Microsoft Azure Cloud Security Posture Management (CSPM) with WatchGuard MDR
Deployment Overview
You can use WatchGuard MDR with Microsoft Azure Cloud Security Posture Management (CSPM) to combine threat detection and cloud security optimization for your environment.
This document describes the steps to integrate WatchGuard MDR with Microsoft Azure CSPM.
Before You Begin
Before you complete the procedures in this document, make sure that:
- You have a Microsoft Azure user with a Global Administrator role or sufficient permissions to register an application in Microsoft Entra ID, create a client secret, and assign the required Microsoft Graph API permissions and Azure role-based access control (RBAC) roles to the application and subscription.
- You have a WatchGuard Total MDR license allocated in WatchGuard Cloud.
Configure Microsoft Azure
To integrate WatchGuard MDR with Microsoft Azure CSPM, you must prepare the Azure subscription for CSPM scanning. You can use a script to automatically configure the Azure subscription or you can manually configure the Azure subscription.
To download and run the appregistration.ps1 script, go to Use a PowerShell script to prepare Microsoft Azure CSPM for integration with WatchGuard MDR in the WatchGuard Knowledge Base and run the script in your Microsoft Azure environment.
To manually configure Microsoft Azure, follow these steps:
- Create an App Registration and Client Secret
- Add API Permissions and Consent
- Add Role Assignments
- Encrypt Credentials with Keybase
Create an App Registration and Client Secret
To create the app registration and client secret:
- Log in to the Microsoft Azure portal with the user identified in the prerequisites.
- From the navigation menu, select All Services > Identity.
- In the Identity Management section, select App Registrations.
The App Registrations page opens.
- Click New Registration.
The Register an Application page opens.
- In the Name text box, type a name for the application. For example, type cspm-scan.
- In the Supported Account Types section, select Accounts in This Organizational Directory Only.
- For Redirect URI, keep the default setting.
- Click Register.
The app is registered.
- Copy the Application (Client) ID and Directory (Tenant) ID values and save them to add to the onboarding form later.
- From the left navigation menu, select Certificates and Secrets.
The Certificates and Secrets page opens.
- Click New Client Secret.
The Add a Client Secret page opens.
- In the Description text box, type a description for the client secret. For example, type cspm-scan-secret.
- From the Expires drop-down list, select 730 Days (24 Months).
- Click Add.
- From the new client secret, copy the contents of the Value column and save them to add to the onboarding form later.
Add API Permissions and Consent
You must add Microsoft Graph API permissions to the app registration with admin consent.
To add API permissions in Microsoft Azure:
- From the navigation menu, select Manage > API Permissions.
- Click Add a Permission.
The Select an API page opens.
- On the Microsoft APIs page, click Microsoft Graph.
The Request API Permissions page opens.
- Click Application Permissions.
- In the search box, search for and select Directory.Read.All.
- In the search box, search for and select Policy.Read.All.
- Click Add Permissions.
The Configured Permissions page opens.
- Click Grant Admin Consent for Directory Name.
A confirmation dialog box opens.
- Click Yes.
A green checkmark shows in the Status column.
Add Role Assignments
You must add the Security Reader and Reader role-based access control (RBAC) roles in the Azure subscription.
To add the required RBAC roles in Microsoft Azure:
- In the Microsoft Azure search box, search for and select Subscriptions.
The Subscriptions page opens.
- Select your subscription.
- From the navigation menu, select Access Control (IAM).
- To add the Security Reader role, complete these steps:
- Select Add > Add Role Assignment.
The Add Role Assignment page opens.
- In the search box, search for and select Security Reader. Click Next.
The Members tab opens.
- Select User, Group or Service Principal.
- Click Select Members.
The Select Members page opens.
- In the search box, search for and select the registered application name you used in Create an App Registration and Client Secret. For example, cspm-scan.
- Click Select.
The registered application shows in the Members list.
- Click Next.
- Review the changes and click Review + Assign.
- To add the Reader role, complete these steps:
- Select Add > Add Role Assignment.
The Add Role Assignment page opens.
- In the search box, search for and select Reader. Click Next.
The Members tab opens.
- Select User, Group or Service Principal.
- Click Select Members.
The Select Members page opens.
- In the search box, search for and select the registered application name you used in Create an App Registration and Client Secret. For example, cspm-scan.
- Click Select.
The registered application shows in the Members list.
- Click Next.
- Review the changes and click Review + Assign.
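After the manual steps above, it is worth confirming that the scanning principal holds exactly the two roles this procedure grants and nothing broader, and that the client secret is not close to its expiry date. The following audit script is an added example written for this document; it is not the WatchGuard appregistration.ps1 script. It assumes the Az PowerShell module (Az.Accounts and Az.Resources) and an existing Connect-AzAccount session whose current subscription is the one you assigned the roles in; the application display name cspm-scan and the 30-day warning window are assumptions you can change.

```powershell
# Added example, not WatchGuard's own script: audit the CSPM app registration.
# Assumes Az.Accounts + Az.Resources and an active Connect-AzAccount session.
param(
    [string]$AppName  = 'cspm-scan',   # display name chosen in the app registration (assumed)
    [int]   $WarnDays = 30             # warn when the client secret expires within N days (assumed)
)

$allowedRoles = @('Reader', 'Security Reader')   # the only roles this procedure asks for
$sub          = (Get-AzContext).Subscription.Id
$subScope     = "/subscriptions/$sub"
$findings     = @()

# Resolve the service principal that the app registration created.
$sp = @(Get-AzADServicePrincipal -DisplayName $AppName)
if ($sp.Count -eq 0) { throw "No service principal named '$AppName' in this tenant." }
if ($sp.Count -gt 1) { throw "Ambiguous name '$AppName': $($sp.Count) principals found." }
$sp = $sp[0]

# 1. Role assignments: expect Reader and Security Reader, at subscription scope, and nothing else.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id)
$roles   = $assignments | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique
$missing = $allowedRoles | Where-Object { $_ -notin $roles }
$extra   = $roles        | Where-Object { $_ -notin $allowedRoles }
foreach ($r in $missing) { $findings += "MISSING role '$r' for $AppName" }
foreach ($r in $extra)   { $findings += "EXCESS role '$r' for $AppName (least privilege: remove it)" }
foreach ($a in $assignments) {
    # A broader scope (management group, or a different subscription) is a configuration error here.
    if ($a.Scope -ne $subScope) { $findings += "Role '$($a.RoleDefinitionName)' is scoped to '$($a.Scope)', expected '$subScope'" }
}

# 2. Client secrets: flag expired secrets and secrets expiring within the warning window.
$creds = @(Get-AzADAppCredential -ApplicationId $sp.AppId)
if ($creds.Count -eq 0) { $findings += "No client secret found on application $($sp.AppId)" }
foreach ($c in $creds) {
    $daysLeft = [int]([datetime]$c.EndDateTime - (Get-Date)).TotalDays
    if ($daysLeft -lt 0)             { $findings += "Client secret $($c.KeyId) EXPIRED $(-$daysLeft) days ago" }
    elseif ($daysLeft -le $WarnDays) { $findings += "Client secret $($c.KeyId) expires in $daysLeft days; rotate and resubmit via Keybase" }
}

# Report. A non-zero exit code lets this run in a scheduled job or pipeline.
if ($findings.Count -eq 0) {
    Write-Host "OK: $AppName has exactly $($allowedRoles -join ', ') on $subScope and a valid client secret."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it again after each secret rotation; the Keybase submission step in the next section must be repeated with the new secret value whenever the script reports an expiring or expired credential.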
Encrypt Credentials with Keybase
To securely share the required Microsoft Azure credentials with WatchGuard in the CSPM Onboarding Form, encrypt the Application (Client) ID, Directory (Tenant) ID, and client secret values with Keybase.
To encrypt the values:
- Go to https://keybase.io/encrypt.
- In the Recipient text box, enter actzerocre.
- In the Message to Encrypt text box, paste the values copied from the previous steps.
- Click Encrypt.
- From The Secret Message text box, copy the encrypted contents of the message and save them to add to the onboarding form.
Make sure to erase the copies of the sensitive information in your local environment after you add them to the onboarding form.
Complete the Onboarding Form
After you configure your Microsoft Azure environment, to finish the integration with WatchGuard MDR, complete the CSPM Onboarding Form. To complete the form, you must have the encrypted Azure credentials.
You also need this information:
- Customer Company Name — The company name of the customer account for this connector.
- Partner Company Name — The company name of the Partner.
- WatchGuard Partner ID — The Partner ID format is: ACC-XXXXXXX.
- Partner Contact Email Address — The Partner contact email address the deployment team can use if they have questions.
- Customer/Subscriber WatchGuard Account ID — The Account ID format is: ACC-XXXXXXX or WGC-X-XXXXXXXXXXXXXXXXXXXX.