This section describes how securiCAD can be used to analyse your Azure environments. In short, foreseeti's collector gathers data from the Azure environment, and that data is then used to perform attack simulations in the securiCAD Enterprise software.
The collector script uses the public Azure APIs to create a representation of the infrastructure. Once it completes, the result is available as a file in JSON format. The collector script is available here.
To collect the Azure infrastructure configuration needed for creating a securiCAD model (digital twin), a Reader role needs to be added in the Azure subscription; the SDK then uses that identity to fetch the configuration. You can do that using an Azure app registration.
The extractor program needs to run as a security principal that has been assigned the Reader role at subscription level in order to extract your environment. We suggest that you either register a new application under App registrations in Azure Active Directory to create a new Service Principal, or assign a system-assigned Managed Identity to an Azure virtual machine (possibly the same machine running securiCAD Enterprise), and give that security principal the permission. The first option is required if you are running the collector locally.
- In the Azure console, create a new App Registration and give it a suitable name, e.g.
- Supported account types should be Accounts in this organizational directory only.
- Collect the individual keys the fetcher needs to access the Azure APIs. The image below shows the different keys you need. You also need to create a Client Secret.
- Creating the Client Secret
First go into client credentials shown here:
Then create a new client secret as shown here:
The keys generated should then be stored in a secure place for further use.
Ideally, the collector should also be allowed to read the members of the Active Directory groups that have an IAM assignment within the Azure cloud. This lets the model connect the security principals that belong to the group within the model. To do this, click API permissions on the App Registration dashboard and grant the GroupMember.Read.All permission via Add a permission > Microsoft Graph > Application permissions > GroupMember.Read.All. Note that an Active Directory admin will have to approve (grant admin consent to) this permission for it to take effect.
Next, collect all the keys in one place and keep them safe since you now can extract the information on your Azure environment with them.
The keys needed for extraction are Subscription ID, Directory (Tenant) ID, Application Registration Client ID and Secret.
They will then be prepared in a bash script file like this:

```bash
export AZURE_SUBSCRIPTION_ID='xxx'
export AZURE_TENANT_ID='xxx'
export AZURE_CLIENT_ID='xxx'
export AZURE_CLIENT_SECRET='xxx'
```
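As an added pre-flight check (example code, not part of the collector or the original page), the script below confirms that the exported credentials can obtain an ARM token and that the service principal holds exactly the built-in Reader role at subscription scope, i.e. neither too narrow (a resource group) nor broader than the collector needs. It assumes one extra variable not mentioned above, AZURE_PRINCIPAL_OBJECT_ID, the service principal's object ID (distinct from the client ID).

```python
import json
import os
import urllib.parse
import urllib.request

# Built-in "Reader" role definition GUID; the same in every Azure tenant.
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
ARM = "https://management.azure.com"

def get_token(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials grant against the tenant's v2.0 token endpoint."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret,
                                   "scope": f"{ARM}/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def list_role_assignments(token, subscription_id):
    """Role assignments visible at subscription scope (ARM REST API)."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
           "/roleAssignments?api-version=2022-04-01")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def has_subscription_reader(assignments, subscription_id, principal_object_id):
    """True only if the principal holds the built-in Reader role scoped to the whole
    subscription: a resource-group scope is too narrow for the collector, and a
    broader role such as Contributor is more than the collector needs."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    for a in assignments:
        p = a.get("properties", {})
        if (p.get("principalId") == principal_object_id
                and p.get("roleDefinitionId", "").lower().endswith(READER_ROLE_ID)
                and p.get("scope", "").lower() == sub_scope):
            return True
    return False

if __name__ == "__main__":
    env = os.environ  # populated by the export lines in the bash script above
    token = get_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
    sub = env["AZURE_SUBSCRIPTION_ID"]
    # AZURE_PRINCIPAL_OBJECT_ID is an assumed extra variable: the service principal's
    # object ID (Enterprise applications blade), which is not the same as the client ID.
    found = has_subscription_reader(list_role_assignments(token, sub), sub,
                                    env["AZURE_PRINCIPAL_OBJECT_ID"])
    print("Reader at subscription scope:", found)
```

Run it after sourcing the bash script; a False result means the collector will fail to read the subscription or is running with more privilege than required.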
The securiCAD Azure collector collects environment information from the Azure APIs and stores the result in a JSON file. To gain access to the Azure APIs, the securiCAD Azure Collector needs to be configured with the credentials of the Reader App Registration described above.
Clone the securicad-azure-collector repository with git:
$ git clone https://github.com/foreseeti/securicad-azure-collector
Install the securicad-azure-collector with pip:
$ pip install securicad-azure-collector
Below are a few examples of how to run the securiCAD Azure Collector. The script stores the collected data in a file named active_directory.json. Find more examples and options here.