Get started with CSPM for Azure
Overview
This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.
Set up CSPM for Azure
To set up CSPM for Azure, first add the CSPM integration, then enable cloud account access.
Add your CSPM integration
- From the Elastic Security Get started page, click Add integrations.
- Search for CSPM, then click on the result.
- Click Add Cloud Security Posture Management (CSPM).
- Under Configure integration, select Azure.
- Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, azure-CSPM-1.
Set up cloud account access
To set up CSPM for an Azure subscription, you will need admin privileges for that subscription.
For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below.
ARM template setup (recommended)
- Under Setup Access, select ARM Template.
- Under Where to add this integration:
  - Select New Hosts.
  - Name the Elastic Agent policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, azure-dev-policy. Click Save and continue. The ARM Template deployment window appears.
- In a new tab, log in to the Azure portal, then return to Kibana and click Launch ARM Template. This will open the ARM template in Azure.
- (Optional) Change the Resource Group Name parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with cloudbeat-.
- Copy the Fleet URL and Enrollment Token that appear in Kibana to the corresponding fields in the ARM Template, then click Review + create.
- Return to Kibana and wait for the confirmation of data received from your new integration. Then you can click View Assets to see your data.
Manual setup
For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. The first method requires you to deploy Elastic Agent to a VM in the Azure subscription you want to monitor with CSPM; the second method allows Elastic Agent to be deployed anywhere, including a VM outside Azure or a personal laptop.
Option 1: Managed identity (recommended)
This method involves creating an Azure VM (or using an existing one), giving it read access to the subscription you want to monitor with CSPM, and installing Elastic Agent on it.
- Go to the Azure portal to create a new Azure VM.
- Follow the setup process, and make sure you enable System assigned managed identity under the Management tab.
- Go to your Azure subscription list and select the subscription you want to monitor with CSPM.
- Go to Access control (IAM), and select Add Role Assignment.
- Select the Reader function role, assign access to Managed Identity, then select your VM.
After assigning the role:
- Return to the Add CSPM page in Kibana.
- Under Configure integration, select Azure. Under Setup access, select Manual.
- Under Where to add this integration, select New hosts.
- Click Save and continue, then follow the instructions to install Elastic Agent on your Azure VM.
Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
Option 2: Environment variables with authentication secrets
Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.
- Go to the Registered apps section of Microsoft Entra ID.
- Click on New Registration, name your app and click Register.
- Copy your new app’s Directory (tenant) ID and Application (client) ID.
- Select Certificates & secrets, then select New client secret. Copy the new secret.
- Go to your Azure subscription list and select the subscription you want to monitor with CSPM.
- Go to Access control (IAM) and select Add Role Assignment.
- Select the Reader function role, assign access to User, group, or service principal, and select your new app.
On the VM where you plan to install Elastic Agent, create the file /etc/sysconfig/elastic-agent. Paste the following content into the new file, substituting the values you copied for the placeholder values:

    AZURE_TENANT_ID=<Directory (tenant) ID>
    AZURE_CLIENT_ID=<Application (client) ID>
    AZURE_CLIENT_SECRET=<Secret Value>

After creating the file:
- Return to the Add CSPM page in Kibana.
- Under Configure integration, select Azure. Under Setup access, select Manual.
- Under Where to add this integration, select New hosts.
- Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.
If you created /etc/sysconfig/elastic-agent after installing Elastic Agent, you might need to restart it with the following commands:

    systemctl daemon-reload
    systemctl restart elastic-agent

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
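
The /etc/sysconfig/elastic-agent file from Option 2 holds a long-lived client secret, so it is worth creating it with owner-only permissions and checking it before restarting the agent. The following is an added example, not part of the Elastic documentation; the function names and the optional file-path argument are assumptions, and treating `<` or `>` in the secret as a leftover placeholder is a heuristic.

```shell
#!/bin/sh
# Added example: write and verify the Option 2 environment file.
# The default path is the one given on this page; pass another path to try it safely.

# Directory (tenant) ID and Application (client) ID are GUIDs.
GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# write_agent_env TENANT_ID CLIENT_ID CLIENT_SECRET [FILE]
write_agent_env() {
    file=${4:-/etc/sysconfig/elastic-agent}
    # Reject typos and placeholders that were pasted without being replaced.
    printf '%s\n' "$1" | grep -Eq "$GUID_RE" || { echo "bad tenant ID" >&2; return 1; }
    printf '%s\n' "$2" | grep -Eq "$GUID_RE" || { echo "bad client ID" >&2; return 1; }
    case $3 in ''|*'<'*|*'>'*) echo "bad client secret" >&2; return 1 ;; esac
    # Write to a private temp file first, then rename, so the secret
    # never exists on disk with group or world access.
    ( umask 077
      tmp=$(mktemp "$file.XXXXXX") &&
      printf 'AZURE_TENANT_ID=%s\nAZURE_CLIENT_ID=%s\nAZURE_CLIENT_SECRET=%s\n' \
          "$1" "$2" "$3" > "$tmp" &&
      mv "$tmp" "$file" )
}

# check_agent_env [FILE]: succeed only if the file is complete and private.
check_agent_env() {
    file=${1:-/etc/sysconfig/elastic-agent}
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        { echo "$file: accessible by group or others" >&2; return 1; }
    for key in AZURE_TENANT_ID AZURE_CLIENT_ID; do
        sed -n "s/^$key=//p" "$file" | grep -Eq "$GUID_RE" ||
            { echo "$file: $key is not a GUID" >&2; return 1; }
    done
    grep -Eq '^AZURE_CLIENT_SECRET=[^<>]+$' "$file" ||
        { echo "$file: AZURE_CLIENT_SECRET missing or placeholder" >&2; return 1; }
}

# Usage (as root), with the values copied from the Entra app registration:
#   write_agent_env "$TENANT_ID" "$CLIENT_ID" "$CLIENT_SECRET" && check_agent_env
```

Run `check_agent_env` again after any manual edit to the file, since an editor or a copy can reset its mode.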