This article provides prerequisites and onboarding steps for Microsoft Azure Cloud (direct).
Before you start
- Before getting started, make sure you have an Azure Active Directory (AD) admin on hand to grant permissions.
- Enabling Azure Defender is strongly recommended by Expel to monitor Azure infrastructure. Azure Defender can be enabled on a per resource basis or for resource groups. The following Azure Defender services are currently supported by Expel:
- Azure Storage
- Azure KeyVault
- Azure Resource Manager
- Azure App Service
- Azure SQL Service
- Azure Cosmos DB Service
Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
- Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.
- In the navigation pane, select Azure Active Directory.
- Under Manage, select Users.
- Select New guest user.
- On the New user page, click Invite user, fill out the email address (firstname.lastname@example.org), and optionally include a message.
- Under roles, add the role Global Reader role.
- Click Invite to automatically send the invitation to the guest user.
- After you send the invitation, the user account is automatically added to the directory as a guest.
Step 2: Enable Azure Application access
To integrate the technology with Expel, we need to create secure credentials to the API. You have 2 options for enabling API access:
- Option 1: Enable the Expel Azure Integration Enterprise Application within Azure.
- Option 2: Create a custom Azure Active Directory (AD) Application.
Usually, enabling the Enterprise Application is the recommended approach. However, because Enterprise Application supports access for multiple Microsoft integrations (Sentinel, Log Analytics, and so on), it may be the case that the permissions granted to the Enterprise Application are more than the minimum required for the Azure integration specifically.
The second option is offered for cases where the absolute minimum permissions are required. In either case, the table below lists the required items to be obtained during this step:
|Item we need||Description|
|Directory (tenant) ID||Unique identifier for your Azure AD instance. Expel needs this information to route our API requests to the right place.|
|Application (client) ID (Option 2 only)||Unique identifier for the application you create that grants Expel the access it needs to your Azure instance.|
|Application (client) Secret (Option 2 only)||API secret that allows Expel to authenticate as the created application to your Azure instance.|
Option 1: Enable Azure Enterprise Application
- As an Administrator, navigate to the Expel Admin Consent Page.
- Review and accept requested permissions.
- The Expel Azure Integration app now appears under Enterprise Applications. Review properties and make sure that all permissions are properly granted.
Option 2: Create Custom Azure AD Application
- As an Azure administrator, log in to the Azure Portal.
- Navigate to Azure Active Directory > App registrations and click +New registration.
- Fill in the application details. You can fill these in however you want, but we recommend the following:
- Name: Expel Cloud Service.
- Supported account types: Accounts in this organizational directory only (first option).
Step 3: Enable roles within Azure subscriptions
Some event sources within Azure require Role-Based Access (RBAC) roles to be granted to the Azure AD Application within each Azure subscription. One of these RBAC roles granted to our Azure AD Application should also be granted to the Expel user created in Step 1 to allow Expel to investigate further into any alerts.
- Navigate to Subscriptions in the main Azure service menu by searching Subscriptions.
- Select the subscription(s) Expel will monitor. This step is a requirement or Expel cannot poll any logs. Repeat the steps below for each subscription.
- Add the below roles by clicking Access Control (IAM) > +Add > Add role assignment, assigning access to Azure AD user, group or application, and selecting the Expel Azure Integration enterprise app or Expel Cloud Service app that was created earlier.
- Log Analytics Reader
- Repeat the above step and assign Log Analytic Reader role to Azure AD user: email@example.com.
Step 4: Enable Azure Resource Logs
The Expel Azure Integration monitors alerts and logs across a variety of Azure resources. Some of these alerts and logs are accessible by default, but some must be enabled for Expel to monitor that particular resource.
The following Azure resources require user configuration to be monitored. Note that not all Azure deployments use these resources and enabling logging within the resources only widens the Expel default monitoring capabilities for Azure.
Create a Resource Log Storage Account
The Expel integration collects resource logs from an Azure Storage Account. This section outlines how to create that storage account and provide access to Expel.
- Create a V2 Storage account.
- Add the below role by clicking Access Control (IAM) > +Add > Add role assignment, assigning access to Azure AD user, group or application, and selecting the Expel Azure Integration enterprise app or Expel Cloud Service app that was created earlier
- Storage Blob Data Reader
- Storage Blob Data Reader
- Click Save.
- Storage accounts can have Network Access Control Lists (ACLs) set that limit which IP addresses can access those accounts. Expel has six egress IP addresses that can be allowed. All requests to storage accounts come from 1 of 6 IP addresses. We’ve designed this so it can scale significantly without us having to add new IP addresses to the list.
Azure also provides a way to allow for logs to be read from these types of accounts without having to enable access or change existing Network ACLs. Navigate to Networking from the menu and click Firewalls and virtual networks.
- If Allow access from is set to Selected networks, select the Allow read access to storage logging from any network to allow access to logs. Note: The access to these logs is still managed through RBAC roles.
Enable Azure Storage Logs
Azure Storage logs give Expel context around Azure user activity to help us to determine whether that activity is malicious. If you’re unsure of whether to enable logging for storage accounts, work with your Expel Engagement Manager to help determine what approach is best for you.
- Navigate to the Storage Account view within the Azure portal. The following steps must be done for each Storage Account.
- Select Diagnostic settings (Preview) menu.
- For each storage type: Blob, File, Queue, and Table, click Add diagnostic setting.
- For the log category, select StorageRead, StorageWrite, StorageDelete, and archive to the storage account created in previous steps.
- Click Save.
- Repeat steps 2-5 for each storage account that Expel must monitor.
Enable Azure Storage Logs - Classic
If you are using Classic deployment, use the following steps to enable Classic storage account logging.
- Navigate to the Storage Account view within the Azure portal. The following steps must be done for each Classic Storage Account:
- Select Diagnostics settings (classic) menu.
- Turn Status to On if not already set. Ensure each operation is checked under Logging section for each tab: Blob, File, Queue, and Table properties.
- Click Save.
- Assign the Expel Enterprise Application the Storage Blob Data Reader role for each Classic Storage Account that is going to be monitored. Access Control (IAM) > +Add > Add role assignment, see beginning of Step 4 for details.
Step 5: Configure Azure in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate Azure with Expel.
- In a new browser tab, log into https://workbench.expel.io/settings/security-devices?setupIntegration=azure.
- Complete all fields using the credentials and information you collected in Option 1 or Option 2.
What to put in it
Select Expel Cloud Service.
The name you assign the security device.
Directory (tenant) ID
Azure AD Directory/Tenant ID.
Application (client) ID (Option 2 only)
The Azure Application (Client) ID that we saved in Option 2.
Application (client) Secret (Option 2 only)
The Client Secret that we saved in Option 2.
Use storage account contributor role (Y/N)
Leave this blank - this field is only used to support legacy onboarding.
- Click Save.
After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.