ASM Azure Integration

🚧

Special privileges required

This feature is only available to ASM administrators.

ℹ️

This integration is not currently supported for Azure Government users.

With Azure, Attack Surface Management (ASM) retrieves public virtual machine (VM) instances, public DNS zones, and Blob Storage resources. For Blobs, ASM checks whether they are publicly accessible and creates the relevant issues. This gives a more thorough view of your inventory.

ℹ️

Only one Azure integration is allowed per Project in ASM.

Adding this integration requires three steps:

  1. Give ASM access to Azure
  2. Add role assignment for ASM in Azure
  3. Connect the integration to the appropriate Collection

Give ASM access to Azure

  1. From the Projects and Settings menu in ASM, select the appropriate Project, then click Account Settings.
  2. Click Integrations.
  3. Next to Azure, click Add New.
  4. Click Connect.

The system redirects you to the Microsoft sign-in page.

  5. Authenticate using an account that has privileges to add an application to the Azure account.
  6. When authentication is complete, you see a Microsoft screen requesting permission for Mandiant ASM to access your Azure instance.
  7. Click Accept and the system redirects you back to ASM.

Add role assignment for ASM in Azure

Role assignment can be performed for specific resource groups, or all resource groups in a subscription. This includes any future resource groups that may be added to a subscription. For role assignment, sign in to the Azure Portal and perform the following actions:

ℹ️

The following screenshots depict the role assignment workflow for resource groups but the process is the same for subscriptions.

  1. Browse to Resource groups (or Subscriptions) within Microsoft Azure.
  2. For each resource group (or subscription) that you would like to allow ASM to pull data from, perform the following actions:
    1. Click the respective resource group (or subscription).
    2. Click Access control (IAM).
  3. Within the Access control (IAM) menu, click Add and select Add role assignment.
  4. Under Role, choose the Reader role for view-only access. Click Next.
  5. On the Members screen, choose the following options:
    1. Assign access to: User, group, or service principal.
    2. Click + Select members. When the Select members menu opens, search for and select Mandiant ASM.
    3. Click Select.
  6. Click Review + assign.
  7. Ensure that all the information in the Review + assign section is correct and click Review + assign.
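
As an added example that is not part of the original page or of the ASM product, the following Python script audits the JSON returned by `az role assignment list --assignee <app-id> --all -o json` to confirm that the Mandiant ASM service principal holds only the Reader role, and only at subscription or resource-group scope, flagging anything broader. The embedded assignment data, subscription IDs and resource group names are constructed placeholders.

```python
import json
import re

# Constructed sample in the shape returned by
#   az role assignment list --assignee <app-id> --all -o json
# Subscription IDs and resource group names are placeholders, not real values.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "Mandiant ASM", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-web"},
    {"principalName": "Mandiant ASM", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-data"},
    {"principalName": "Mandiant ASM", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"principalName": "Mandiant ASM", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
])

# Accept only the two scope levels the procedure above assigns:
# a whole subscription, or a single resource group inside one.
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})(?:/resourceGroups/(?P<rg>[^/]+))?$",
    re.IGNORECASE,
)


def audit_asm_assignments(raw_json, principal_name="Mandiant ASM", expected_role="Reader"):
    """Return (ok, findings): human-readable lines for assignments that match
    the expected role and scope level, and for those that exceed it."""
    ok, findings = [], []
    for a in json.loads(raw_json):
        if a.get("principalName") != principal_name:
            continue  # not the integration's service principal
        m = SCOPE_RE.match(a.get("scope", ""))
        if not m:
            findings.append(f"unexpected scope {a['scope']!r}: broader than a subscription")
            continue
        level = "subscription" if m.group("rg") is None else f"resource group {m.group('rg')}"
        role = a.get("roleDefinitionName")
        if role == expected_role:
            ok.append(f"{role} on {level} in {m.group('sub')}")
        else:
            findings.append(f"{role} on {level} in {m.group('sub')} exceeds {expected_role}")
    return ok, findings


if __name__ == "__main__":
    good, bad = audit_asm_assignments(SAMPLE_ASSIGNMENTS)
    print("\n".join(["OK: " + g for g in good] + ["FINDING: " + b for b in bad]))
```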

Connect the integration to the appropriate Collection

  1. Click Collections, then click Collection Settings for the Collection that you want to connect the integration to.
  2. Select the Integrations tab.
  3. Select Connect Integration and link the integration.

The integration is immediately added to the Collection.

💡

Click to remove the integration from this Collection.

  4. Click to close the Connect Integration pane. Click Scan Collection to update your Collection with the current settings and integrations. Otherwise, your newly configured integration is incorporated at your regularly scheduled scan interval.

Repeat the same steps for each resource group or subscription you would like ASM to access.