Get started with CSPM for Azure
Start monitoring the security posture of your Azure cloud assets.
Overview
This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.
Requirements
- CSPM only works in the
Default
Kibana space. Installing the CSPM integration on a different Kibana space will not work. - CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported (request support).
- To view posture data, you need
read
privileges for the following Elasticsearch indices:logs-cloud_security_posture.findings_latest-*
logs-cloud_security_posture.scores-*
logs-cloud_security_posture.findings
- The user who gives the CSPM integration permissions in Azure must be an Azure subscription
admin
.
Set up CSPM for Azure
You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access.
Add your CSPM integration
- From the Elastic Security Get started page, click Add integrations.
- Search for
CSPM
, then click on the result. - Click Add Cloud Security Posture Management (CSPM).
- Under Configure integration, select Azure, then select either Azure Organization or Single Subscription, depending on which resources you want to monitor.
- Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example,
azure-CSPM-dev-1
.
Set up cloud account access
To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription.
For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below.
ARM template setup (recommended)
-
Under Setup Access, select ARM Template.
-
Under Where to add this integration:
- Select New Hosts.
- Name the Elastic Agent policy. Use a name that matches the resources you want to monitor, for example,
azure-dev-policy
. Click Save and continue. The ARM Template deployment window appears. - In a new tab, log in to the Azure portal, then return to Kibana and click Launch ARM Template. This will open the ARM template in Azure.
- If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources.
- Copy the
Fleet URL
andEnrollment Token
that appear in Kibana to the corresponding fields in the ARM Template, then click Review + create. - (Optional) Change the
Resource Group Name
parameter. Otherwise, the name of the resource group defaults to a timestamp prefixed withcloudbeat-
.
-
Return to Kibana and wait for the confirmation of data received from your new integration. Then you can click View Assets to see your data.
Manual setup
For manual setup, multiple authentication methods are available:
- Managed identity (recommended)
- Service principal with client secret
- Service principal with client certificate
Option 1: Managed identity (recommended)
This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing Elastic Agent on it.
- Go to the Azure portal to create a new Azure VM.
- Follow the setup process, and make sure you enable System assigned managed identity under the Management tab.
- Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
- Go to Access control (IAM), and select Add Role Assignment.
- Select the
Reader
role, assign access to Managed Identity, then select your VM.
After assigning the role:
- Return to the Add CSPM page in Kibana.
- Under Configure integration, select Azure. Under Setup access, select Manual.
- Under Where to add this integration, select New hosts.
- Click Save and continue, then follow the instructions to install Elastic Agent on your Azure VM.
Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
Option 2: Service principal with client secret
Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.
- On the Add Cloud Security Posture Management (CSPM) integration page, scroll to the Setup access section, then select Manual.
- Under Preferred manual method, select Service principal with Client Secret.
- Go to the Registered apps section of Microsoft Entra ID.
- Click on New Registration, name your app and click Register.
- Copy your new app's
Directory (tenant) ID
andApplication (client) ID
. Paste them into the corresponding fields in Kibana. - Return to the Azure portal. Select Certificates & secrets, then go to the Client secrets tab. Click New client secret.
- Copy the new secret. Paste it into the corresponding field in Kibana.
- Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
- Go to Access control (IAM) and select Add Role Assignment.
- Select the
Reader
function role, assign access to User, group, or service principal, and select your new app. - Return to the Add CSPM page in Kibana.
- Under Where to add this integration, select New hosts.
- Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.
Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.
Option 3: Service principal with client certificate
Before using this method, you must have set up a Microsoft Entra application and service principal that can access resources.
- On the Add Cloud Security Posture Management (CSPM) integration page, under Setup access, select Manual.
- Under Preferred manual method, select Service principal with client certificate.
- Go to the Registered apps section of Microsoft Entra ID.
- Click on New Registration, name your app and click Register.
- Copy your new app's
Directory (tenant) ID
andApplication (client) ID
. Paste them into the corresponding fields in Kibana. - Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM.
- Go to Access control (IAM) and select Add Role Assignment.
- Select the
Reader
function role, assign access to User, group, or service principal, and select your new app.
Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate.
Create a pkcs12 certificate, for example:
# Create PEM file
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Create pkcs12 bundle using legacy flag (CLI will ask for export password)
openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem
Create a PEM certificate, for example:
# Generate certificate signing request (csr) and key
openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr
# Generate PEM and self-sign with key
openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem
# Create bundle
cat cert.key > bundle.pem
cat signed.pem >> bundle.pem
- Return to Azure.
- Navigate to the Certificates & secrets menu. Select the Certificates tab.
- Click Upload certificate.
- If you're using a PEM certificate that was created using the example commands above, upload
signed.pem
. - If you're using a pkcs12 certificate that was created using the example commands above, upload
cert.pem
.
- If you're using a PEM certificate that was created using the example commands above, upload
- Upload the certificate bundle to the VM where you will deploy Elastic Agent.
- If you're using a PEM certificate that was created using the example commands above, upload
bundle.pem
. - If you're using a pkcs12 certificate that was created using the example commands above, upload
bundle.p12
.
- If you're using a PEM certificate that was created using the example commands above, upload
- Return to the Add CSPM page in Kibana.
- For Client Certificate Path, enter the full path to the certificate that you uploaded to the host where you will install Elastic Agent.
- If you used a pkcs12 certificate, enter its password under Client Certificate Password.
- Under Where to add this integration, select New hosts.
- Click Save and continue, then follow the instructions to install Elastic Agent on your selected host.
Wait for the confirmation that Kibana received data from your new integration. Then you can click View Assets to see your data.