From d0809ab5dc709686ea13cf6f81cde34703d497d1 Mon Sep 17 00:00:00 2001
From: jenjoe22 <110043374+jenjoe22@users.noreply.github.com>
Date: Fri, 17 Jan 2025 13:25:43 -0600
Subject: [PATCH] 1-1-updates (#1032)

* 1-1-updates
* new perm queries
* iz feedback
* iz comment
---
 ...ed-to-calculate-effective-permissions.adoc | 15 +++++-
 .../permissions-query-attributes.adoc | 48 +++++++++++++++++++
 2 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/context-used-to-calculate-effective-permissions.adoc b/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/context-used-to-calculate-effective-permissions.adoc
index 1a46ec52ed..1a2e79ee7b 100644
--- a/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/context-used-to-calculate-effective-permissions.adoc
+++ b/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/context-used-to-calculate-effective-permissions.adoc
@@ -288,6 +288,7 @@ See xref:what-is-prisma-cloud-iam-security.adoc[What is Prisma Cloud IAM Securit
 The following Azure permission levels are supported:
+* Entra ID
 * Management Group
 * Subscription
 * Resources
@@ -301,9 +302,19 @@ When you define permissions there are several IAM concepts that you can specify.
 Prisma Cloud requires additional permissions to display the above-mentioned permission levels. If you are new to Prisma Cloud and used a Terraform template for xref:../connect/connect-cloud-accounts/connect-azure-account.adoc[Azure account onboarding] no additional action is required, since the template includes these permissions. If you have already associated Prisma Cloud with your Azure account, you have the option to rerun the Terraform template or manually add the required permissions.
+==== Enable Access Management for Azure Entra ID
+
+If your Azure deployment uses Azure Entra ID, follow the steps below to enable access:
+
+. Sign in to the Azure portal as a Global Administrator in Azure AD.
+. Open Microsoft Entra ID (formerly Azure Active Drectory).
+. Select *Manage > Properties*
+. Under *Access management for Azure resources*, set the toggle to Yes.
+. Click *Save*.
+
 ==== Manually add permissions for Azure Management Groups
-If your Azure deployment uses management groups, follow the steps below to manually add the screen:[Microsoft.Management/managementGroups/descendants/read] permission:
+If your Azure deployment uses management groups, follow the steps below to manually add the `Microsoft.Management/managementGroups/descendants/read` permission:
 . On your Azure account portal, navigate to the Management group.
 . Select the *Tenant/Root Management Group > Access Control (IAM)*.
@@ -311,7 +322,7 @@ If your Azure deployment uses management groups, follow the steps below to manua
 ==== Manually add permissions for Azure Management Groups
-If your Azure deployment uses subscriptions, follow the steps below to manually add the screen:[Microsoft.Resources/subscriptions/read] permission:
+If your Azure deployment uses subscriptions, follow the steps below to manually add the `Microsoft.Resources/subscriptions/read` permission:
 . On your Azure account portal, navigate to the Subscription group.
 . Select the Subscription for which you wish to ingest tags.
diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc
index ea22a36623..ebfdf56dc9 100644
--- a/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc
+++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/permissions-queries/permissions-query-attributes.adoc
@@ -55,6 +55,46 @@ Lists permissions of all Azure virtual machine instances in any of your Azure su
 config from iam where source.cloud.accountgroup = 'All my Azure accounts' AND source.cloud.service.name = 'Microsoft.Compute' AND source.cloud.resource.type = 'virtualMachines'
 ----
+* *source.cloud.azure.user.isAppRegistrationOwner*
++
+Identifies user accounts that owns an Entra ID service account with the permission to add members to a group with admin privileges at the subscription/management group level:
++
+----
+config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationOwner = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
+----
+
+* *source.cloud.azure.user.isAppRegistrationAdmin*
++
+Identifies user accounts Entra ID service account administration privileges including permission to add members to a group with admin privileges at the subscription/management group level:
++
+----
+config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationAdmin = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
+----
+
+* *source.cloud.azure.user.canImpersonateAppReg*
++
+Identifies Entra ID users that can impersonate an Entra ID application with the permission to add members to a group with admin privileges at the subscription/management group level:
++
+----
+config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.canImpersonateAppReg = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
+----
+
+* *source.cloud.azure.servicePrincipal.has.machineAttached*
++
+Identifies Virtual Machines assigned with `System Managed Identity` or `User Managed Identity` and Azure Active Directory permissions:
++
+----
+config from iam where source.cloud.type = 'AZURE' AND source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type ='virtualMachines' AND action.name IN ('GroupMember.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'RoleManagement.ReadWrite.Directory')
+----
+
+* *source.cloud.azure.servicePrincipal.isGraphAdmin*
++
+Identifies user/system managed identities connected to a Virtual Machine or any other Compute resource with the permission to create credentials for a registered application with Microsoft Graph API permissions:
++
+----
+config from iam where source.cloud.type = 'AZURE' AND source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type ='virtualMachines' and grantedby.cloud.entity.type = 'AppRegistration' and grantedby.cloud.policy.type = 'Microsoft Graph' and action.name in ('Files.Read.All', 'Files.ReadWrite.All','Sites.Read.All','Sites.ReadWrite.All','Sites.FullControl.All','Sites.Selected','Mail.ReadWrite','Mail.Read')
+----
+
 * *source.cloud.type*
 +
 Narrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:
@@ -441,6 +481,14 @@ Queries permissions to a specific cloud service such as AWS Lambda function, AWS
 ----
 config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'
 ----
+//added for RLP-153639 on hold as of 12/19
+//* *dest.cloud.resource.grantedbylevel*
+//+
+//Queries `grantedbyLevel` for groups as a destination resource to help identify groups with permissions on Management/Subscription levels:
+//+
+//----
+//config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationOwner = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
+//----
 * *dest.cloud.resource.id*
 +