Get started with CSPM for Azure

Overview

This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.

Set up CSPM for Azure

To set up CSPM for Azure, first add the CSPM integration, then enable cloud account access.

Add your CSPM integration
  1. From the Elastic Security Get started page, click Add integrations.
  2. Search for CSPM, then click on the result.
  3. Click Add Cloud Security Posture Management (CSPM).
  4. Under Configure integration, select Azure.
  5. Give your integration a name that matches the purpose or team of the Azure subscription you want to monitor, for example, azure-CSPM-1.

Set up cloud account access

To set up CSPM for an Azure subscription, you will need admin privileges for that subscription.

For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below.

ARM template setup (recommended)

  1. Under Setup Access, select ARM Template.
  2. Under Where to add this integration:

    1. Select New Hosts.
    2. Name the Elastic Agent policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, azure-dev-policy. Click Save and continue. The ARM Template deployment window appears.
    3. In a new tab, log in to the Azure portal, then return to Kibana and click Launch ARM Template. This will open the ARM template in Azure.
    4. (Optional) Change the Resource Group Name parameter. Otherwise the name of the resource group defaults to a timestamp prefixed with cloudbeat-.
    5. Copy the Fleet URL and Enrollment Token that appear in Kibana to the corresponding fields in the ARM Template, then click Review + create.
  3. Return to Kibana and wait for the confirmation of data received from your new integration. Then you can click View Assets to see your data.

Manual setup

For manual setup, there are two authentication methods: using managed identities (recommended), or using environment variables with authentication secrets. The first method requires you to deploy Elastic Agent to a VM in the Azure subscription you want to monitor with CSPM; the second method allows Elastic Agent to be deployed anywhere, including a VM outside Azure or a personal laptop.

Option 1: Managed identity (recommended)
This method involves creating an Azure VM (or using an existing one), giving it read access to the subscription you want to monitor with CSPM, and installing Elastic Agent on it.

  1. Go to the Azure portal to create a new Azure VM.
  2. Follow the setup process, and make sure you enable System assigned managed identity under the Management tab.
  3. Go to your Azure subscription list and select the subscription you want to monitor with CSPM.
  4. Go to Access control (IAM), and select Add Role Assignment.
  5. Select the Reader role, assign access to Managed identity, then select your VM.

After assigning the role:

  1. Return to the Add CSPM page in Kibana.
  2. Under Configure integration, select Azure. Under Setup access, select Manual.
  3. Under Where to add this integration, select New hosts.
  4. Click Save and continue, then follow the instructions to install Elastic Agent on your Azure VM.

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.

Option 2: Environment variables with authentication secrets
Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.

  1. Go to the Registered apps section of Microsoft Entra ID.
  2. Click on New Registration, name your app and click Register.
  3. Copy your new app’s Directory (tenant) ID and Application (client) ID.
  4. Select Certificates & secrets, then select New client secret. Copy the new secret.
  5. Go to your Azure subscription list and select the subscription you want to monitor with CSPM.
  6. Go to Access control (IAM) and select Add Role Assignment.
  7. Select the Reader role, assign access to User, group, or service principal, and select your new app.

On the VM where you plan to install Elastic Agent, create the file /etc/sysconfig/elastic-agent. Paste the following content into the new file, substituting the values you copied for the placeholder values:

AZURE_TENANT_ID=<Directory (tenant) ID>
AZURE_CLIENT_ID=<Application (client) ID>
AZURE_CLIENT_SECRET=<Secret Value>
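Because this file holds a long-lived client secret in plaintext, it should be created readable only by its owner and checked for placeholder values before Elastic Agent reads it. The following POSIX shell helpers are an added example, not part of the Elastic documentation; the function names, the temporary-file approach and the sample GUIDs are assumptions of this example.

```shell
#!/bin/sh
# Added example: write /etc/sysconfig/elastic-agent (or any path) with the
# three Azure variables, owner-only readable, refusing placeholder values.
# Usage: write_azure_env_file <path> <tenant_id> <client_id> <client_secret>
write_azure_env_file() {
  path=$1; tenant=$2; client=$3; secret=$4
  for v in "$tenant" "$client" "$secret"; do
    # reject empty values and "<...>" placeholders left over from the docs
    case "$v" in
      ""|*"<"*|*">"*) echo "refusing empty or placeholder value" >&2; return 1 ;;
    esac
  done
  tmp="$path.tmp.$$"
  # subshell so the restrictive umask does not leak into the caller;
  # the file is created with mode 600 before any secret is written to it
  ( umask 077 && printf 'AZURE_TENANT_ID=%s\nAZURE_CLIENT_ID=%s\nAZURE_CLIENT_SECRET=%s\n' \
      "$tenant" "$client" "$secret" > "$tmp" ) || return 1
  chmod 600 "$tmp" && mv "$tmp" "$path"
}

# Verify an existing file: all three keys present, no placeholders,
# and no group/other read permission. Returns non-zero on any failure.
check_azure_env_file() {
  path=$1
  for key in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    grep -q "^$key=[^<>]\{1,\}$" "$path" || { echo "missing or placeholder: $key" >&2; return 1; }
  done
  # columns 5-10 of ls -l are the group and other permission bits
  case "$(ls -l "$path" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "$path is readable by group or others" >&2; return 1 ;;
  esac
}
```

Run check_azure_env_file against /etc/sysconfig/elastic-agent after installing Elastic Agent as root; a non-zero exit means the agent would either start with placeholder credentials or expose the secret to other local users.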

After creating the file:

  1. Return to the Add CSPM page in Kibana.
  2. Under Configure integration, select Azure. Under Setup access, select Manual.
  3. Under Where to add this integration, select New hosts.
  4. Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.

If you created /etc/sysconfig/elastic-agent after installing Elastic Agent, you might need to restart it with the following commands:

systemctl daemon-reload
systemctl restart elastic-agent

Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.