Real-Time Threat Configuration for Azure

Configuring Real-Time Threats for Azure

The steps explained in this user guide set up real-time threat configuration for Azure. If the user has only Read permissions (no Write permissions), the following steps must be performed manually in the Azure portal.

  1. Create a policy assignment using the following code.
    Refer to this link to learn more about the detailed steps: Quickstart: Create policy assignment using Azure portal - Azure Policy | Microsoft Learn
    {
      "name": "SecurityCenterBuiltIn",
      "properties": {
        "displayName": "Enable Monitoring in Azure Security Center",
        "description": "Policy Assignment to enable security center",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
        "parameters": {},
        "metadata": {
          "assignedBy": "Security_Center",
          "corestack-system-manage": "true",
          "corestack-system-category": "enable_azure_security_center"
        }
      }
    }
    
  2. Enable Security Pricing Tier Standard.
  3. Perform Auto Provisioning Configuration through the Microsoft Defender settings. This step ensures that the automatic provisioning of the monitoring agent is enabled. Refer to this link for more details: https://learn.microsoft.com/en-us/azure/defender-for-cloud/working-with-log-analytics-agent
  4. Create an Action Group using the following body. Replace the <group_short_name> placeholder with a short name for the group; the serviceUri value must be obtained from customer support.
    {
      "location": "Global",
      "tags": {
        "corestack-system-manage": "true"
      },
      "properties": {
        "groupShortName": "<group_short_name>",
        "enabled": true,
        "webhookReceivers": [
          {
            "name": "security_webhook",
            "serviceUri": "<contact customer support to get this value>"
          }
        ]
      }
    }
    
  5. Create a Security Alert (an activity log alert rule) with the name CS-Security-security-Alert-<service_account_id>, using the following body. The actionGroupId is the resource ID of the Action Group created in step 4.
    {
      "location": "global",
      "tags": {
        "corestack-system-manage": "true"
      },
      "properties": {
        "scopes": [
          "/subscriptions/<azure_subscription_id>"
        ],
        "enabled": true,
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "Security"
            },
            {
              "field": "resourceType",
              "equals": "Microsoft.Security/locations/alerts"
            }
          ]
        },
        "actions": {
          "actionGroups": [
            {
              "actionGroupId": "<action_group_resource_id_from_step_4>"
            }
          ]
        },
        "description": "This alert rule is created to trigger security threats in this subscription"
      }
    }
    

    Note: Please reach out to your Customer Success representative to get the <<SERVICE_ACCOUNT_ID>>.
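The bodies in steps 4 and 5 are easy to get subtly wrong when typed by hand: a Python-style True instead of JSON true, an unquoted category value, or a placeholder left in place. The following script is an added example and is not code from this guide or from the platform. It builds both bodies with correct JSON types from a few parameters, rejects values that are still guide placeholders, enforces Azure's 12-character limit on the action group short name, and evaluates the alert rule's allOf condition against a few constructed sample activity-log events so you can see which events would reach the webhook. The function names, the flat event dictionaries, the case-insensitive comparison and the sample values are assumptions of the example; the webhook URI, subscription ID and action group resource ID remain placeholders that you obtain as the guide describes.

```python
"""Added example (not part of the guide or the platform): build the step 4 and
step 5 request bodies as well-typed JSON, reject unfilled placeholders, and
evaluate the alert rule's condition against constructed sample events."""
import json
import re

# Azure limits an action group's short name to 12 characters.
MAX_SHORT_NAME_LEN = 12
# Anything still wrapped in <...> or <<...>> is a placeholder from the guide.
PLACEHOLDER = re.compile(r"^<.*>$")


def _require_filled(name: str, value: str) -> None:
    """Reject empty values and guide placeholders such as <azure_subscription_id>."""
    if not value or PLACEHOLDER.match(value):
        raise ValueError(f"{name} still holds a placeholder: {value!r}")


def action_group_body(short_name: str, webhook_uri: str) -> dict:
    """Step 4: action group with one webhook receiver (the platform's endpoint)."""
    _require_filled("groupShortName", short_name)
    _require_filled("serviceUri", webhook_uri)
    if len(short_name) > MAX_SHORT_NAME_LEN:
        raise ValueError(f"groupShortName must be at most {MAX_SHORT_NAME_LEN} characters")
    if not webhook_uri.startswith("https://"):
        raise ValueError("serviceUri must be an https:// URL")
    return {
        "location": "Global",
        "tags": {"corestack-system-manage": "true"},
        "properties": {
            "groupShortName": short_name,
            "enabled": True,  # json.dumps serialises this as JSON true
            "webhookReceivers": [
                {"name": "security_webhook", "serviceUri": webhook_uri}
            ],
        },
    }


def alert_rule_name(service_account_id: str) -> str:
    """Step 5 naming convention from the guide."""
    _require_filled("service_account_id", service_account_id)
    return f"CS-Security-security-Alert-{service_account_id}"


def security_alert_body(subscription_id: str, action_group_id: str) -> dict:
    """Step 5: activity log alert rule that forwards security alerts raised in
    the subscription to the action group created in step 4."""
    _require_filled("subscription_id", subscription_id)
    _require_filled("actionGroupId", action_group_id)
    return {
        "location": "global",
        "tags": {"corestack-system-manage": "true"},
        "properties": {
            "scopes": [f"/subscriptions/{subscription_id}"],
            "enabled": True,
            "condition": {
                "allOf": [
                    {"field": "category", "equals": "Security"},
                    {"field": "resourceType",
                     "equals": "Microsoft.Security/locations/alerts"},
                ]
            },
            "actions": {"actionGroups": [{"actionGroupId": action_group_id}]},
            "description": "This alert rule is created to trigger security threats in this subscription",
        },
    }


def condition_matches(condition: dict, event: dict) -> bool:
    """Evaluate an activity-log alert 'allOf' condition against one event.

    Every clause must hold. Events are modelled as flat dicts and values are
    compared case-insensitively; both are assumptions of this example."""
    for clause in condition["allOf"]:
        actual = event.get(clause["field"])
        if actual is None or actual.casefold() != clause["equals"].casefold():
            return False
    return True


def matching_events(alert_body: dict, events: list) -> list:
    """Return the events that would fire the rule (and hence the webhook)."""
    condition = alert_body["properties"]["condition"]
    return [e for e in events if condition_matches(condition, e)]


# Constructed sample events: two security alerts that must reach the webhook
# and two unrelated activity-log entries that must not.
SAMPLE_EVENTS = [
    {"category": "Security", "resourceType": "Microsoft.Security/locations/alerts",
     "operationName": "Microsoft.Security/locations/alerts/activate/action"},
    {"category": "Administrative", "resourceType": "Microsoft.Compute/virtualMachines",
     "operationName": "Microsoft.Compute/virtualMachines/write"},
    {"category": "Security", "resourceType": "Microsoft.Security/locations/alerts",
     "operationName": "Microsoft.Security/locations/alerts/activate/action"},
    {"category": "Recommendation", "resourceType": "Microsoft.Security/locations/alerts",
     "operationName": "Microsoft.Advisor/recommendations/available/action"},
]


if __name__ == "__main__":
    # Placeholder values: substitute the real webhook URI, subscription ID and
    # the action group resource ID returned by Azure in step 4.
    group = action_group_body("cs-security", "https://example.invalid/placeholder-webhook")
    print(json.dumps(group, indent=2))
    rule = security_alert_body(
        "00000000-0000-0000-0000-000000000000",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder"
        "/providers/microsoft.insights/actionGroups/cs-security",
    )
    print(alert_rule_name("example-service-account"))
    print(json.dumps(rule, indent=2))
    print(f"{len(matching_events(rule, SAMPLE_EVENTS))} of {len(SAMPLE_EVENTS)} "
          "sample events would fire the webhook")
```

Running the script prints both bodies ready to paste into the portal and reports that two of the four sample events would fire the rule; feeding it a guide placeholder such as <group_short_name> raises a ValueError instead of producing a body Azure would reject.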

  6. Log in to the platform and go to the Cloud Account Governance settings page.
    a. To configure Threat Real Time Sync, click Configure. A dialog box is displayed.
    b. In the Select Region list, select the region where the configuration needs to be made, and then click Ok.
    c. Click Validate. If there are no errors, go to the next step; otherwise, click Re-Validate, select or enter the relevant details, and validate again. After successful validation, the configuration can be saved.
    d. Click Save & Exit.