Azure LPA Setup
To harvest and send detailed data about Azure users and roles to InsightCloudSec, you'll need to turn on the Azure LPA feature. This feature relies on infrastructure deployed in your Azure subscription to collect action data and aggregate action statistics. The necessary infrastructure can be deployed manually or automatically. For an overview of this infrastructure, review Azure LPA design. If you have any issues or questions with this setup, reach out to the support team through the Customer Support Portal.
Deploy
You can deploy the necessary infrastructure using one of two methods:
Automatic deployment
This deployment method involves upgrading your permissions with a script run in Azure Cloud Shell and then deploying the infrastructure from InsightCloudSec. All infrastructure deployment and credential configuration happens automatically and asynchronously.
Automatic deployment prerequisites
Before deploying Azure LPA, you'll need the following:
- Domain Admin permissions in InsightCloudSec
- Admin access to the Azure subscription that contains the LPA data
- An Azure subscription connected to InsightCloudSec to associate with LPA
Additional permissions required
To run the script, you will need the Owner role and the `Microsoft.Authorization/roleAssignments/write` permission for the Azure tenant and subscription.
Upgraded permissions details
The following custom role is created after running the permissions upgrade script. It can be applied at the subscription or tenant level depending on the selected options during the role deployment script.
```json
{
  "Name": "InsightCloudSec LPA Infrastructure Provisioning",
  "IsCustom": true,
  "Description": "Rapid7 InsightCloudSec Least Privileged Access (LPA) role for deploy/undeploy",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.EventGrid/EventSubscriptions/read",
    "Microsoft.EventGrid/EventSubscriptions/write",
    "Microsoft.EventGrid/SystemTopics/EventSubscriptions/delete",
    "Microsoft.EventGrid/SystemTopics/EventSubscriptions/read",
    "Microsoft.EventGrid/SystemTopics/EventSubscriptions/write",
    "Microsoft.EventGrid/SystemTopics/read",
    "Microsoft.EventGrid/SystemTopics/write",
    "Microsoft.EventHub/Namespaces/EventHubs/ConsumerGroups/write",
    "Microsoft.EventHub/Namespaces/EventHubs/read",
    "Microsoft.EventHub/Namespaces/EventHubs/write",
    "Microsoft.EventHub/Namespaces/*/action",
    "Microsoft.EventHub/Namespaces/NetworkRuleSets/write",
    "Microsoft.EventHub/Namespaces/read",
    "Microsoft.EventHub/Namespaces/VirtualNetworkRules/write",
    "Microsoft.EventHub/Namespaces/write",
    "Microsoft.Kusto/Clusters/Databases/dataConnections/read",
    "Microsoft.Kusto/Clusters/Databases/dataConnections/write",
    "Microsoft.Kusto/Clusters/Databases/read",
    "Microsoft.Kusto/Clusters/Databases/Scripts/*",
    "Microsoft.Kusto/Clusters/Databases/write",
    "Microsoft.Kusto/Clusters/read",
    "Microsoft.Kusto/Clusters/write",
    "Microsoft.Kusto/Clusters/ManagedPrivateEndpoints/write",
    "Microsoft.Logic/Workflows/Enable/action",
    "Microsoft.Logic/Workflows/read",
    "Microsoft.Logic/Workflows/write",
    "Microsoft.Network/NetworkSecurityGroups/Join/action",
    "Microsoft.Network/NetworkSecurityGroups/read",
    "Microsoft.Network/NetworkSecurityGroups/SecurityRules/delete",
    "Microsoft.Network/NetworkSecurityGroups/SecurityRules/read",
    "Microsoft.Network/NetworkSecurityGroups/SecurityRules/write",
    "Microsoft.Network/NetworkSecurityGroups/write",
    "Microsoft.Network/PublicIPAddresses/Join/action",
    "Microsoft.Network/PublicIPAddresses/read",
    "Microsoft.Network/PublicIPAddresses/write",
    "Microsoft.Network/RouteTables/Join/action",
    "Microsoft.Network/RouteTables/read",
    "Microsoft.Network/RouteTables/write",
    "Microsoft.Network/VirtualNetworks/read",
    "Microsoft.Network/VirtualNetworks/Subnets/Join/action",
    "Microsoft.Network/VirtualNetworks/Subnets/read",
    "Microsoft.Network/VirtualNetworks/Subnets/write",
    "Microsoft.Network/VirtualNetworks/write",
    "Microsoft.Resources/Deployments/OperationStatuses/read",
    "Microsoft.Resources/Deployments/read",
    "Microsoft.Resources/Deployments/Validate/action",
    "Microsoft.Resources/Deployments/write",
    "Microsoft.Resources/Subscriptions/Locations/read",
    "Microsoft.Resources/Subscriptions/ResourceGroups/delete",
    "Microsoft.Resources/Subscriptions/ResourceGroups/read",
    "Microsoft.Resources/Subscriptions/ResourceGroups/write",
    "Microsoft.Storage/StorageAccounts/BlobServices/Containers/write",
    "Microsoft.Storage/StorageAccounts/BlobServices/write",
    "Microsoft.Storage/StorageAccounts/ListKeys/action",
    "Microsoft.Storage/StorageAccounts/ManagementPolicies/write",
    "Microsoft.Storage/StorageAccounts/write",
    "Microsoft.Web/Connections/Join/action",
    "Microsoft.Web/Connections/read",
    "Microsoft.Web/Connections/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}
```
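As an added example (not code from the Azure LPA library or the permissions upgrade script), the following Python reviews a custom role definition in this JSON format before it is assigned: it flags wildcard actions, the actions that can grant further roles or read storage keys, and an assignable scope at the tenant root, then fills in the `{subscription_id}` placeholder. The embedded role is a constructed excerpt of the one above, and the subscription ID is a placeholder.

```python
"""Audit a custom Azure role definition before it is assigned.

Added example, not part of the Azure LPA library or its upgrade script.
"""
import json

# Constructed excerpt of the LPA provisioning role shown on this page; the real
# role lists many more actions, but the document shape is identical.
ROLE_JSON = """
{
  "Name": "InsightCloudSec LPA Infrastructure Provisioning",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.EventHub/Namespaces/*/action",
    "Microsoft.Kusto/Clusters/Databases/Scripts/*",
    "Microsoft.Storage/StorageAccounts/ListKeys/action",
    "Microsoft.Storage/StorageAccounts/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription_id}"]
}
"""

# Actions a reviewer checks before granting: roleAssignments/write lets the
# holder grant further roles, ListKeys exposes full storage account keys.
SENSITIVE = {
    "Microsoft.Authorization/roleAssignments/write": "can grant roles",
    "Microsoft.Storage/StorageAccounts/ListKeys/action": "reads storage keys",
}


def audit_role(role_json: str, subscription_id: str) -> dict:
    """Return review findings plus the role with its scope placeholder filled in."""
    role = json.loads(role_json)
    findings = []
    for action in role["Actions"]:
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        if action in SENSITIVE:
            findings.append(f"{SENSITIVE[action]}: {action}")
    if "/" in role["AssignableScopes"]:
        findings.append("assignable at tenant root scope")
    if role.get("DataActions"):
        findings.append("grants data-plane actions")
    role["AssignableScopes"] = [
        s.replace("{subscription_id}", subscription_id) for s in role["AssignableScopes"]
    ]
    return {"role": role, "findings": findings}


if __name__ == "__main__":
    result = audit_role(ROLE_JSON, "00000000-0000-0000-0000-000000000000")  # placeholder ID
    for finding in result["findings"]:
        print("REVIEW:", finding)
    print(json.dumps(result["role"], indent=2))
```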
Task 1: Download and execute the permissions upgrade script using the Azure Cloud Shell
From InsightCloudSec:
- Log in to InsightCloudSec.
- Go to Settings > IAM Settings.
- Click the menu icon (three dots) next to the subscription you want to deploy infrastructure for.
- Click Automatic LPA Setup. A window appears.
- Click Generate and Download Script. The script downloads to your local filesystem.
From Azure:
- Log in to the Azure console in a separate browser window.
- Click Cloud Shell.
- Click Manage Files > Upload.
- Find and select the script you downloaded in InsightCloudSec. The script uploads to your `/home/<username>` directory.
- Execute the script: `python3 azure_permission_upgrade_script.py`
- Answer the prompts as they appear. The script creates a role that will be used to deploy the Azure LPA infrastructure.
- After the script is finished, return to InsightCloudSec.
Task 2: Deploy infrastructure and subscribe to the LPA events
From InsightCloudSec:
- Click 2. Deploy.
- For an additional cost, you can optionally select Yes to deploy a more secure infrastructure inside a Virtual Network.
- Select a deployment Location.
- Click Deploy New Event Hub. An event hub is deployed to the subscription, which can then be used to send LPA events to InsightCloudSec.
- Click Subscribe.
- Select the Event Hub that was just deployed for the subscription.
- Click Subscribe to existing Event Hub.
Deployments can take anywhere from 30 minutes to 120 minutes. The status on IAM Settings will update to Collecting Data after it is ready.
Manual deployment using the Azure LPA library
This deployment method involves the following:
- Task 1: Download and set up the repository, then deploy the Azure LPA infrastructure.
- Task 2: Set up Azure LPA data collection within InsightCloudSec and begin receiving data.
Manual deployment prerequisites
Before deploying Azure LPA, you'll need the following:
- Domain Admin permissions in InsightCloudSec
- MacOS or Linux local environment
- Admin access to the Azure subscription that contains the LPA data
- An Azure subscription connected to InsightCloudSec to associate with LPA
- Logged in to the associated Azure subscription via the Azure CLI with appropriate Admin permissions
Azure CloudShell is not supported!
The following instructions are currently only supported in a local MacOS or Linux environment or in a virtual machine.
Task 1: Download and Set Up the Repository
The repository is publicly available in an S3 bucket.
To download the repository:
- Download the repository using the following link: https://s3.amazonaws.com/get.divvycloud.com/prodserv/ics-azure-lpa/ics-azure-lpa-latest.zip
- Extract the repository's contents to the desired location.
Upon extracting the repository, you should examine its contents for basic understanding. Below is an outline of the sections of this repository:
- README.md -- Extensive documentation for the Azure LPA Python Library.
- roles -- Azure role definitions for the roles to be deployed to your subscription.
- src/ics_azure_lpa/automation -- Azure deployment automation framework. Automation entails the creation of the Azure LPA infrastructure, addition/removal of subscriptions, and destruction of the Azure LPA infrastructure.
- src/ics_azure_lpa/client -- Azure client interaction. Client interaction relates to either direct interactions with the Kusto/Azure Data Explorer (ADX) cluster or Azure Storage (to receive the final data products).
- arm_templates -- Azure ARM templates.
- bicep_templates -- Azure Bicep templates.
- tests/integration -- Integration tests (long-running tests that manipulate actual resources).
- tests/regression -- Regression tests (short-running tests that ensure code consistency).
Azure LPA deployment is best done via the Python deployment script that uses Bicep, the Azure CLI, and the Kusto client. Setting up a Python virtual environment specifically for the Azure LPA deployment (for example, `pyenv virtualenv ...`) is recommended. Read more about setting up a Python virtual environment: https://github.com/pyenv/pyenv#usage
Python version
This library was developed and tested using Python 3.8.5, but newer versions may work as well.
To set up the library:
- From a terminal, navigate to the repository.
- Before continuing, we highly recommend you review the README.
- Install dependencies: `make deps-py-dev` (development dependencies) or `make deps-py` (build dependencies).
- Create or refresh the Azure ARM templates: `make arm-templates`
- Deploy the infrastructure: `deployLpa`. Additional information about this command can be viewed by running `deployLpa --help`.
- Answer the interactive prompts to ensure proper deployment location and options. Note that deployment of the entire Azure LPA infrastructure can take anywhere from 40 to 60 minutes.
An example run of the deployment script is included below:
Product name to be replaced
You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.
```text
(divvycloud-azure-lpa) admin@my-macbook divvycloud-azure-lpa % deployLpa
Deployment location (Central US, East US, East US 2, US Gov Iowa, US Gov Virginia, North Central US, South Central US, West US, North Europe, West Europe, East Asia, Southeast Asia, Japan East, Japan West, Brazil South, Australia East, Australia Southeast, Central India, South India, West India) [East US]:
With virtual network [y/N]: y

Starting LPA deployment for Resource Group: "my-resource-group"!

2022-05-31 13:35:11,052 - divvy_azure_lpa.automation.accounts - INFO - Subscription: "Azure Alpha" [23456a7b-234b-2345-a23b-a23456b7c89d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:48)
2022-05-31 13:35:11,055 - divvy_azure_lpa.automation.accounts - INFO - Subscription: "qa-testbed" [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:48)
2022-05-31 13:35:11,055 - divvy_azure_lpa.automation.accounts - INFO - Default subscription: "qa-testbed" [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant [12345a6b-123b-1234-a12b-a12345b6c78d] (accounts.py:61)
2022-05-31 13:35:11,914 - divvy_azure_lpa.automation.lpa - INFO - Looking for Azure Event Grid System Topic: "Microsoft.Resources.Subscriptions" within subscription [34567a8b-3451-3456-a34b-a34567b8c90d]... (lpa.py:1012)
2022-05-31 13:35:13,212 - divvy_azure_lpa.automation.lpa - INFO - Utilizing Azure Event Grid System Topic: "Microsoft.Resources.Subscriptions" (Name: "subscription-resource-events" RG: "r7-ics-lpa" Sub: [34567a8b-3451-3456-a34b-a34567b8c90d]) (lpa.py:396)
2022-05-31 13:35:13,213 - divvy_azure_lpa.automation.lpa - INFO - Target LPA RG: "my-resource-group" Sub: [34567a8b-3451-3456-a34b-a34567b8c90d] Tenant: [12345a6b-123b-1234-a12b-a12345b6c78d] (lpa.py:404)
2022-05-31 13:35:14,262 - divvy_azure_lpa.automation.lpa - INFO - Deployment configuration chosen: Virtual Network (lpa.py:219)
2022-05-31 13:35:14,262 - divvy_azure_lpa.automation.lpa - INFO - Attempting to deploy/update deployment associated with: "templates/vn/overallLPA.bicep"... (lpa.py:230)
2022-05-31 13:35:14,263 - divvy_azure_lpa.automation.lpa - WARNING - Deployment can take around 60 minutes. (lpa.py:234)
2022-05-31 14:03:55,929 - divvy_azure_lpa.automation.bicep - INFO - Provisioning state: Succeeded (bicep.py:90)
2022-05-31 14:03:55,929 - divvy_azure_lpa.automation.network_security_group - INFO - Attempting to deploy/update deployment associated with: "templates/vn/SecurityGroupAllowlist.bicep"... (network_security_group.py:151)
2022-05-31 14:04:32,305 - divvy_azure_lpa.automation.bicep - INFO - Provisioning state: Succeeded (bicep.py:90)
2022-05-31 14:04:32,466 - divvy_azure_lpa.automation.lpa - INFO - Opening Virtual Network up to local access (temporarily...) (lpa.py:579)
2022-05-31 14:04:44,393 - divvy_azure_lpa.automation.lpa - INFO - Updating Kusto cluster to allow client access for principal "bc9bf403-9b66-4be5-8a4d-c6ff399440f5"... (lpa.py:591)
2022-05-31 14:04:46,067 - divvy_azure_lpa.automation.lpa - INFO - Kusto cluster access updated. (lpa.py:602)
2022-05-31 14:04:46,067 - divvy_azure_lpa.automation.lpa - INFO - Closing Virtual Network to local access. (lpa.py:608)
2022-05-31 14:04:57,976 - divvy_azure_lpa.automation.lpa - INFO - Enabling workflow: "workflow"... (lpa.py:617)
2022-05-31 14:04:59,156 - divvy_azure_lpa.automation.lpa - INFO - Workflow enabled. (lpa.py:624)
2022-05-31 14:04:59,156 - divvy_azure_lpa.automation.lpa - INFO - Deployment complete for Resource Group: "my-resource-group"! (lpa.py:626)

Deployment of resource group "my-resource-group" complete!

To access data via CLI, set the environment variables:
export AZURE_STORAGE_CONNECTION_STRING="REDACTED"
export AZURE_STORAGE_CONTAINER_NAME="events"
Invoke: downloadLpaData
```
If you run into deployment errors, review the troubleshooting section or reach out to the support team through the Customer Support Portal.
A successful deployment yields three crucial values for the next section:
- Resource group name
- Azure Storage connection string
- Azure Storage container name
At this point, the Azure LPA infrastructure is deployed and the data collection is beginning. Data is collected continually, but aggregation of the LPA action statistics happens at midnight.
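To pull those three values out of a saved deployLpa transcript and sanity-check them before they are entered in InsightCloudSec, here is an added example (not part of the Azure LPA library). The transcript it parses is constructed from the output above, with a placeholder account key where a real run prints the live connection string; `redact` masks the key so the value can be logged or shared without exposing the storage account.

```python
"""Extract and sanity-check the three values a deployLpa run prints (added example,
not part of the Azure LPA library)."""
import re

# Constructed transcript based on the page's example output. A real run prints
# the live connection string; this one carries a placeholder account key.
DEPLOY_OUTPUT = """\
Deployment of resource group "my-resource-group" complete!

To access data via CLI, set the environment variables:
export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=lpastorage;AccountKey=PLACEHOLDERKEY==;EndpointSuffix=core.windows.net"
export AZURE_STORAGE_CONTAINER_NAME="events"
Invoke: downloadLpaData
"""

RG_RE = re.compile(r'Deployment of resource group "([^"]+)" complete!')
EXPORT_RE = re.compile(r'^export (AZURE_STORAGE_[A-Z_]+)="([^"]*)"$', re.M)
# Azure blob container names: 3-63 chars, lowercase letters, digits, single hyphens.
CONTAINER_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?=[a-z0-9])){2,62}$")


def parse_deploy_output(text: str) -> dict:
    """Return the resource group, connection string and container name."""
    rg = RG_RE.search(text)
    exports = dict(EXPORT_RE.findall(text))
    return {
        "resource_group": rg.group(1) if rg else None,
        "connection_string": exports.get("AZURE_STORAGE_CONNECTION_STRING"),
        "container": exports.get("AZURE_STORAGE_CONTAINER_NAME"),
    }


def check_values(values: dict) -> list:
    """Return problems that would otherwise surface as the Error LPA state."""
    problems = []
    if not values["resource_group"]:
        problems.append("resource group name not found")
    conn = values["connection_string"] or ""
    parts = dict(p.split("=", 1) for p in conn.split(";") if "=" in p)
    for key in ("AccountName", "AccountKey"):
        if not parts.get(key):
            problems.append(f"connection string missing {key}")
    if parts.get("DefaultEndpointsProtocol", "https") != "https":
        problems.append("connection string does not use https")
    if not CONTAINER_RE.match(values["container"] or ""):
        problems.append("container name is not a valid Azure container name")
    return problems


def redact(conn: str) -> str:
    """Mask the AccountKey so the string can go into logs or a support ticket."""
    return re.sub(r"(AccountKey=)[^;]+", r"\1***", conn)


if __name__ == "__main__":
    values = parse_deploy_output(DEPLOY_OUTPUT)
    print(values["resource_group"], values["container"], redact(values["connection_string"]))
    print("problems:", check_values(values))
```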
Task 2: InsightCloudSec Configuration
Now that the Azure LPA infrastructure has been deployed, it's time to enable data collection within InsightCloudSec.
Prerequisites
Before you can successfully enable Azure LPA data collection in InsightCloudSec, you will need the three values from the deployment (resource group name, Azure Storage connection string, and container name) on hand. Then:
- Log in to InsightCloudSec.
- Go to Settings > IAM Settings > Azure LPA Settings. The LPA Settings page will appear with a list of Azure Subscriptions that have been added to InsightCloudSec.
- Next to the proper subscription, click the vertical three dots to open the menu.
- Click Enable LPA.
- Provide the values for harvesting the LPA data:
  - The resource group name where the Azure LPA infrastructure is deployed (created in step 1)
  - The connection string for the Azure Storage resource that hosts the Azure LPA data (created in step 1)
  - The container name inside the Azure Storage resource that contains the Azure LPA data (created in step 1)
- Click OK. You'll be returned to the LPA Settings page with the Status column updated to reflect LPA's current state. The status will typically be Enabled, but relatively recent deployments may reflect that the data is still awaiting aggregation. Review LPA States for more information.
Once LPA is successfully enabled and data has been collected, review Azure LPA Usage for information on viewing your data.
Data Availability
It can take up to 24 hours for data to be harvested and appear in InsightCloudSec.
Additional manual deployment script options
After downloading the repository and installing its dependencies, the Azure LPA configuration library is available for use. While deploying the LPA infrastructure is its main function, there are some other important functions available.
Download data
After you have successfully deployed the Azure LPA infrastructure, you may want to manually download the data being collected.
Prerequisites
Before you can manually download Azure LPA data, you will need the following on hand:
- Open a terminal locally and set the following environment variables (or pass them in via the command line): `AZURE_STORAGE_CONNECTION_STRING` and `AZURE_STORAGE_CONTAINER_NAME`.
- Run the following command and look in the set download path for the data: `downloadLpaData`
Add subscription
You have the option of using the same Azure LPA deployment infrastructure against multiple subscriptions within the same Azure tenant. The `subscribeLpa` command links other subscriptions to existing Azure LPA infrastructure. Invoking the command starts an interactive dialog that allows registering another subscription.
Upon completion of this subscription addition process within the Azure LPA library, you can reuse the same resource group name, connection string, and container name with the InsightCloudSec configuration process for each of these existing, linked accounts.
Remove subscription
If you'd like to remove a subscription from Azure LPA harvesting, you can use the `unsubscribeLpa` command.
Undeploy infrastructure
If you'd like to remove the infrastructure associated with the Azure LPA feature from your Azure subscription, you can use the `undeployLpa` command.
Manual deployment troubleshooting
Permissions
During deployment, the current Azure command line interface (CLI) user may not have the necessary permissions to create the Azure LPA infrastructure. Alternatively, you may want to create a specialized deployment user that is relatively de-privileged to execute the deployment commands. The Azure LPA infrastructure library provides the `createLpaDeploymentRole` command, which creates a custom role that can be used to perform the Azure LPA infrastructure deployment.
User Loses Connection Information
Ideally, you would retain the three key values (resource group name, connection string, container name) listed in the terminal after the deployment completes. If you forget to copy these values or need them in the future, you can obtain them from the Azure console:
- To find the resource group name: search through your resource groups with the Feature tag set to LPA. Review the Azure documentation for more information on finding and using resource groups: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal
- To find the connection string and container name: search for the Azure Storage account name (found in the LPA resource group) in the Azure Storage Explorer. Review the Azure documentation for more information on using the Azure Storage Explorer: https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-manage-with-storage-explorer?tabs=macos
LPA States
On IAM Settings > LPA Configuration > Azure LPA Settings, there are statuses associated with each Azure subscription added to InsightCloudSec and its LPA state:
| State | Description |
|---|---|
| Enabled | LPA is enabled and configured properly, and data is available |
| Not Enabled | LPA has not been enabled for the subscription yet |
| Error | Invalid connection information |
| Collecting Data | Waiting on data, or the initial collection (scheduled daily) has not yet occurred |