What the Azure script does

The script sets up Sophos Cloud Optix so that it can receive data from your Microsoft Azure environment.

It enables Sophos Cloud Optix to receive data for your Azure subscriptions, users, groups, and policies in Microsoft Entra ID, as well as flow log data. The script does as follows:

  1. Creates a Microsoft Entra ID application and a Microsoft Azure service principal, and assigns the Reader role to the service principal for all subscriptions (or individual subscriptions if you specify them when running the script). The following attributes are created or assigned:

    Microsoft Entra ID application name: AvidSecure Monitor App 999x9
    Service principal: A security identity used by applications or services to access specific Microsoft Azure resources. This acts as a user identity (username and password or certificate) for an application.
    Role: Reader
    Role permissions: The Reader role allows the Microsoft Entra ID application to read data in your organization or school directory, including users, groups, policies, and applications. This role provides read-only access and doesn't allow any changes.

    The Reader role is also assigned at the root level for the Microsoft Entra ID (AAD) and Intune resource providers, allowing read-only access to directory and Intune configuration data.

  2. Assigns permissions to the Microsoft Entra ID application (AvidSecure Monitor App 999x9) for each Microsoft Azure subscription. This enables Sophos Cloud Optix to read the FlowLogs Enabled status for all virtual networks (VNets). The following attributes are used:

    Role name: AvidFlowLogsReader + <first 8 characters of subscription id without '-'>
    Permission: Microsoft.Network/networkWatchers/queryFlowLogStatus/action

  3. Enables the Microsoft.Insights resource provider, which is required before flow logs can be turned on.

  4. For each Microsoft Azure subscription, the script then does as follows:

    1. Creates a Network Watcher custom role, which is assigned to a Microsoft Azure Function that Sophos Cloud Optix creates. This enables the export of flow logs for current VNets and new VNets that are created in selected regions. The setup includes enabling flow logs in Network Watcher, and creating Storage Accounts and a Microsoft Azure Function App, to export flow logs to Sophos Cloud Optix.

      Note

      The Microsoft Azure Function that uses the AvidNetWatcher role with these permissions is within your Microsoft Azure environment. Once created, Sophos does not own or control it.

      The attributes used to create the role are as follows:

      Role name: AvidNetWatcher + <first 8 characters of subscription id without '-'>
      Purpose: This role can configure flow logs, list storage and VNet resources, create or delete storage accounts, list keys, and create or delete Microsoft Azure Functions.

      These permissions are required to automatically create and remove the resources needed to export flow logs to Sophos Cloud Optix, when new VNets are created and removed in your environment.

      Permissions:
        Microsoft.Authorization/*/Read
        Microsoft.Storage/storageAccounts/listServiceSas/Action
        Microsoft.Storage/storageAccounts/*/Write
        Microsoft.Compute/virtualMachines/Read
        Microsoft.Compute/virtualMachines/Write
        Microsoft.Compute/virtualMachines/Delete
        Microsoft.Compute/virtualMachines/extensions/Read
        Microsoft.Compute/virtualMachines/extensions/Write
        Microsoft.Compute/virtualMachines/extensions/Delete
        Microsoft.Compute/virtualMachineScaleSets/Read
        Microsoft.Compute/virtualMachineScaleSets/Write
        Microsoft.Compute/virtualMachineScaleSets/Delete
        Microsoft.Compute/virtualMachineScaleSets/extensions/Read
        Microsoft.Compute/virtualMachineScaleSets/extensions/Write
        Microsoft.Compute/virtualMachineScaleSets/extensions/Delete
        Microsoft.Insights/alertRules/*
        Microsoft.Support/*
        Microsoft.Network/*/read
        Microsoft.Storage/*/read
        Microsoft.Storage/storageAccounts/write
        Microsoft.Storage/storageAccounts/Delete
        Microsoft.Resources/deployments/*
        Microsoft.Web/sites/functions/*
        Microsoft.Storage/storageAccounts/listkeys/action
        Microsoft.Resources/subscriptions/resourceGroups/*
        Microsoft.Resources/deployments/operations/*
        Microsoft.Web/serverfarms/write
        Microsoft.Web/serverfarms/delete
        Microsoft.Web/sites/write
        Microsoft.Web/sites/delete
        Microsoft.Web/*/read
        Microsoft.Web/sites/sourcecontrols/write
        Microsoft.Web/sites/sourcecontrols/delete
        Microsoft.Network/*/action
        Microsoft.Network/*/write
        Microsoft.Compute/*/action
        Microsoft.Compute/*/delete
        Microsoft.Compute/*/write

    2. Creates a Function Trigger custom role. This allows Sophos Cloud Optix to synchronize the triggers of the Activity and Flow log functions. The following attributes are used:

      Name: AvidFunctionTrigger + <first 8 characters of subscription id without '-'>
      Permission: microsoft.web/sites/syncfunctiontriggers/action
      Scope: subscriptions/<SubscriptionId>/resourceGroups/avidflowlogsgroup

    3. Creates a resource group for the subscription with the following attributes:

      Name: avidflowlogsgroup
      Usage: The Sophos Cloud Optix script creates all the necessary resources, for example storage accounts or function apps, under this resource group, for ease of management and removal, if required.

    4. Creates a storage account to export activity logs for the subscription as follows:

      Name: avidact + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>
      Retention policy: A one-day retention policy is assigned to the storage account.

    5. Turns on a Microsoft Azure Network Watcher for each region to enable flow logs for all VNets in that region. The region list is obtained from Microsoft Azure APIs or the regions selected by the customer.

    6. Creates an Activity Log monitor with the following attributes:

      Name: AvidActivityLogCollector
      Purpose: Azure Log Monitor archives Activity Logs to a Microsoft Azure storage account.

    7. Creates a function app to send Activity Logs from the Microsoft Azure storage account mentioned above to Sophos Cloud Optix. A function app is also created for each selected region to send that region's flow logs. The Activity Log function app has the following attributes:

      Name: AvidActivityLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>
      Behavior: This checks every 5 minutes for the resources required to export flow logs. It enables the resources if necessary. It checks whether VNets have flow logs enabled and checks for the presence of the required storage account. If required, the following attributes are used to create these resources:

      Function names use the format: AvidFlowLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + <4-character region code>

      Storage Account names use the format: avi + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + <4-character region code>

    8. Creates a managed identity for the Activity Log function app. A managed identity enables Microsoft Azure resources to authenticate to cloud services without storing credentials in code.

    9. Assigns the Network Watcher role described earlier in this document to the Activity Log function app.
  5. Adds all Microsoft Azure AKS clusters to Sophos Cloud Optix, if this option is selected in Sophos Cloud Optix. For each AKS cluster, the script creates a service account called avid-service-account in the default namespace. The script creates a custom ClusterRole and ClusterRoleBinding, assigns the role to the service account, and sends the service account credentials to Sophos Cloud Optix.

  6. Sends the subscription name, the subscription ID, the tenant ID, and the encrypted key for the AD application, to ClusterRole and ClusterRoleBinding. This adds the environment to the service.
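The naming rules and the AvidNetWatcher permission list above lend themselves to an after-the-fact check of what the script left behind in a subscription. The following Python is an added example, not part of the Sophos script or its documentation: it derives the resource names the page documents from a subscription ID and customer ID, and diffs a role definition (in the JSON shape that `az role definition list` returns) against the documented permission set, so that any extra action shows up as privilege drift and any missing one as a broken export. The GUIDs and the sample role definition are constructed.

```python
# Permission list documented on this page for the AvidNetWatcher custom role.
DOCUMENTED_NETWATCHER_ACTIONS = {p.strip() for p in """
Microsoft.Authorization/*/Read; Microsoft.Storage/storageAccounts/listServiceSas/Action; Microsoft.Storage/storageAccounts/*/Write;
Microsoft.Compute/virtualMachines/Read; Microsoft.Compute/virtualMachines/Write; Microsoft.Compute/virtualMachines/Delete;
Microsoft.Compute/virtualMachines/extensions/Read; Microsoft.Compute/virtualMachines/extensions/Write;
Microsoft.Compute/virtualMachines/extensions/Delete; Microsoft.Compute/virtualMachineScaleSets/Read;
Microsoft.Compute/virtualMachineScaleSets/Write; Microsoft.Compute/virtualMachineScaleSets/Delete;
Microsoft.Compute/virtualMachineScaleSets/extensions/Read; Microsoft.Compute/virtualMachineScaleSets/extensions/Write;
Microsoft.Compute/virtualMachineScaleSets/extensions/Delete; Microsoft.Insights/alertRules/*; Microsoft.Support/*;
Microsoft.Network/*/read; Microsoft.Storage/*/read; Microsoft.Storage/storageAccounts/write; Microsoft.Storage/storageAccounts/Delete;
Microsoft.Resources/deployments/*; Microsoft.Web/sites/functions/*; Microsoft.Storage/storageAccounts/listkeys/action;
Microsoft.Resources/subscriptions/resourceGroups/*; Microsoft.Resources/deployments/operations/*; Microsoft.Web/serverfarms/write;
Microsoft.Web/serverfarms/delete; Microsoft.Web/sites/write; Microsoft.Web/sites/delete; Microsoft.Web/*/read;
Microsoft.Web/sites/sourcecontrols/write; Microsoft.Web/sites/sourcecontrols/delete; Microsoft.Network/*/action;
Microsoft.Network/*/write; Microsoft.Compute/*/action; Microsoft.Compute/*/delete; Microsoft.Compute/*/write
""".split(";") if p.strip()}
# Azure matches action strings case-insensitively (the page mixes Read/read): compare lowercased, report documented spelling.
_DOC_BY_LOWER = {a.lower(): a for a in DOCUMENTED_NETWATCHER_ACTIONS}

def short_id(guid: str) -> str:
    """First 8 characters of a GUID with '-' removed (the page's naming rule)."""
    return guid.replace("-", "")[:8]

def expected_names(subscription_id: str, customer_id: str, region_code: str = "") -> dict:
    """Resource names the script is documented to create for one subscription."""
    s, c = short_id(subscription_id), short_id(customer_id)
    names = {"flowlogs_reader_role": "AvidFlowLogsReader" + s,
             "netwatcher_role": "AvidNetWatcher" + s,
             "function_trigger_role": "AvidFunctionTrigger" + s,
             "resource_group": "avidflowlogsgroup",
             "activity_storage_account": "avidact" + s + c,
             "activity_function_app": "AvidActivityLogs" + s + c}
    if region_code:  # per-region flow log resources (4-character region code)
        names["flowlogs_function_app"] = "AvidFlowLogs" + s + c + region_code
        names["flowlogs_storage_account"] = "avi" + s + c + region_code
    return names

def audit_netwatcher_role(role_def: dict, subscription_id: str) -> dict:
    """Diff a role definition (JSON shape of `az role definition list`) against the
    documented list: extra actions are privilege drift, missing ones break export."""
    actions = {a for p in role_def.get("permissions", []) for a in p.get("actions", [])}
    have = {a.lower() for a in actions}
    return {"name_ok": role_def.get("roleName") == "AvidNetWatcher" + short_id(subscription_id),
            "extra": sorted(a for a in actions if a.lower() not in _DOC_BY_LOWER),
            "missing": sorted(v for k, v in _DOC_BY_LOWER.items() if k not in have)}

# Constructed sample: a definition carrying one action the page does not list.
SAMPLE_ROLE_DEF = {"roleName": "AvidNetWatcher12345678", "roleType": "CustomRole",
                   "permissions": [{"actions": ["Microsoft.Authorization/*/read", "Microsoft.Network/*/read",
                                                "Microsoft.KeyVault/vaults/secrets/read"], "notActions": []}]}
```

Feed it the output of `az role definition list --custom-role-only true` for the subscription and the returned `extra` list is what to investigate first.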

When the script has finished, a URL is provided in the format: https://login.microsoftonline.com/(tenantId)/adminConsent?client_id=(appId).

Visit this URL to authorize read-only access for Sophos Cloud Optix so that AD user and group information can be included in your inventory.

The script then sends an installation log file to Sophos Cloud Optix.