Azure CSPM helps mitigate security risks, enforce compliance, and assess security posture using automated checks and best practices. This guide outlines the installation, configuration, and multi-subscription scanning setup for Azure CSPM.

## 1. API keys & permissions

To use Azure CSPM, you need the following API keys:

- **[Send-Your-Data API Key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md)** (Authentication for Coralogix CSPM)

### Required Azure role-based access control (RBAC) role

Create a custom **Azure Role** using the permission definition published on GitHub at [AZURE-CSPM-Role](https://github.com/coralogix/snowbit-cspm-policies/tree/master/AZURE).

Grant this role to the service principal used by CSPM.

## 2. Installation methods

Azure CSPM supports deployment using:

1. **Docker on an Azure Virtual Machine (VM)**
1. **Kubernetes CronJob on Azure Kubernetes Service (AKS)**

## 3. Environment variables

Configure the following environment variables during installation:

| Environment Variable      | Description                                          |
| ------------------------- | ---------------------------------------------------- |
| `API_KEY`                 | Send-Your-Data API Key                               |
| `APPLICATION_NAME`        | Set the application name                             |
| `SUBSYSTEM_NAME`          | Set the subsystem name                               |
| `COMPANY_ID`              | The Coralogix Company ID                             |
| `CORALOGIX_ENDPOINT_HOST` | Coralogix gRPC endpoint                              |
| `CLOUD_PROVIDER`          | "azure"                                              |
| `TENANT_ID`               | Azure Tenant ID                                      |
| `SUBSCRIPTION_ID`         | Azure Subscription ID (comma-separated for multiple) |
| `RESOURCE_GROUP`          | Azure Resource Group to scan                         |
| `REGION_LIST`             | Comma-separated Azure regions to scan                |
| `CORALOGIX_ALERT_API_KEY` | (Optional) API key for failed resource alerts        |

## 4. Installing as a Docker container

### Prerequisites

- **Azure VM with Ubuntu/Debian OS**
- **Azure Service Principal** with necessary permissions
- **Docker Installed**

### Setup Azure environment

Install Azure CLI:

```bash
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```

Get principal ID:

```bash
az vm show --name <server-name> --resource-group <resource-group-name> --query identity.principalId --output tsv
```

Get resource ID:

```bash
# 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph;
# this returns the object ID of the Graph service principal in your tenant.
az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv
```

Set graph permissions:

```bash
# <principal-id>: the VM identity's principalId from "Get principal ID" above.
# <resource-id>: the Graph service principal object ID from "Get resource ID" above.
# appRoleId df021288-bdef-4463-88db-98f22de89214 is the Microsoft Graph
# application permission User.Read.All.
az rest --method post \
  --uri "https://graph.microsoft.com/v1.0/servicePrincipals/<principal-id>/appRoleAssignments" \
  --headers "Content-Type=application/json" \
  --body '{
    "principalId": "<principal-id>",
    "resourceId": "<resource-id>",
    "appRoleId": "df021288-bdef-4463-88db-98f22de89214"
  }'
```

Check the permission (token):

```bash
# Run on the VM itself: ask the instance metadata service (IMDS) for a
# managed-identity token scoped to Microsoft Graph.
curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com' \
  -H Metadata:true | jq -r '.access_token'
```
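The curl command above only prints the raw token, which does not by itself show whether the app role assignment took effect. The following script is an added example, not part of the original page or the Coralogix project: it decodes the token's payload (without verifying the signature) and confirms that the audience is Microsoft Graph, the token is unexpired, and the `roles` claim carries the application permission that the `appRoleId` on this page corresponds to (`User.Read.All`). The sample token embedded in it is constructed, with a placeholder tenant and signature.

```python
import base64
import json
import sys
import time

# The appRoleId assigned on this page (df021288-bdef-4463-88db-98f22de89214) is the
# Microsoft Graph application permission User.Read.All, so that is the default role checked.
# Graph tokens carry either the resource URL or the Graph application ID as audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url(data):
    """base64url-encode without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: an unsigned JWT whose payload mirrors the claims a
# managed identity receives for the Graph resource. The signature segment is a
# placeholder, which is fine because this script never verifies signatures.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/<tenant-id>/",  # placeholder tenant
        "roles": ["User.Read.All"],
        "exp": 4102444800,                              # far-future, constructed
    }).encode()),
    "constructed-signature",
])


def decode_payload(token):
    """Return the JWT claims WITHOUT signature verification.

    Suitable only for inspecting a token you obtained yourself from IMDS;
    it proves nothing about who issued the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_permission(token, required_role="User.Read.All", now=None):
    """Return a list of problems; an empty list means the token is for Microsoft
    Graph, is unexpired and carries the required application role."""
    claims = decode_payload(token)
    problems = []
    aud = claims.get("aud", "").rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"role {required_role} missing; token roles: {roles}")
    return problems


if __name__ == "__main__":
    # Pipe the output of the page's curl/jq command into this script; with no
    # stdin it falls back to the constructed sample token.
    token = sys.stdin.read().strip() or SAMPLE_TOKEN
    problems = check_graph_permission(token)
    print("\n".join(f"FAIL: {p}" for p in problems)
          or "OK: token carries the expected Graph permission")
```

IMDS caches tokens, so a role assigned a moment ago may not show up in the `roles` claim until a fresh token is issued; if the check fails right after the `az rest` call, wait and request the token again before assuming the assignment itself failed.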

### Deployment steps

1. **Pull the Docker image:**

   ```bash
   docker pull coralogixrepo/snowbit-cspm
   ```

1. **Set up Automated Execution via Crontab:**

   ```bash
   sudo crontab -e
   ```

1. **Insert the following command:**

   Ensure the environment variables below are set with your chosen values:

   - `CORALOGIX_ENDPOINT_HOST` - The endpoint for your region.
   - `COMPANY_ID` - Your Coralogix company ID.
   - `API_KEY` - Your Coralogix [Send-Your-Data key](https://coralogix.com/docs/user-guides/account-management/api-keys/send-your-data-api-key/index.md).

   ```bash
   */10 * * * * docker run --name snowbit-cspm --rm \
     -e PYTHONUNBUFFERED=1 \
     -e CLOUD_PROVIDER="azure" \
     -e CORALOGIX_ENDPOINT_HOST="api.[[DOMAIN_VALUE]]" \
     -e COMPANY_ID=<your-company-id> \
     -e APPLICATION_NAME="test-cspm" \
     -e SUBSYSTEM_NAME="test-cspm" \
     -e TESTER_LIST="" \
     -e API_KEY="<your-send-data-key>" \
     -e REGION_LIST="" \
     -e ROLE_ARN_LIST="" \
     -e CORALOGIX_ALERT_API_KEY="" \
     --network host \
     coralogixrepo/snowbit-cspm:latest
   ```

1. Save the crontab.

## 5. Installing as a Kubernetes CronJob (AKS) - [Beta]

### Prerequisites

- Azure Kubernetes Service (AKS) cluster
- kubectl and Azure CLI installed
- Azure RBAC Role assigned to a Kubernetes Service Account

### Deployment steps

1. **Configure AKS Cluster Credentials:**

   ```bash
   az aks get-credentials --resource-group <RESOURCE_GROUP> --name <AKS_CLUSTER>
   ```

1. **Deploy the CronJob YAML:**

   ```yaml
   apiVersion: batch/v1
   kind: CronJob
   metadata:
     name: snowbit-cspm-cronjob
   spec:
     schedule: "*/10 * * * *"
     jobTemplate:
       spec:
         template:
           spec:
             serviceAccountName: snowbit-sa
             containers:
             - name: snowbit-cspm
               image: coralogixrepo/snowbit-cspm
               command: ["python3"]
               args: ["lambda_function.py"]
               env:
               - name: API_KEY
                 value: "send_your_data_api_key"
               - name: CORALOGIX_ENDPOINT_HOST
                 value: "coralogix_endpoint"
               - name: CLOUD_PROVIDER
                 value: "azure"
               - name: APPLICATION_NAME
                 value: "application_name"
               - name: SUBSYSTEM_NAME
                 value: "subsystem_name"
               - name: COMPANY_ID
                 value: "<coralogix_company_ID>"
               - name: TENANT_ID
                 value: "<azure_tenant_id>"
               - name: SUBSCRIPTION_ID
                 value: "<azure_subscription_id>"
               - name: RESOURCE_GROUP
                 value: "<resource_group_name>"
               - name: REGION_LIST
                 value: ""
               restartPolicy: OnFailure
   ```

1. **Apply the Kubernetes CronJob:**

   ```bash
   kubectl apply -f snowbit-cronjob.yaml
   ```
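Both the crontab line in section 4 and the CronJob manifest above ship with placeholder values (`<your-company-id>`, `api.[[DOMAIN_VALUE]]`, `send_your_data_api_key`) that must be replaced before the scanner will report anything. The following pre-flight check is an added example, not part of the original page or the Coralogix project: it validates a configuration against the environment-variable table in section 3, flags unreplaced placeholders, checks that `CLOUD_PROVIDER` is the literal `azure`, treats `CORALOGIX_ENDPOINT_HOST` as a bare host name (as the page's example does), and parses the comma-separated `SUBSCRIPTION_ID` and `REGION_LIST` values. Which variables are mandatory depends on the install method, so only the Coralogix-side variables are treated as always required; the sample configurations are constructed and contain no real IDs or keys.

```python
import re

# Variable names from the page's environment-variable table. The page's Docker/cron
# example relies on the VM's managed identity and sets no TENANT_ID or SUBSCRIPTION_ID,
# so only the Coralogix-side variables are treated as always required here.
ALWAYS_REQUIRED = ["API_KEY", "COMPANY_ID", "CORALOGIX_ENDPOINT_HOST",
                   "CLOUD_PROVIDER", "APPLICATION_NAME", "SUBSYSTEM_NAME"]
LIST_VALUED = ["SUBSCRIPTION_ID", "REGION_LIST"]
KNOWN = ALWAYS_REQUIRED + LIST_VALUED + ["TENANT_ID", "RESOURCE_GROUP", "CORALOGIX_ALERT_API_KEY"]

# Template markers as they appear in the page's cron line and CronJob manifest.
PLACEHOLDER_PATTERN = re.compile(r"<[^>]*>|\[\[[^\]]*\]\]")   # <your-company-id>, [[DOMAIN_VALUE]]
PLACEHOLDER_VALUES = {"send_your_data_api_key", "coralogix_endpoint",
                      "application_name", "subsystem_name"}  # literal sample values in the YAML
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def split_list(value):
    """Split a comma-separated value as the table describes, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_env(env):
    """Return a list of human-readable problems; an empty list means the config passes."""
    problems = []
    for name in ALWAYS_REQUIRED:
        if not env.get(name):
            problems.append(f"{name} is missing or empty")
    for name in KNOWN:
        value = env.get(name, "")
        if PLACEHOLDER_PATTERN.search(value) or value in PLACEHOLDER_VALUES:
            problems.append(f"{name} still holds a template placeholder: {value}")
    if env.get("CLOUD_PROVIDER", "") != "azure":
        problems.append("CLOUD_PROVIDER must be exactly 'azure'")
    host = env.get("CORALOGIX_ENDPOINT_HOST", "")
    if "://" in host or "/" in host:
        problems.append("CORALOGIX_ENDPOINT_HOST must be a bare host name, not a URL")
    for sub in split_list(env.get("SUBSCRIPTION_ID", "")):
        if not GUID.match(sub):
            problems.append(f"SUBSCRIPTION_ID entry is not a GUID: {sub}")
    tenant = env.get("TENANT_ID", "")
    if tenant and not GUID.match(tenant):
        problems.append(f"TENANT_ID is not a GUID: {tenant}")
    return problems


# Constructed sample configuration; the IDs and key are made up, not real credentials.
GOOD_ENV = {
    "API_KEY": "cxtp-constructed-example-key",
    "COMPANY_ID": "123456",
    "CORALOGIX_ENDPOINT_HOST": "api.coralogix.example",
    "CLOUD_PROVIDER": "azure",
    "APPLICATION_NAME": "prod-cspm",
    "SUBSYSTEM_NAME": "azure-scan",
    "TENANT_ID": "11111111-2222-3333-4444-555555555555",
    "SUBSCRIPTION_ID": "00000000-0000-0000-0000-000000000001, 00000000-0000-0000-0000-000000000002",
    "RESOURCE_GROUP": "rg-security",
    "REGION_LIST": "eastus,westeurope",
}

# The page's cron line as it ships, with its placeholders left unreplaced.
UNREPLACED_CRON_ENV = {
    "API_KEY": "<your-send-data-key>",
    "COMPANY_ID": "<your-company-id>",
    "CORALOGIX_ENDPOINT_HOST": "api.[[DOMAIN_VALUE]]",
    "CLOUD_PROVIDER": "azure",
    "APPLICATION_NAME": "test-cspm",
    "SUBSYSTEM_NAME": "test-cspm",
    "REGION_LIST": "",
}

if __name__ == "__main__":
    # Run inside the shell (or container) that will launch the scanner to check
    # the variables it will actually see.
    import os
    for problem in validate_env(dict(os.environ)):
        print("FAIL:", problem)
```

Run it once in the crontab user's shell (`sudo -i` first, since the page's crontab belongs to root) or as a one-off `kubectl run` with the same `env:` block before enabling the schedule; a scanner that starts every ten minutes with an unreplaced `API_KEY` fails silently from Coralogix's side.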

## 6. Configuring scan settings

1. **In Coralogix Security Tab**, click **"Scan Now"** to trigger an immediate scan.
1. **Schedule scans** at custom intervals (default: every 24 hours).

## 7. Limitations

- Scans will only include subscriptions where CSPM has permissions.
- Some security tests require Microsoft Defender for Cloud.

## Next steps

1. **Configure & Schedule Scans** using Coralogix Security Tab.

1. **Enable Multi-Subscription Support** if needed.

For further assistance, refer to the official Coralogix CSPM documentation or reach out to support.

## Support

**Need help?**

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us **via our in-app chat** or by sending us an email at [support@coralogix.com](mailto:support@coralogix.com).
