Onboard CDR for Azure

Connecting Qualys to your Azure account(s) is the first step to protecting your cloud with Qualys Agentless Runtime Cloud Security powered by Deep Learning AI. 

Begin your CDR journey for Azure by following the steps below.

Deployment  

You can deploy the Qualys for Azure Terraform module in your Azure environment. The module deploys:  
•    An Azure AD Application with the role of Security Reader. The application provides Qualys access to scan for cloud resource and service misconfigurations, sub-optimal security policies, etc.
•    An Azure Function that ingests NSG Flow Logs and Azure Activity Logs and sends them to the Qualys SaaS portal for analytics.

You must have Azure administrator or equivalent credentials for the subscriptions you wish to protect to complete the steps below.  

Prerequisites  

Azure Cloud Shell already has the tool prerequisites installed and may be the preferred environment to deploy the Terraform module below. You can skip to this step if you use Azure Cloud Shell.  
Install the following prerequisites for your platform (Windows, Mac, Linux).  

Terraform  

Create and manage the Qualys for Azure infrastructure. Download link.

Azure CLI  

Deploy the infrastructure to your Azure subscription.   Download link.

Azure Function

Deploy the log processor Azure Function.  Download link.

Python

Install Python to your system.  Download link.  

NSG Flow Logs Delivered to Storage Account Blob  

Qualys ingests NSG Flow Logs from an Azure storage account blob container in the same region where the Terraform module is deployed below (see the location variable in terraform.tfvars). There are a couple of different ways to enable Flow Logs, both of which require creating an Azure storage account.

1.    Create an Azure storage account by following the steps here. 
2.    Enable NSG Flow Logs for all your network security groups.

  • Method 1: Enable flow logs for each network security group as described here.
  • Method 2: Use the built-in Azure Policy to enable flow logs automatically for all network security groups as described here.

Azure Activity Logs Delivered to Storage Account Blob  

Qualys CDR ingests Azure Activity Logs from an Azure storage account blob container in the same region where the Terraform module is deployed below (see the location variable in terraform.tfvars). To deliver Azure Activity Logs to a storage account:  

  1. Create an Azure storage account by following the steps here. 
  2. Enable Activity Logs and send them to the storage account by following the steps here.

Deploy Terraform Module  

The most convenient way to deploy the Terraform module is via Azure Cloud Shell using a bash terminal.  
Step 1: Launch Cloud Shell.  

Step 2: Log in to your Azure account by running az login.

Step 3: Download the Terraform module qualys_azure.zip from here, and upload it to Cloud Shell.  

Step 4: Unzip qualys_azure.zip, and enter the password provided by your Qualys Technical Account Representative to extract the archive. 


Step 5: Modify terraform.tfvars, specifically modifying the following variables:  

  • Project and Environment can be named per your enterprise application naming conventions. Note that Azure naming conventions and character limits will apply; it is recommended to keep these variables short, with only lowercase letters and numbers.  
  • The 'location' is set to the region in which you wish to deploy Qualys CDR, e.g. westus2.  
  • The 'bh_license' is set to the Azure SaaS license from Qualys.  
  • The 'Flow_logs_storage_connection_string' is set to the connection string for the Azure storage account where NSG Flow Logs are delivered. See screenshot below for where you can find the connection string. Leave this blank "" if you do not wish to process flow logs.  

Step 6: Run the following commands to deploy the module in each Azure subscription as needed. 

terraform init  
terraform apply -auto-approve  

Step 7: If terraform apply runs successfully, and the created application registers with Qualys, you should see the following output


To destroy the module and delete the Qualys security application and log processor, run:  

terraform destroy  
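
An added example, not part of the Qualys module or its documentation: a POSIX shell pre-flight check to run before Step 6 that validates terraform.tfvars against the constraints in Step 5. The lowercase variable names, the helper names (tfvar, check_tfvars, sample_tfvars) and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of terraform.tfvars before `terraform apply`.
# Variable names are Step 5's, lowercased (an assumption about the module).

# Constructed sample values, not real credentials.
sample_tfvars() {
  cat <<'EOF'
project     = "cdr"
environment = "prod"
location    = "westus2"
bh_license  = "CONSTRUCTED-LICENSE"
flow_logs_storage_connection_string = "DefaultEndpointsProtocol=https;AccountName=examplelogs;AccountKey=CONSTRUCTEDKEY;EndpointSuffix=core.windows.net"
EOF
}

# Print the double-quoted value assigned to variable $2 in file $1.
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Return 0 if file $1 passes; otherwise print each problem and return 1.
check_tfvars() {
  f=$1; rc=0
  for v in project environment location; do
    val=$(tfvar "$f" "$v")
    case $val in
      ''|*[!a-z0-9]*) echo "FAIL: $v must be lowercase letters and digits"; rc=1 ;;
    esac
  done
  [ -n "$(tfvar "$f" bh_license)" ] || { echo "FAIL: bh_license is empty"; rc=1; }
  cs=$(tfvar "$f" flow_logs_storage_connection_string)
  if [ -n "$cs" ]; then   # "" means flow logs are not processed
    case $cs in
      *DefaultEndpointsProtocol=http\;*|*=http://*)
        echo "FAIL: connection string uses plaintext http"; rc=1 ;;
    esac
    case $cs in
      *AccountKey=*|*SharedAccessSignature=*) : ;;
      *) echo "FAIL: connection string has no AccountKey or SharedAccessSignature"; rc=1 ;;
    esac
    # The string carries a storage credential, so the file must not be world-readable.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
      echo "FAIL: $f is world-readable and holds a storage credential"; rc=1
    fi
  fi
  return $rc
}
```

Source the script and run check_tfvars terraform.tfvars in the module directory. Because -auto-approve applies without a confirmation prompt, running terraform plan first shows what will be created.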

Verify and View Data in the Qualys CDR Portal

Once deployed, Qualys CDR will start the security audit of your Azure subscriptions and surface NSG Flow Logs records, insights, and security findings in the Qualys CDR portal. Information appears in the portal within a few to several minutes, depending on the size of your Azure environment.