Blue Hexagon for Azure

Getting Started

The first step in protecting your Azure cloud with Blue Hexagon Agentless Runtime Cloud Security (powered by Deep Learning AI) is to connect Blue Hexagon to your Azure subscription(s). You do this by deploying a terraform module that automates the setup and ongoing management of the integration.

To complete the steps below, you need a valid Blue Hexagon SaaS license. Contact your Blue Hexagon representative to obtain one, or request a free trial license here.

Deployment

You will deploy the Blue Hexagon for Azure terraform module in your Azure environment. The module deploys:

  • An Azure AD application assigned the Security Reader role. This read-only role is what Blue Hexagon uses to scan for cloud resource and service misconfigurations, suboptimal security policies, and similar findings; it does not grant write access to your resources.

  • An Azure Function that ingests NSG Flow Logs and Azure Activity Logs from your storage account(s) and sends them to the Blue Hexagon SaaS portal for analytics.

You must have Azure administrator (or equivalent) credentials for each subscription you wish to protect, because the steps below create an Azure AD application, assign it a role, and deploy resources into the subscription.

Figure: Blue Hexagon for Azure Deployment Architecture

Prerequisites

Azure Cloud Shell already has all of these tools installed and is the recommended environment for deploying the terraform module. If you will use Azure Cloud Shell, skip ahead to Deploy Terraform Module below.

Otherwise, install the following prerequisites for your platform (Windows, Mac, Linux).

Terraform

https://www.terraform.io/downloads.html

Purpose: Create and manage the Blue Hexagon for Azure infrastructure.

az cli

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli

Purpose: Deploy the infrastructure to your Azure subscription.

Azure Functions Core Tools (func)

https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=windows%2Ccsharp%2Cbash#v2

Purpose: Deploy the log processor Azure Function.

python3

Purpose: Automatically register the Azure AD application created by the module with the Blue Hexagon SaaS portal.

NSG Flow Logs Delivered to Storage Account Blob

Blue Hexagon ingests NSG Flow Logs from a blob container in an Azure storage account that is in the same region as the terraform module deployed below (see the location variable in terraform.tfvars). There are two ways to enable flow logs; both first require an Azure storage account.

  1. Create an Azure storage account by following the steps here.

  2. Enable NSG Flow Logs for all of your network security groups, using either method:

    1. Method 1: Enable flow logs on each network security group individually, as described here.

    2. Method 2: Use the built-in Azure Policy definition to enable flow logs automatically for every network security group, as described here. This is the better choice for large environments, since NSGs created later are covered as well.

Azure Activity Logs Delivered to Storage Account Blob

Blue Hexagon ingests Azure Activity Logs from a blob container in an Azure storage account that is in the same region as the terraform module deployed below (see the location variable in terraform.tfvars). The same storage account can be used for both flow logs and Activity Logs; Azure writes each log type to its own container. To deliver Azure Activity Logs to a storage account:

  1. Create an Azure storage account by following the steps here.

  2. Enable Activity Logs and send them to the storage account by following the steps here.
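The two prerequisite procedures above (storage account, per-NSG flow logs, Activity Log export) expressed as Terraform, so that they can be reviewed and version-controlled like the rest of the deployment. This is an added example and is not part of Blue Hexagon's terraform module; the resource group and storage account names, the region, the default Network Watcher name and resource group, and the list of NSG IDs are assumptions you would replace with your own values.

```hcl
# Added example, not Blue Hexagon's module: provisions the storage account and
# log delivery that the module expects, and exports the two connection strings
# that terraform.tfvars asks for. All names and IDs below are assumptions.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

variable "location" {
  description = "Must match the location variable in the Blue Hexagon module's terraform.tfvars"
  default     = "westus2"
}

variable "nsg_ids" {
  type        = list(string)
  description = "Resource IDs of the network security groups to enable flow logs on (Method 1)"
}

resource "azurerm_resource_group" "logs" {
  name     = "rg-bh-logs"      # assumption
  location = var.location
}

# One storage account serves both log types; Azure writes each to its own container.
resource "azurerm_storage_account" "logs" {
  name                            = "stbhlogs001"   # assumption; globally unique, 3-24 lowercase alphanumerics
  resource_group_name             = azurerm_resource_group.logs.name
  location                        = azurerm_resource_group.logs.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false           # log containers must never be anonymously readable
}

# Flow logs are children of the regional Network Watcher. The name and resource
# group below are Azure's auto-created defaults; adjust if yours differ (assumption).
data "azurerm_network_watcher" "this" {
  name                = "NetworkWatcher_${var.location}"
  resource_group_name = "NetworkWatcherRG"
}

resource "azurerm_network_watcher_flow_log" "nsg" {
  for_each = toset(var.nsg_ids)

  name                      = "flowlog-${basename(each.value)}"
  network_watcher_name      = data.azurerm_network_watcher.this.name
  resource_group_name       = data.azurerm_network_watcher.this.resource_group_name
  network_security_group_id = each.value
  storage_account_id        = azurerm_storage_account.logs.id
  enabled                   = true
  version                   = 2      # v2 records include bytes/packets per flow

  retention_policy {
    enabled = true
    days    = 30
  }
}

# Activity Log export is a diagnostic setting on the subscription itself.
resource "azurerm_monitor_diagnostic_setting" "activity" {
  name               = "bh-activity-logs"
  target_resource_id = data.azurerm_subscription.current.id
  storage_account_id = azurerm_storage_account.logs.id

  enabled_log { category = "Administrative" }
  enabled_log { category = "Security" }
  enabled_log { category = "Policy" }
  enabled_log { category = "Alert" }
  enabled_log { category = "ServiceHealth" }
  enabled_log { category = "ResourceHealth" }
}

# These feed flow_logs_storage_connection_string and
# activity_logs_storage_connection_string in the module's terraform.tfvars.
# They embed the storage account key, so they are marked sensitive.
output "flow_logs_storage_connection_string" {
  value     = azurerm_storage_account.logs.primary_connection_string
  sensitive = true
}

output "activity_logs_storage_connection_string" {
  value     = azurerm_storage_account.logs.primary_connection_string
  sensitive = true
}
```

Because the outputs are marked sensitive, terraform prints them only on request (terraform output -raw flow_logs_storage_connection_string). Treat them as you would the storage account key: the connection string grants full read and write access to every container in the account, not just the log containers.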

Deploy Terraform Module

The most convenient way to deploy the terraform module is from a bash terminal in Azure Cloud Shell.

Step 1: Launch Cloud Shell.

Step 2: Download the terraform module archive bluehexagon_azure.zip from here and upload it to Cloud Shell.

Step 3: Unzip bluehexagon_azure.zip, entering the password provided by your Blue Hexagon representative to extract the archive.

Step 4: Edit terraform.tfvars and set the following variables:

 

  1. project and environment can be named per your enterprise application naming conventions. Azure naming conventions and character limits apply to the resources derived from them, so keep these values short and use only lowercase letters and numbers.

  2. location Set to the region in which you wish to deploy Blue Hexagon, e.g. westus2. This must be the region of the storage account(s) that receive your flow logs and Activity Logs.

  3. bh_license Set to your Blue Hexagon for Azure SaaS license.

  4. enable_audit Set to true (the default) to create the Security Audit app that uncovers misconfigurations. Set to false to skip creating the Security Audit app.

  5. flow_logs_storage_connection_string Set to the connection string of the Azure storage account where NSG Flow Logs are delivered. In the Azure portal, open the storage account, select Access keys, and copy the Connection string. Leave this blank ("") if you do not wish to process flow logs.

  6. activity_logs_storage_connection_string Set to the connection string of the Azure storage account where Azure Activity Logs are delivered, found in the same place. Leave this blank ("") if you do not wish to process Activity Logs.

Note that a storage connection string embeds the account key, so once these values are filled in terraform.tfvars is a secret: do not commit it to source control, and restrict access to the Cloud Shell file share where it is stored.

Step 5: Select the target subscription in the az CLI, then run the following commands. Repeat for each Azure subscription you wish to protect.

terraform init
terraform apply -auto-approve

The -auto-approve flag applies the plan without prompting; omit it if you want to review the planned resource changes before they are made.

Step 6: If terraform apply succeeds and the created application registers with Blue Hexagon, terraform prints the module's outputs. The outputs differ depending on whether enable_audit is set to true or false.

Next Steps

Verify and View Data in the Blue Hexagon Portal

Once deployed, Blue Hexagon begins the security audit of your Azure subscriptions and surfaces NSG Flow Log records, insights, and security findings in the Blue Hexagon portal. Data appears in the portal within a few minutes, or longer for large Azure environments.

NG-NDR Add-On Pack

If you have a packet broker such as Keysight Ixia CloudLens or Azure VTAP, you can add the Blue Hexagon NG-NDR pack as described here.

Blue Hexagon Proprietary