Attack Surface Analyzer for Azure Cloud
With the Attack Surface Analyzer, you can spot threats within your Azure cloud and enhance cloud security.
Listed below are the services tracked by the Attack Surface Analyzer for Azure:
- Azure Compute
- Azure Networking
- Azure Storage
- Azure Web
- Azure Monitor
- Azure Integration
- Azure Database
- Azure Security
- Azure Container
- Azure Recovery Service
Prerequisites
For the Attack Surface Analyzer to function, the ADAudit Plus server needs a working internet connection, and outbound HTTPS (TCP port 443) from the ADAudit Plus server to the Azure endpoints must be allowed through any firewall or proxy in between.
There are two scenarios when configuring your Azure cloud for attack surface analysis:
- Syncing an existing Entra ID tenant configured in ADAudit Plus
- Configuring a new Azure cloud for attack surface analysis
Sync an existing Entra ID (formerly Azure AD) tenant
If you want to use an Entra ID tenant that is already configured for auditing in ADAudit Plus for attack surface analysis, you need to assign additional permissions to the application that was registered for auditing. The same application and client ID are reused; only a client secret, the subscription ID, and the role assignments below are added.
Retrieve the registered application's name and client ID from ADAudit Plus
- Log in to the ADAudit Plus web console.
- Navigate to the Cloud Directory tab > Auditing > Configuration > Cloud Directory.
- Click the Modify option for the cloud directory that you want to configure for attack surface analysis.
- From the Cloud Directory pop-up, copy the Client ID.
Retrieve the client secret and subscription ID from the Azure portal
- Log in to the Azure portal.
- Paste the client ID in the search box to find the registered application associated with this client ID, and note down the application's display name.
- Select the application and go to Manage > Certificates & secrets > New client secret.
- In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and then click Add.
- Copy the Value as this will be needed when configuring the Azure cloud in ADAudit Plus. The value is shown only once; if you navigate away without copying it, you must create a new secret. Record the expiry date, because the Attack Surface Analyzer stops working when the secret expires and you will then need to generate a new one and update it in ADAudit Plus.
- In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID as this will be required when configuring the Azure cloud in the Attack Surface Analyzer.
Assign required permissions
- Log in to the Azure portal.
- Navigate to Subscriptions and select the subscription you want to configure in ADAudit Plus.
- From the left menu, go to Access control (IAM) > + Add > Add role assignment.
- In the Role tab, search for and select the Reader role and click Next.
- In the Members tab, click + Select Members, search for the name of the application that you noted down in step two of the previous section, click Select, and then click Review + Assign.
- Repeat steps three to five for the Storage Account Contributor role.
- If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, then navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and based on the permission model you have selected, follow the steps below:
- If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps three to five. Note that Key Vault Contributor is a management-plane role; in Microsoft's role definition it does not by itself grant access to the keys, secrets, and certificates stored in the vault. If the Key Vault checks return no items, also assign a data-plane read role such as Key Vault Reader at the vault scope.
- If you have selected Vault Access Policy, click Go to access policies, and then click Create. Under Key permissions, Secret permissions, and Certificate permissions, select the check box next to List and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.
Note: If you have multiple subscriptions, repeat the steps for each of them.
Add the existing Entra ID (formerly Azure AD) tenant in the Attack Surface Analyzer
You can add your Entra ID tenant for attack surface analysis either automatically or manually.
Automatic configuration
Once the required permissions are assigned, your Entra ID tenant is enabled for attack surface analysis automatically by a sync process that runs daily at 12 a.m. (server time).
Manual configuration
If you want to configure the Entra ID tenant manually for attack surface analysis, proceed with the steps under Add the existing Entra ID tenant or the new Azure cloud in the Attack Surface Analyzer.
Configure a new Azure cloud for attack surface analysis
Before configuring a new Azure cloud for attack surface analysis, you need to register an application in the Azure portal and assign it the required roles.
Create an application in the Azure portal
- Log in to the Azure portal and navigate to Microsoft Entra ID.
- Go to Manage > App registrations > + New registration to open the Register an application window.
- Enter a suitable Name for the application (for example, ADAudit Plus Application), retain the default values for other options, and click Register.
- On the application's Overview page, copy the Application (client) ID as this will be needed when configuring the Azure cloud in ADAudit Plus.
- Go to Manage > Certificates & secrets > New client secret.
- In the Add a client secret panel, give a suitable Description, select 730 days (24 months) from the Expires drop-down, and then click Add.
- Copy the Value as this will be needed when configuring the Azure cloud in ADAudit Plus. The value is shown only once; if you navigate away without copying it, you must create a new secret. Record the expiry date, because the Attack Surface Analyzer stops working when the secret expires and you will then need to generate a new one and update it in ADAudit Plus.
- In the Azure portal, navigate to Subscriptions, select the subscription you want to configure in ADAudit Plus, and copy the Subscription ID as this will be required when configuring the Azure cloud in ADAudit Plus.
- From the left menu, go to Access control (IAM) > + Add > Add role assignment.
- In the Role tab, search for and select the Reader role and click Next.
- In the Members tab, click + Select Members, search for the name of the application that you created in step three, click Select, and then click Review + Assign.
- Repeat steps nine to eleven for the Storage Account Contributor role.
- If you want ADAudit Plus to verify policies against your keys, secrets, and certificates in Azure Key Vaults, then navigate to the Key Vault resource you want to monitor, click Access Configuration from the left menu, and based on the permission model you have selected, follow the steps below:
- If you have selected Azure role-based access control (recommended), click Access control (IAM) and add the Key Vault Contributor role for the application by following steps nine to eleven. Note that Key Vault Contributor is a management-plane role; in Microsoft's role definition it does not by itself grant access to the keys, secrets, and certificates stored in the vault. If the Key Vault checks return no items, also assign a data-plane read role such as Key Vault Reader at the vault scope.
- If you have selected Vault Access Policy, click Go to access policies, and then click Create. Under Key permissions, Secret permissions, and Certificate permissions, select the check box next to List and click Next. In the Principal tab, search for and select the name of the application that you created, and click Next. Review your settings and click Review + Create.
Note: If you have multiple subscriptions, repeat the steps for each of them.
Add the existing Entra ID tenant or the new Azure cloud in the Attack Surface Analyzer
- Log in to the ADAudit Plus web console.
- Navigate to the Cloud Directory tab > Attack Surface Analyzer > Configuration > Cloud Directory.
- Click +Add Cloud Directory in the top-right.
- Select Azure Cloud from the Add Cloud Directory pop-up.
- Enter the Display Name, Tenant Name, Client ID, Client Secret, Subscription ID, and Cloud Type.
- Select the Audit Log check box if you want to fetch the audit logs and monitor all the operations performed in the Azure cloud, and then click Next.
- Review your settings and click Finish.
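Before entering the client ID and secret above, it is worth confirming that the application really holds the roles the procedure asks for on every subscription and vault, and that the secret is not about to expire. The following Python script does that offline; it is an added example and not part of the ADAudit Plus documentation or product. It assumes the JSON produced by `az role assignment list --assignee <client-id> --all -o json` (fields roleDefinitionName and scope) and `az ad app credential list --id <client-id> -o json` (fields keyId and endDateTime); the subscription IDs, vault resource IDs, secret, and check time embedded below are constructed sample data.

```python
"""Offline check that an app registration carries the role assignments the
Attack Surface Analyzer procedure asks for and a non-expired client secret.

Assumed live input (Azure CLI JSON, field names as documented by the CLI):
  az role assignment list --assignee <client-id> --all -o json   -> assignments
  az ad app credential list --id <client-id> -o json              -> credentials
"""
import json
from datetime import datetime, timezone

# Roles the help page asks for on every subscription that will be scanned.
REQUIRED_SUBSCRIPTION_ROLES = frozenset({"Reader", "Storage Account Contributor"})
# Role the help page asks for on each Key Vault that uses the Azure RBAC model.
REQUIRED_KEYVAULT_ROLE = "Key Vault Contributor"


def _scope_covers(scope, resource_id):
    """True when an assignment at `scope` applies to `resource_id`: the same
    scope or an ancestor of it (root "/", subscription, resource group)."""
    s = scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def missing_subscription_roles(assignments, subscription_ids,
                               required=REQUIRED_SUBSCRIPTION_ROLES):
    """Map subscription id -> required roles not granted at or above that
    subscription. Management-group membership is not resolved here, so a role
    inherited from a management group is reported as missing."""
    result = {}
    for sub in subscription_ids:
        sub_scope = f"/subscriptions/{sub}"
        granted = {a.get("roleDefinitionName") for a in assignments
                   if _scope_covers(a.get("scope", ""), sub_scope)}
        result[sub] = set(required) - granted
    return result


def vaults_missing_role(assignments, vault_resource_ids, role=REQUIRED_KEYVAULT_ROLE):
    """Key Vault resource ids that receive `role` from no assignment at all."""
    return [v for v in vault_resource_ids
            if not any(a.get("roleDefinitionName") == role
                       and _scope_covers(a.get("scope", ""), v)
                       for a in assignments)]


def secret_days_remaining(credentials, now):
    """Map keyId -> whole days until endDateTime (negative means expired).
    Fractional seconds are dropped because the timestamp may carry seven digits."""
    out = {}
    for c in credentials:
        stamp = c["endDateTime"].split(".")[0].rstrip("Z")
        end = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        out[c["keyId"]] = (end - now).days
    return out


# ---- Constructed sample data (not real tenants, subscriptions, or secrets) ----
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
KV_PROD = f"/subscriptions/{SUB_A}/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod"
KV_DEV = f"/subscriptions/{SUB_B}/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-dev"
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_A}"}},
  {{"roleDefinitionName": "Storage Account Contributor", "scope": "/subscriptions/{SUB_A}"}},
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB_B}"}},
  {{"roleDefinitionName": "Key Vault Contributor", "scope": "{KV_PROD}"}}
]""")
SAMPLE_CREDENTIALS = json.loads("""[
  {"keyId": "aaaaaaaa-0000-0000-0000-000000000001",
   "displayName": "adauditplus", "endDateTime": "2026-01-01T00:00:00.0000000Z"}
]""")
# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
CHECK_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sub, missing in missing_subscription_roles(SAMPLE_ASSIGNMENTS, [SUB_A, SUB_B]).items():
        print(f"{sub}: {'ok' if not missing else 'missing ' + ', '.join(sorted(missing))}")
    for vault in vaults_missing_role(SAMPLE_ASSIGNMENTS, [KV_PROD, KV_DEV]):
        print(f"no {REQUIRED_KEYVAULT_ROLE} on {vault}")
    for key_id, days in secret_days_remaining(SAMPLE_CREDENTIALS, CHECK_TIME).items():
        print(f"secret {key_id}: {days} days remaining")
```

Run it against live output by loading the two `az` JSON files and passing `datetime.now(timezone.utc)`; any subscription with a non-empty missing set, any vault listed, or any secret with few days remaining should be fixed in the Azure portal before clicking Finish.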