Azure Cloud Security Posture Management (CSPM)

Azure CSPM helps mitigate security risks, enforce compliance, and assess security posture using automated checks and best practices. This guide outlines the installation, configuration, and multi-subscription scanning setup for Azure CSPM.

1. API Keys & Permissions

To use Azure CSPM, you need a Coralogix Send-Your-Data API key (see Environment Variables below) and the Azure permissions described here.

Required Azure Role-Based Access Control (RBAC) Role

Create a custom Azure role with the permissions defined in the AZURE-CSPM-Role definition on GitHub.

Grant this role to the service principal used by CSPM.

2. Installation Methods

Azure CSPM supports deployment using:

  1. Docker on an Azure Virtual Machine (VM)
  2. Kubernetes CronJob on Azure Kubernetes Service (AKS)

3. Environment Variables

Configure the following environment variables during installation:

  • API_KEY - Send-Your-Data API key
  • APPLICATION_NAME - Set the application name
  • SUBSYSTEM_NAME - Set the subsystem name
  • COMPANY_ID - The Coralogix Company ID
  • CORALOGIX_ENDPOINT_HOST - Coralogix gRPC endpoint
  • CLOUD_PROVIDER - "azure"
  • TENANT_ID - Azure Tenant ID
  • SUBSCRIPTION_ID - Azure Subscription ID (comma-separated for multiple)
  • RESOURCE_GROUP - Azure Resource Group to scan
  • REGION_LIST - Comma-separated Azure regions to scan
  • CORALOGIX_ALERT_API_KEY - (Optional) API key for failed resource alerts

4. Installing as a Docker Container

Prerequisites

  • Azure VM with Ubuntu/Debian OS
  • Azure Service Principal with necessary permissions
  • Docker Installed

Set up the Azure environment

Install Azure CLI:

    curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Get the VM's managed identity principal ID:

    az vm show --name <server-name> --resource-group <resource-group-name> --query identity.principalId --output tsv

Get the resource ID (the object ID of the Microsoft Graph service principal, whose appId is 00000003-0000-0000-c000-000000000000):

    az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv

Assign the Graph app role to the managed identity:

    az rest --method post \
      --uri "https://graph.microsoft.com/v1.0/servicePrincipals/<principal-id>/appRoleAssignments" \
      --headers "Content-Type=application/json" \
      --body '{
        "principalId": "<principal-ID>",
        "resourceId": "<resource-ID>",
        "appRoleId": "df021288-bdef-4463-88db-98f22de89214"
      }'

Check the permission by requesting a Graph token from the VM's managed identity endpoint (IMDS):

    curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com' -H Metadata:true | jq -r '.access_token'
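Before scheduling the container, it is worth confirming that the token the VM's identity receives actually carries the Graph app role assigned above. The following is an added Python example, not part of the Coralogix project: it decodes the token's claims and checks the audience and the roles claim. Mapping the appRoleId on this page to the role name User.Read.All is my assumption (confirm it in your tenant), and the sample tokens are constructed and unsigned.

```python
import base64
import json
import urllib.request

# The role name is an assumption: the page gives only the appRoleId
# (df021288-...); confirm the display name with `az ad sp show` in your tenant.
EXPECTED_ROLE_NAME = "User.Read.All"
# Graph tokens carry either the resource URI or the Graph appId as audience.
GRAPH_AUDIENCES = ("https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000")
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https://graph.microsoft.com")

def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified: this is a local sanity check, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_graph_token(token: str, role: str = EXPECTED_ROLE_NAME) -> list:
    """Return a list of problems; an empty list means CSPM can use the token."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud={claims.get('aud')!r}, expected one of {GRAPH_AUDIENCES}")
    roles = claims.get("roles", [])
    if role not in roles:
        problems.append(f"app role {role!r} not granted; roles present: {roles}")
    return problems

def fetch_imds_token() -> str:
    """Same request as the curl above; only works from inside an Azure VM."""
    req = urllib.request.Request(IMDS_TOKEN_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# On the VM: print(check_graph_token(fetch_imds_token()) or "token OK")
```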

Deployment Steps

  1. Pull the Docker image:

    docker pull coralogixrepo/snowbit-cspm
    
  2. Set up Automated Execution via Crontab:

    sudo crontab -e
    
  3. Insert the following command, after setting the variables below to your own values:

     CORALOGIX_ENDPOINT_HOST - The endpoint for your region.
     COMPANY_ID - Your Coralogix company ID.
     API_KEY - Your Coralogix Send-Your-Data key.

    */10 * * * * docker run --name snowbit-cspm --rm \
      -e PYTHONUNBUFFERED=1 \
      -e CLOUD_PROVIDER="azure" \
      -e CORALOGIX_ENDPOINT_HOST="ng-api-grpc.coralogix.com" \
      -e COMPANY_ID=<your-company-id> \
      -e APPLICATION_NAME="test-cspm" \
      -e SUBSYSTEM_NAME="test-cspm" \
      -e TESTER_LIST="" \
      -e API_KEY="<your-send-data-key>" \
      -e REGION_LIST="" \
      -e ROLE_ARN_LIST="" \
      -e CORALOGIX_ALERT_API_KEY="" \
      --network host \
      coralogixrepo/snowbit-cspm:latest
    
  4. Save the crontab.

5. Installing as a Kubernetes CronJob (AKS) - [Beta]

Prerequisites

  • Azure Kubernetes Service (AKS) cluster
  • kubectl and Azure CLI installed
  • Azure RBAC Role assigned to a Kubernetes Service Account

Deployment Steps

  1. Configure AKS Cluster Credentials:

    az aks get-credentials --resource-group <RESOURCE_GROUP> --name <AKS_CLUSTER>
    
  2. Deploy the CronJob YAML:

    apiVersion: batch/v1
    kind: CronJob
    metadata:
      name: snowbit-cspm-cronjob
    spec:
      schedule: "*/10 * * * *"
      jobTemplate:
        spec:
          template:
            spec:
              serviceAccountName: snowbit-sa
              containers:
              - name: snowbit-cspm
                image: coralogixrepo/snowbit-cspm
                command: ["python3"]
                args: ["lambda_function.py"]
                env:
                - name: API_KEY
                  value: "send_your_data_api_key"
                - name: CORALOGIX_ENDPOINT_HOST
                  value: "coralogix_endpoint"
                - name: CLOUD_PROVIDER
                  value: "azure"
                - name: APPLICATION_NAME
                  value: "application_name"
                - name: SUBSYSTEM_NAME
                  value: "subsystem_name"
                - name: COMPANY_ID
                  value: "<coralogix_company_ID>"
                - name: TENANT_ID
                  value: "<azure_tenant_id>"
                - name: SUBSCRIPTION_ID
                  value: "<azure_subscription_id>"
                - name: RESOURCE_GROUP
                  value: "<resource_group_name>"
                - name: REGION_LIST
                  value: ""
                restartPolicy: OnFailure
    
  3. Apply the Kubernetes CronJob:

    kubectl apply -f snowbit-cronjob.yaml
    

6. Configuring Scan Settings

  1. In the Coralogix Security Tab, click "Scan Now" to trigger an immediate scan.
  2. Schedule scans at custom intervals (default: every 24 hours).

7. Limitations

  • Scans will only include subscriptions where CSPM has permissions.
  • Some security tests require Microsoft Defender for Cloud.

Next Steps

  1. Configure and schedule scans using the Coralogix Security Tab (Manage scan schedule).
  2. Enable Multi-Subscription Support if needed.

For further assistance, refer to the official Coralogix CSPM documentation or reach out to support.

Support

Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us via our in-app chat or by sending us an email at support@coralogix.com.