal, and select your new app.
  11. Return to the Add CSPM page in Kibana.
  12. Under Where to add this integration, select New hosts.
  13. Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
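The Azure side of the service principal setup above (and the Client ID, Tenant ID and Client Secret that the agentless option's step 7 asks for) can be scripted with the Azure CLI. This is an added example, not code from the Elastic documentation; it assumes the `az` CLI is installed and logged in as a subscription admin, and the names and ids in it are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Elastic CSPM docs): create the Reader-only service
# principal whose appId / tenant / password map to the Client ID, Tenant ID and
# Client Secret fields in Kibana. Assumes the Azure CLI ("az") is installed and
# you are logged in (az login) as a subscription admin.
set -eu

# Build the IAM scope string for a single subscription or a whole management group.
# Usage: cspm_scope subscription <subscription-id> | cspm_scope managementgroup <mg-id>
cspm_scope() {
  case "$1" in
    subscription)    printf '/subscriptions/%s\n' "$2" ;;
    managementgroup) printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    *) echo "unknown scope kind: $1" >&2; return 1 ;;
  esac
}

# Create the app registration + service principal and assign ONLY the Reader role at
# the given scope (CSPM needs read access and nothing more). The JSON it prints has
# appId (Client ID), tenant (Tenant ID) and password (Client Secret, shown only once).
# AZ_CMD lets the call be stubbed in tests; it defaults to the real "az" binary.
cspm_create_reader_sp() {
  local name="$1" scope="$2"
  "${AZ_CMD:-az}" ad sp create-for-rbac --name "$name" --role Reader \
    --scopes "$scope" --output json
}

# Afterwards, list the roles the principal holds at that scope so you can confirm
# the only assignment is Reader (a wider role here would be over-privilege).
cspm_list_roles() {
  local app_id="$1" scope="$2"
  "${AZ_CMD:-az}" role assignment list --assignee "$app_id" --scope "$scope" \
    --query '[].roleDefinitionName' --output tsv
}

# Example with placeholder ids: onboarding a management group.
# scope="$(cspm_scope managementgroup my-root-mg)"
# cspm_create_reader_sp cspm-prod "$scope"
```

Paste the `appId`, `tenant` and `password` values from the JSON into the Kibana fields; the secret is not retrievable again, so store it in a secrets manager rather than a shell history.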

Option 3: Service principal with client certificate

Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.

  1. On the Add Cloud Security Posture Management (CSPM) integration page, under Setup access, select Manual.
  2. Under Preferred manual method, select Service principal with client certificate.
  3. Go to the Registered apps section of Microsoft Entra ID.
  4. Click on New Registration, name your app and click Register.
  5. Copy your new app’s Directory (tenant) ID and Application (client) ID. Paste them into the corresponding fields in Kibana.
  6. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
  7. Go to Access control (IAM) and select Add Role Assignment.
  8. Select the Reader role, assign access to User, group, or service principal, and select your new app.

Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate.

Create a pkcs12 certificate, for example:

# Create PEM file
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Create pkcs12 bundle using legacy flag (CLI will ask for export password)
openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem

Create a PEM certificate, for example:

# Generate certificate signing request (csr) and key
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr

# Generate PEM and self-sign with key
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem

# Create bundle
cat cert.key > bundle.pem
cat signed.pem >> bundle.pem
  1. Return to Azure.
  2. Navigate to the Certificates & secrets menu. Select the Certificates tab.
  3. Click Upload certificate.

    1. If you’re using a PEM certificate that was created using the example commands above, upload signed.pem.
    2. If you’re using a pkcs12 certificate that was created using the example commands above, upload cert.pem.
  4. Upload the certificate bundle to the VM where you will deploy Elastic Agent.

    1. If you’re using a PEM certificate that was created using the example commands above, upload bundle.pem.
    2. If you’re using a pkcs12 certificate that was created using the example commands above, upload bundle.p12.
  5. Return to the Add CSPM page in Kibana.
  6. For Client Certificate Path, enter the full path to the certificate that you uploaded to the host where you will install Elastic Agent.
  7. If you used a pkcs12 certificate, enter its password under Client Certificate Password.
  8. Under Where to add this integration, select New hosts.
  9. Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
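Before uploading signed.pem to Entra and bundle.pem to the agent host, it is worth checking that the private key in the bundle really belongs to the certificate you registered and that the certificate is not about to expire; a mismatch only surfaces later as an authentication failure in the agent. This is an added example, not code from the Elastic documentation, and covers the PEM bundle built with the commands above (it assumes openssl is on PATH; the pkcs12 path needs the same -legacy provider and is not covered here).

```shell
#!/usr/bin/env bash
# Added example (not from the Elastic CSPM docs): sanity-check a PEM bundle produced
# by the commands above. Assumes openssl is installed.
set -eu

# Return 0 if the private key in the bundle belongs to the certificate, 1 otherwise.
# Both sides are reduced to their SubjectPublicKeyInfo PEM and compared.
cspm_bundle_key_matches() {
  local bundle="$1" cert="$2" key_pub cert_pub
  key_pub="$(openssl pkey -in "$bundle" -pubout 2>/dev/null)" || return 1
  cert_pub="$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)" || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the certificate stays valid for at least $2 seconds (default 30 days).
cspm_cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run both checks and report; returns non-zero if either fails.
# Usage: cspm_check_pem_bundle bundle.pem signed.pem
cspm_check_pem_bundle() {
  local bundle="$1" cert="$2" ok=0
  if cspm_bundle_key_matches "$bundle" "$cert"; then
    echo "ok: private key in $bundle matches $cert"
  else
    echo "FAIL: private key in $bundle does not match $cert" >&2; ok=1
  fi
  if cspm_cert_not_expiring "$cert"; then
    echo "ok: $cert valid for at least 30 more days"
  else
    echo "FAIL: $cert expires within 30 days (or is unreadable)" >&2; ok=1
  fi
  return "$ok"
}
```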