What the Azure script does

The script sets up Sophos Cloud Optix so that it can receive data from your Microsoft Azure environment.

It enables Sophos Cloud Optix to receive data for your Azure subscriptions, and for users, groups, and policies in Microsoft Entra ID, as well as flow log data. The script does the following:

  1. Creates a Microsoft Entra ID application, then creates a Microsoft Azure service principal with it. It then assigns the Reader role to the service principal for all subscriptions (or for individual subscriptions if you specify them when running the script). Reader is a built-in role provided by Microsoft Azure. The application, service principal, and role have the following attributes:

    Microsoft Entra ID application name: AvidSecure Monitor App 999x9
    Service principal: A security identity used by applications or services to access specific Microsoft Azure resources. This acts as a user identity (username and password or certificate) for an application.
    Role name: Reader
    Role description: The Reader role allows the Microsoft Entra ID application to read data in your company or school directory, such as users, groups, policies, and apps. This role doesn't have permissions to make any changes.
    Permissions:

    • Directory.Read.All
    • Policy.Read.All

    When the script completes, it requests admin consent for these permissions.

  2. Assigns permissions to the Microsoft Entra ID application (AvidSecure Monitor App 999x9) for each Microsoft Azure subscription. This enables Sophos Cloud Optix to read the FlowLogs Enabled status for all Network Security Groups (NSGs). The following attributes are used:

    Role name: AvidFlowLogsReader + <first 8 characters of subscription id without '-'>
    Permission: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  3. Enables Microsoft.Insights, which is required to turn on flow logs.

  4. For each Microsoft Azure subscription, the script then does as follows:

    1. Creates a Network Watcher custom role, which is assigned to a Microsoft Azure Function that Sophos Cloud Optix creates. This enables the export of flow logs for current NSGs and new NSGs that are created in selected regions. The setup includes enabling flow logs in Network Watcher, and creating Storage Accounts and a Microsoft Azure Function App, to export flow logs to Sophos Cloud Optix.

      Note

      The Microsoft Azure Function that uses the AvidNetWatcher role with these permissions is within your Microsoft Azure environment. Once created, Sophos does not own or control it.

      The attributes used to create the role are as follows:

      Role name: AvidNetWatcher + <First 8 characters of subscription id without '-'>
      Description: This role can configure flow logs, list storage and NSG resources, create or delete storage accounts, list keys, and create or delete Microsoft Azure Functions. These permissions are required to automatically create and remove the resources needed to export flow logs to Sophos Cloud Optix, when new NSGs are created and removed in your environment.
      Permissions:

      • Microsoft.Authorization/*/Read
      • Microsoft.Storage/storageAccounts/listServiceSas/Action
      • Microsoft.Storage/storageAccounts/*/Write
      • Microsoft.Compute/virtualMachines/Read
      • Microsoft.Compute/virtualMachines/Write
      • Microsoft.Compute/virtualMachines/Delete
      • Microsoft.Compute/virtualMachines/extensions/Read
      • Microsoft.Compute/virtualMachines/extensions/Write
      • Microsoft.Compute/virtualMachines/extensions/Delete
      • Microsoft.Compute/virtualMachineScaleSets/Read
      • Microsoft.Compute/virtualMachineScaleSets/Write
      • Microsoft.Compute/virtualMachineScaleSets/Delete
      • Microsoft.Compute/virtualMachineScaleSets/extensions/Read
      • Microsoft.Compute/virtualMachineScaleSets/extensions/Write
      • Microsoft.Compute/virtualMachineScaleSets/extensions/Delete
      • Microsoft.Insights/alertRules/*
      • Microsoft.Support/*
      • Microsoft.Network/*/read
      • Microsoft.Storage/*/read
      • Microsoft.Storage/storageAccounts/write
      • Microsoft.Storage/storageAccounts/Delete
      • Microsoft.Resources/deployments/*
      • Microsoft.Web/sites/functions/*
      • Microsoft.Storage/storageAccounts/listkeys/action
      • Microsoft.Resources/subscriptions/resourceGroups/*
      • Microsoft.Resources/deployments/operations/*
      • Microsoft.Web/serverfarms/write
      • Microsoft.Web/serverfarms/delete
      • Microsoft.Web/sites/write
      • Microsoft.Web/sites/delete
      • Microsoft.Web/*/read
      • Microsoft.Web/sites/sourcecontrols/write
      • Microsoft.Web/sites/sourcecontrols/delete
      • Microsoft.Network/*/action
      • Microsoft.Network/*/write
      • Microsoft.Compute/*/action
      • Microsoft.Compute/*/delete
      • Microsoft.Compute/*/write
    2. Creates a Function Trigger custom role. This allows Sophos Cloud Optix to synchronize the triggers of the Activity and Flow log functions. The following attributes are used:

      Name: AvidFunctionTrigger + <first 8 characters of subscription id without '-'>
      Permission: microsoft.web/sites/syncfunctiontriggers/action
      Scope: subscriptions/<SubscriptionId>/resourceGroups/avidflowlogsgroup
    3. Creates a resource group for the subscription with the following attributes:

      Name: avidflowlogsgroup
      Description: The Sophos Cloud Optix script creates all the necessary resources, for example storage accounts or function apps, under this resource group, for ease of management and removal, if required.
    4. Creates a storage account to export activity logs for the subscription as follows:

      Name: avidact + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>
      Attributes: A one-day retention policy is assigned to the storage account.
    5. Turns on a Microsoft Azure Network Watcher for each region to enable flow logs for all network security groups in that region. The region list is obtained from Microsoft Azure APIs or the regions selected by the customer.

    6. Creates an Activity Log monitor with the following attributes:

      Name: AvidActivityLogCollector
      Description: Azure Log Monitor archives Activity Logs to a Microsoft Azure storage account.
    7. Creates a function app to send Activity Logs from the Microsoft Azure storage account mentioned above to Sophos Cloud Optix. This function app in turn creates a function app to send the flow logs of each selected region. It has the following attributes:

      Name: AvidActivityLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>
      Description: This checks every 5 minutes for the resources required to export flow logs. It enables the resources if necessary. It checks whether NSGs have flow logs enabled and checks for the presence of the required storage account. If required, the following attributes are used to create these resources:

      Function names use the format: AvidFlowLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + 4 character region code

      Storage Account names use the format: avi + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + 4 character region code

    8. Creates a managed identity for the Activity Log function app. A managed identity enables Microsoft Azure resources to authenticate to cloud services without storing credentials in code.

    9. Assigns the Network Watcher role described earlier in this document to the Activity Log function app.
  5. Adds all Microsoft Azure AKS clusters to Sophos Cloud Optix, if this option is selected in Sophos Cloud Optix. For each AKS cluster, the script creates a service account called avid-service-account in the default namespace. The script creates a custom ClusterRole and ClusterRoleBinding, assigns the role to the service account, and sends the service account credentials to Sophos Cloud Optix.

  6. Sends the subscription name, the subscription ID, the tenant ID, and the encrypted key for the AD application to Sophos Cloud Optix. This adds the environment to the service.
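The following Python audit helpers are an added example, not part of the Sophos script or the Sophos documentation. They derive the resource names the script is documented to produce for a given subscription ID and customer ID (checking the storage account names against Azure's 3-24 lowercase alphanumeric rule), compare a custom role definition against the AvidNetWatcher permission list above, and list the wildcard write, delete and action grants in that list so a reviewer can see which entries go beyond read access. The role definition is assumed to be in the JSON shape returned by `az role definition list --custom-role-only true`; the subscription ID, customer ID and region code used in the sample are constructed values.

```python
"""Audit helpers for the roles and resources the Sophos Cloud Optix Azure script creates.

Added example, not part of the Sophos script. Role definitions are assumed to be in the
JSON shape returned by `az role definition list --custom-role-only true` (a top-level
"permissions" list whose entries carry an "actions" list).
"""
import re

# The AvidNetWatcher permissions exactly as listed in the script description (semicolon-separated).
NETWATCHER_DOCUMENTED = (
    "Microsoft.Authorization/*/Read; Microsoft.Storage/storageAccounts/listServiceSas/Action; "
    "Microsoft.Storage/storageAccounts/*/Write; Microsoft.Compute/virtualMachines/Read; "
    "Microsoft.Compute/virtualMachines/Write; Microsoft.Compute/virtualMachines/Delete; "
    "Microsoft.Compute/virtualMachines/extensions/Read; Microsoft.Compute/virtualMachines/extensions/Write; "
    "Microsoft.Compute/virtualMachines/extensions/Delete; Microsoft.Compute/virtualMachineScaleSets/Read; "
    "Microsoft.Compute/virtualMachineScaleSets/Write; Microsoft.Compute/virtualMachineScaleSets/Delete; "
    "Microsoft.Compute/virtualMachineScaleSets/extensions/Read; "
    "Microsoft.Compute/virtualMachineScaleSets/extensions/Write; "
    "Microsoft.Compute/virtualMachineScaleSets/extensions/Delete; Microsoft.Insights/alertRules/*; "
    "Microsoft.Support/*; Microsoft.Network/*/read; Microsoft.Storage/*/read; "
    "Microsoft.Storage/storageAccounts/write; Microsoft.Storage/storageAccounts/Delete; "
    "Microsoft.Resources/deployments/*; Microsoft.Web/sites/functions/*; "
    "Microsoft.Storage/storageAccounts/listkeys/action; Microsoft.Resources/subscriptions/resourceGroups/*; "
    "Microsoft.Resources/deployments/operations/*; Microsoft.Web/serverfarms/write; "
    "Microsoft.Web/serverfarms/delete; Microsoft.Web/sites/write; Microsoft.Web/sites/delete; "
    "Microsoft.Web/*/read; Microsoft.Web/sites/sourcecontrols/write; Microsoft.Web/sites/sourcecontrols/delete; "
    "Microsoft.Network/*/action; Microsoft.Network/*/write; Microsoft.Compute/*/action; "
    "Microsoft.Compute/*/delete; Microsoft.Compute/*/write"
)


def parse_action_list(text):
    """Split a semicolon-separated action list into a set.

    Azure RBAC action strings match case-insensitively and the documented list mixes
    'Read' and 'read', so everything is lowercased before comparison.
    """
    return {item.strip().lower() for item in text.split(";") if item.strip()}


NETWATCHER_ACTIONS = parse_action_list(NETWATCHER_DOCUMENTED)

# Azure storage account names: 3-24 characters, lowercase letters and digits only.
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


def short_id(guid):
    """First 8 characters of a GUID with the dashes removed (the script's naming convention)."""
    return guid.replace("-", "")[:8]


def expected_names(subscription_id, customer_id, region_codes):
    """Names the script is documented to use for one subscription.

    Raises ValueError if a derived storage account name would break Azure's naming rule,
    which is the first thing to check when a flow log storage account is missing.
    """
    sub, cust = short_id(subscription_id), short_id(customer_id)
    names = {
        "flowlogs_reader_role": f"AvidFlowLogsReader{sub}",
        "netwatcher_role": f"AvidNetWatcher{sub}",
        "function_trigger_role": f"AvidFunctionTrigger{sub}",
        "resource_group": "avidflowlogsgroup",
        "activity_storage": f"avidact{sub}{cust}",
        "activity_function": f"AvidActivityLogs{sub}{cust}",
        "flowlog_functions": [f"AvidFlowLogs{sub}{cust}{r}" for r in region_codes],
        "flowlog_storage": [f"avi{sub}{cust}{r}" for r in region_codes],
    }
    for name in [names["activity_storage"], *names["flowlog_storage"]]:
        if not STORAGE_NAME_RE.match(name):
            raise ValueError(f"{name!r} violates Azure storage account naming rules")
    return names


def audit_role(role_definition, documented=NETWATCHER_ACTIONS):
    """Compare the actions a custom role grants with the documented set.

    Returns (missing, extra): documented actions the role lacks, and actions the role
    grants that are not documented. Extras are what a reviewer should investigate.
    """
    granted = set()
    for perm in role_definition.get("permissions", []):
        granted.update(a.lower() for a in perm.get("actions", []))
    return documented - granted, granted - documented


def broad_grants(actions):
    """Actions that confer write, delete or action rights through a wildcard segment.

    A wildcard read is low impact; a wildcard write, delete or action (or a trailing '*')
    is the part of a role that needs an explicit justification.
    """
    found = set()
    for action in actions:
        parts = action.lower().split("/")
        if "*" in parts and parts[-1] in ("write", "delete", "action", "*"):
            found.add(action.lower())
    return sorted(found)


def sample_role_definition():
    """Constructed role definition (not real output): the documented set minus
    Microsoft.Support/*, plus one undocumented Key Vault read."""
    actions = sorted(NETWATCHER_ACTIONS - {"microsoft.support/*"})
    actions.append("Microsoft.KeyVault/vaults/read")
    return {"roleName": "AvidNetWatcher12345678", "roleType": "CustomRole",
            "permissions": [{"actions": actions, "notActions": []}]}


if __name__ == "__main__":
    # Constructed subscription ID, customer ID and region code.
    names = expected_names("12345678-abcd-ef01-2345-6789abcdef01",
                           "0f0f0f0f-1111-2222-3333-444444444444", ["weur"])
    missing, extra = audit_role(sample_role_definition())
    print("expected names:", names)
    print("missing:", sorted(missing), "extra:", sorted(extra))
    print("wildcard write/delete/action grants:", broad_grants(NETWATCHER_ACTIONS))
```

To run this against a real tenant, replace `sample_role_definition()` with the parsed output of `az role definition list --custom-role-only true --name <role name>` and feed the region codes your deployment selected; anything reported as `extra` was not documented for the role and deserves a look.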

When the script has finished, a URL is provided in the format: https://login.microsoftonline.com/(tenantId)/adminConsent?client_id=(appId).

Visit this URL to authorize read-only access for Sophos Cloud Optix so that AD user and group information can be included in your inventory.

The script then sends an installation log file to Sophos Cloud Optix.