Expel's Azure Kubernetes Service (AKS) offering consumes audit logs from the Azure platform via Azure Log Analytics (also known as Azure Monitor). Additionally, via a read-only Azure role, Expel can communicate with AKS clusters. This visibility allows Expel to identify activity of interest in AKS, investigate it, and notify organizations when action is recommended.


Step-1: Create a Storage Account for AKS Logs

The steps below outline creating a storage account for AKS logs. Expel integrates with this storage bucket to consume logs.

  1. Log in to the Azure Portal.

  2. Navigate to the Storage accounts page.

  3. Select Create storage account.

  4. Assign the storage account to a subscription and resource group, and then name it.

  5. Keep all other settings as default.

    Optionally, on the Networking tab, you can restrict network access to Expel’s egress IPs:

    • 34.75.13.114

    • 34.75.152.7

    • 35.243.190.98

    • 104.196.158.205

    • 34.75.81.28

    • 34.75.210.18

  6. After you finish, review your settings and create the storage account.

  7. Navigate to Lifecycle Management, and then select Add a rule.

  8. On the Details tab, select the following settings:
    • In the Rule scope section, select Apply rule to all blobs in your storage account.
    • In the Blob type section, select Append blobs.
    • In the Blob subtype section, select Base blobs.
  9. Select Next.
  10. On the Base blobs tab, select the following settings:
    • In the Base blobs were section, select Last modified.
    • In the More than (days ago) field, enter 7.

      Optionally, you can extend this time period.

  11. Select ​Add​​.

Step-2: Configure Kubernetes Logging

The steps below outline enabling the required audit logging for onboarding AKS with Expel Workbench.

  1. Log in to the Azure Portal.

  2. Navigate to the Kubernetes service page.

  3. Select your Kubernetes cluster, and then navigate to Diagnostic settings.

  4. Select Add diagnostic setting to begin configuring audit logging for the cluster.

  5. Complete the Diagnostic setting form:

    • In the Logs section, select Kubernetes Audit.

    • In the Destination details section, select Archive to a storage account, and then choose the Storage account you created in Step 1.

    Note

    Additional diagnostic logs can optionally be enabled, but are not used by Expel for security monitoring and can incur additional Azure cost.

  6. Select Save.
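As an added example (not Expel's code or documentation), the following Azure CLI script performs Steps 1 and 2 non-interactively: it creates the storage account with its firewall restricted to the Expel egress IPs listed in Step 1, attaches the 7-day lifecycle rule for base append blobs, and enables the Kubernetes audit diagnostic category on the cluster, archived to that storage account. The subscription, resource group, storage account and cluster names are placeholders you must replace. It assumes that kube-audit is the CLI category name behind the portal's Kubernetes Audit log and that the AzureServices firewall bypass is what lets Azure Monitor keep writing to an account whose default network action is Deny; both are assumptions to confirm in your tenant.

```shell
#!/bin/sh
# Added example, not Expel's code. All names below are placeholders.
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription id
RG="${RG:-rg-expel-aks-logs}"          # assumed resource group for the storage account
STORAGE="${STORAGE:-stexpelakslogs}"   # assumed storage account name (3-24 lowercase alphanumerics)
LOCATION="${LOCATION:-eastus}"
AKS_NAME="${AKS_NAME:-aks-prod}"       # assumed cluster name
AKS_RG="${AKS_RG:-rg-aks-prod}"        # assumed cluster resource group

# Expel egress IPs as listed in Step 1 of the page.
EXPEL_EGRESS_IPS="34.75.13.114 34.75.152.7 35.243.190.98 104.196.158.205 34.75.81.28 34.75.210.18"

# Lifecycle rule from Step 1 (items 7-11): delete base append blobs whose last
# modification is more than N days ago. Emits the JSON document that
# `az storage account management-policy create --policy` accepts.
lifecycle_policy_json() {
  days="${1:-7}"
  cat <<EOF
{
  "rules": [
    {
      "enabled": true,
      "name": "expel-aks-log-retention",
      "type": "Lifecycle",
      "definition": {
        "filters": { "blobTypes": [ "appendBlob" ] },
        "actions": {
          "baseBlob": { "delete": { "daysAfterModificationGreaterThan": $days } }
        }
      }
    }
  ]
}
EOF
}

apply() {
  az account set --subscription "$SUBSCRIPTION"

  # Step 1: storage account, public blob access off, firewall default Deny.
  # --bypass AzureServices keeps the trusted-services exception so diagnostic
  # settings (Azure Monitor) can still write here (assumption, see lead-in).
  az storage account create --name "$STORAGE" --resource-group "$RG" --location "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 --min-tls-version TLS1_2 \
    --allow-blob-public-access false --default-action Deny --bypass AzureServices

  # Optional network restriction from Step 1, item 5.
  for ip in $EXPEL_EGRESS_IPS; do
    az storage account network-rule add --account-name "$STORAGE" --resource-group "$RG" --ip-address "$ip"
  done

  # Lifecycle management rule (Step 1, items 7-11).
  lifecycle_policy_json 7 > /tmp/expel-lifecycle.json
  az storage account management-policy create --account-name "$STORAGE" --resource-group "$RG" \
    --policy @/tmp/expel-lifecycle.json

  # Step 2: archive only the Kubernetes audit category to the storage account.
  aks_id=$(az aks show --name "$AKS_NAME" --resource-group "$AKS_RG" --query id -o tsv)
  storage_id=$(az storage account show --name "$STORAGE" --resource-group "$RG" --query id -o tsv)
  az monitor diagnostic-settings create --name expel-kube-audit --resource "$aks_id" \
    --storage-account "$storage_id" \
    --logs '[{"category": "kube-audit", "enabled": true}]'
}

# Nothing is changed unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `sh expel-aks-logs.sh --apply` after exporting the variables for your environment; without `--apply` it only defines the functions, so `lifecycle_policy_json 30` can be used on its own to print a longer-retention rule for review before anything is created.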

Step-3: Create Microsoft Entra ID Application Registration

The steps below outline how to grant Expel access to Kubernetes audit log data in Azure Log Analytics for onboarding with Workbench.

  1. Log in to the Azure Portal.

  2. Navigate to Microsoft Entra ID.

  3. Navigate to App registrations, and then select New registration.


  4. Give the application a meaningful name.

  5. In the Supported account types section, keep the default selection.
  6. Select Register.
  7. Copy the Application (client) ID and Directory (tenant) ID for later.

  8. Navigate to API permissions, and then select Add a permission.

  9. Select APIs my organization uses, and then search for and select Log Analytics API.

  10. On the Request API permissions panel, do the following:

    • Select Application permissions.
    • Select the Data.Read checkbox.
    • Select Add permissions.
  11. Navigate to Certificates & secrets, and then select New client secret.

  12. On the Add a client secret panel, do the following:

    • Add a description for the secret.
    • Choose the expiration date.
    • Select Add.
  13. Copy the secret value after it’s created.
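As an added example (not Expel's code or documentation), this Azure CLI script performs Step 3: it registers the application, grants it the Log Analytics API Data.Read application permission, and creates a client secret. The application display name and the secret lifetime are assumptions. Rather than hard-coding GUIDs, it looks up the Log Analytics API service principal by display name and reads the Data.Read role id from it; application permissions only take effect after admin consent, so the script grants that too, which requires an administrator account. The is_guid check is a small guard for the two IDs you will paste into Workbench in Step 6.

```shell
#!/bin/sh
# Added example, not Expel's code. Names below are placeholders.
APP_NAME="${APP_NAME:-expel-aks-monitoring}"   # assumed application display name
SECRET_YEARS="${SECRET_YEARS:-1}"              # assumed secret lifetime

# Application (client) IDs and Directory (tenant) IDs are GUIDs. Returns 0
# when the argument has that shape, so a truncated copy/paste is caught early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints the values Step 6 asks for (secret deliberately not echoed) and
# fails if either id is malformed.
workbench_values() {
  app_id="$1"; tenant_id="$2"
  is_guid "$app_id" || { echo "bad Application (client) ID: $app_id" >&2; return 1; }
  is_guid "$tenant_id" || { echo "bad Directory (tenant) ID: $tenant_id" >&2; return 1; }
  printf 'Application (client) ID: %s\nDirectory (tenant) ID:   %s\n' "$app_id" "$tenant_id"
}

apply() {
  # Items 3-7: register the app (single-tenant, the default) and create its
  # service principal so roles can be assigned to it in Step 5.
  app_id=$(az ad app create --display-name "$APP_NAME" --sign-in-audience AzureADMyOrg \
    --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  tenant_id=$(az account show --query tenantId -o tsv)

  # Items 8-10: Log Analytics API -> Application permissions -> Data.Read.
  api_app_id=$(az ad sp list --display-name "Log Analytics API" --query "[0].appId" -o tsv)
  role_id=$(az ad sp show --id "$api_app_id" \
    --query "appRoles[?value=='Data.Read'].id | [0]" -o tsv)
  az ad app permission add --id "$app_id" --api "$api_app_id" --api-permissions "$role_id=Role"
  az ad app permission admin-consent --id "$app_id"

  # Items 11-13: client secret. The value is only shown once, as in the portal;
  # store it in your secret manager, not in shell history or a ticket.
  secret=$(az ad app credential reset --id "$app_id" --years "$SECRET_YEARS" \
    --query password -o tsv)

  workbench_values "$app_id" "$tenant_id"
  printf 'Application secret:      %s\n' "$secret"
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

When run with `--apply`, the last three lines of output are exactly the three Step 3 values Workbench asks for in Step 6; the expiration you would otherwise pick in the portal is set with SECRET_YEARS, and the secret should be rotated before that date.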

Step-4: Create a Custom Azure Role for Expel

Note

Expel requires a custom Azure IAM role to grant fine-grained read-only access to AKS clusters. This access is used in security alert investigations and proactive risk management. The custom role requires the cluster's authentication and authorization setting to be Azure AD authentication with Azure RBAC. Clusters configured to use Kubernetes RBAC are not currently supported for proactive risk management and have limited investigative support.

  1. Navigate to Subscriptions, and then select the subscription to monitor.

  2. Navigate to Access control (IAM), and then select Add > Add custom role.

  3. On the Create a custom role screen, do the following:

    • Give your role a meaningful name and description.
    • In the Baseline permissions section, select Start from JSON, and then upload the ExpelAKSRole.json file.

      The JSON file preloads Expel’s required permissions for the role.

  4. On the Permissions tab, review the permissions for the custom role. You should see five permissions of type Action followed by a list of DataAction permissions.

  5. On the Assignable scopes tab, add every scope at which this role should be assignable: for example, any subscriptions or management groups that contain AKS clusters Expel monitors.

  6. On the Review + create tab, select Create.

Step-5: Add Role Assignments

Step 5a: Grant Required Permissions for Each Monitored Subscription

For each Azure subscription with AKS clusters to be monitored, add:

  • The Log Analytics Reader role, which allows Expel to query log data ad hoc during investigations.

  • The custom Expel AKS Role you created in Step 4.

Do the following steps for each subscription:

  1. Navigate to Subscriptions, and then select the subscription to monitor.

  2. Select Access control (IAM), and then select the Role assignments tab.

  3. Select Add > Add role assignment.

  4. Assign the role to User, group or application, and then select the Expel application registration that you created in Step 3.

  5. Assign the following roles:

    • Log Analytics Reader
    • Expel AKS Role, created in Step 4.

Step 5b: Grant Access to the Storage Blob

To grant Expel access to the storage blob containing AKS logs, create an additional role assignment.

  1. Still in Subscriptions, select Access control (IAM), and then select the Role assignments tab.

  2. Select Add > Add role assignment.

  3. Select the Storage Blob Data Reader role.

  4. Assign the role to the Expel application created in Step 3.

  5. On the Conditions (optional) tab, create a new condition that allows All read operations when the resource (the storage account) name equals the storage account created earlier.

    This ensures Expel can only read from that specific storage account.

    See the following example for details.

  6. On the Review + assign tab, select Review + assign.
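As an added example (not Expel's code or documentation), this Azure CLI script covers Steps 4 and 5: it creates the custom role from the ExpelAKSRole.json file, assigns Log Analytics Reader and the custom role to the Expel application at subscription scope, and assigns Storage Blob Data Reader with an ABAC condition restricting it to the one storage account. The subscription id, storage account name, application name and role name are placeholders. The page does not list the role's permissions, so the script does not either; instead role_is_read_only is a review gate for Step 4, item 4, that refuses a role file containing /write, /delete or wildcard permissions. The condition is an assumption on two points: it uses the storage account name resource attribute, and it scopes the single blob-read data action rather than every action the portal's All read operations choice covers, so compare it with the condition the portal generates before relying on it. Creating a role from a file also requires that file's AssignableScopes to already list the subscription, which the portal handles on the Assignable scopes tab.

```shell
#!/bin/sh
# Added example, not Expel's code. Names below are placeholders.
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription id
STORAGE="${STORAGE:-stexpelakslogs}"          # assumed storage account name from Step 1
APP_NAME="${APP_NAME:-expel-aks-monitoring}"  # assumed app registration name from Step 3
ROLE_FILE="${ROLE_FILE:-ExpelAKSRole.json}"   # file supplied by Expel (Step 4)
ROLE_NAME="${ROLE_NAME:-Expel AKS Role}"      # assumed: the Name field inside that file

# Review gate for Step 4: returns 0 only if no permission string in the role
# file ends in /write or /delete or is a wildcard. Dependency-free (no jq):
# every quoted JSON string is extracted and tested; keys never match.
role_is_read_only() {
  if grep -Eo '"[^"]+"' "$1" | tr -d '"' | grep -Eq '^(\*|.*/\*|.*/write|.*/delete)$'; then
    return 1
  fi
  return 0
}

# ABAC condition for Step 5b: blob reads are allowed only when the storage
# account name matches. Pattern: "not this action, OR the attribute matches".
# Assumption: single blob-read data action; see lead-in.
blob_read_condition() {
  printf "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts:name] StringEquals '%s'))" "$1"
}

assign() {
  # $1 = service principal object id, $2 = role name, rest = extra flags
  sp_oid="$1"; role="$2"; shift 2
  az role assignment create --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "/subscriptions/$SUBSCRIPTION" "$@"
}

apply() {
  role_is_read_only "$ROLE_FILE" || {
    echo "refusing: $ROLE_FILE grants non-read permissions; review it first" >&2
    return 1
  }
  az account set --subscription "$SUBSCRIPTION"

  # Step 4: the file must already carry AssignableScopes for this subscription.
  az role definition create --role-definition "@$ROLE_FILE" >/dev/null

  # Object id of the service principal behind the Step 3 app registration.
  sp_oid=$(az ad sp list --display-name "$APP_NAME" --query "[0].id" -o tsv)

  # Step 5a: Log Analytics Reader plus the custom role.
  assign "$sp_oid" "Log Analytics Reader"
  assign "$sp_oid" "$ROLE_NAME"

  # Step 5b: Storage Blob Data Reader, conditioned on the one storage account.
  assign "$sp_oid" "Storage Blob Data Reader" \
    --condition "$(blob_read_condition "$STORAGE")" --condition-version "2.0"
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Before running with `--apply`, `role_is_read_only ExpelAKSRole.json && echo ok` reproduces the Step 4 review from the command line, and `blob_read_condition stexpelakslogs` prints the condition so it can be compared with what the portal builds in Step 5b.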


Step-6: Configure the Technology in Workbench

The following steps explain how to finish onboarding AKS in Expel Workbench.

  1. Log in to Workbench.

  2. Navigate to Organization Settings > Security Devices.

  3. Select Add security device.

  4. Search for and select Azure Kubernetes Service.

  5. Name the device, provide a description, and then complete the following fields:

    • Application (client) ID - provide the client ID you copied in Step 3.
    • Directory (tenant) ID - provide the tenant ID you copied in Step 3.
    • Application secret - provide the secret you copied in Step 3.
    • Storage account name - provide the storage account name you copied in Step 1.
  6. Select Save.