Integrating with Azure

A short step-by-step guide for integrating Azure into securiCAD

This section describes how securiCAD can be used to analyze your Azure environments. In short, securiCAD can analyze your Azure environment by collecting data from the environment which is then used to perform attack simulations in the securiCAD Enterprise software.

Azure Reader App Registration

To collect the Azure infrastructure configuration needed to create a securiCAD model (digital twin), an Azure reader role must be added in the Azure subscription; the SDK then uses it to fetch the configuration. You can set this up with an Azure app registration.

  1. In the Azure console, create a new App Registration and give it a suitable name, e.g. securicad-data-extractor.
  2. Supported account types should be Accounts in this organizational directory only.
  3. Collect the individual keys for the fetcher to be able to access the Azure APIs. The image below shows the different keys you need. You also need to create a Client Secret.
  4. Creating the Client Secret

First go into client credentials shown here:

Then, create New client secret as shown here:

The keys generated should then be stored in a secure place for further use.

Collecting the Azure environment configuration

Next, collect all the keys in one place and keep them safe, since anyone holding them can extract information about your Azure environment.

The keys needed for extraction are Subscription ID, Directory (Tenant) ID, Application Registration Client ID and Secret.

Put them in a bash script file like this:

export AZURE_SUBSCRIPTION_ID='xxx'
export AZURE_TENANT_ID='xxx'
export AZURE_CLIENT_ID='xxx'
export AZURE_CLIENT_SECRET='xxx'
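
A pre-flight check for that file, as an added example that is not part of the original guide or of securicad-azure-collector: it refuses a file that group or others can access, and rejects placeholder or malformed values before the secret is loaded. The function names, the file path and the "Secret ID pasted instead of the secret Value" heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of securicad-azure-collector. Function names and the
# file path are assumptions. Usage: check_azure_env ./azure_env.sh && . ./azure_env.sh

GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

is_guid() { printf '%s\n' "$1" | grep -Eq "$GUID_RE"; }

# Succeeds only if group and others have no access to the file.
private_mode() {
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1: mode $mode is too open; chmod 600 it" >&2; return 1 ;;
    esac
}

# check_azure_env FILE: returns 0 if FILE is private and holds plausible values.
# FILE must contain a slash (e.g. ./azure_env.sh) so "." does not search PATH.
check_azure_env() {
    private_mode "$1" || return 1
    (   # subshell: nothing from FILE leaks into the caller's environment
        unset AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET
        . "$1" >/dev/null 2>&1 || exit 1
        rc=0
        # Subscription, tenant and client IDs are GUIDs
        for name in AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID; do
            eval "value=\${$name:-}"
            is_guid "$value" || { echo "$name is not a GUID" >&2; rc=1; }
        done
        secret=${AZURE_CLIENT_SECRET:-}
        if [ -z "$secret" ] || [ "$secret" = xxx ]; then
            echo "AZURE_CLIENT_SECRET is unset or still the placeholder" >&2; rc=1
        elif is_guid "$secret"; then
            # Heuristic: a GUID here is probably the Secret ID, not the secret Value
            echo "AZURE_CLIENT_SECRET looks like a Secret ID, not the Value" >&2; rc=1
        fi
        exit "$rc"
    )
}
```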

Generating (downloading) the Azure configuration data

The securiCAD Azure Collector collects environment information from the Azure APIs and stores the result in a JSON file. To gain access to the Azure APIs, the securiCAD Azure Collector needs to be configured with the credentials of the reader App Registration described above.

Install the securicad-azure-collector using git:

$ git clone https://github.com/foreseeti/securicad-azure-collector

Install the securicad-azure-collector with pip:

$ pip install securicad-azure-collector

Below are a few examples of how to run the securiCAD Azure Collector. The script stores the collected data in a file named active_directory.json. Find more examples and options here.

securiCAD Enterprise

The resulting JSON file can be uploaded into securiCAD Enterprise either directly or by using the securiCAD Enterprise SDK.