What does the Sophos Cloud Optix script for Azure do?

The script sets up Sophos Cloud Optix so that it can receive data from your Azure AD environment.

It enables Sophos Cloud Optix to receive data for your Azure subscriptions, users and groups in Azure AD, as well as flow log data. The script does as follows:

  1. Creates an Azure Active Directory application, then creates an Azure service principal with it. It then assigns the Reader role to the service principal for all subscriptions (or for the individual subscriptions you specify when running the script). Reader is a built-in role provided by Azure. The setup uses the following attributes:

     Active Directory application name: AvidSecure Monitor App 999x9

     Service principal: A security identity used by applications or services to access specific Azure resources. It acts as a user identity (username and password, or certificate) for an application.

     Role name: Reader

     Role description: The Reader role allows the Active Directory application to read data in your company or school directory, such as users, groups, and apps. This role does not have permissions to make any changes.

     Permission: Directory.Read.All (admin consent for this is requested when the script completes).

  2. Assigns permissions to the Active Directory application (AvidSecure Monitor App 999x9) for each Azure subscription. This enables Sophos Cloud Optix to read the FlowLogs Enabled status for all Network Security Groups (NSGs). The following attributes are used:

     Role name: AvidFlowLogsReader + <first 8 characters of subscription id without '-'>

     Permission: Microsoft.Network/networkWatchers/queryFlowLogStatus/action

  3. Enables the Microsoft.Insights resource provider so that flow logs can be turned on.
  4. For each Azure subscription, the script then does as follows:
    1. Creates a Network Watcher custom role, which is assigned to an Azure Function that Sophos Cloud Optix creates. This enables the export of flow logs for current NSGs and for new NSGs as they are created. The setup includes enabling flow logs in Network Watcher and creating Storage Accounts and an Azure Function App to export flow logs to Sophos Cloud Optix.
      Note: The Azure Function that uses the AvidNetWatcher role with these permissions is within your Azure environment. Once created, Sophos does not own or control it.
      The attributes used to create the role are as follows:

      Role name: AvidNetWatcher + <first 8 characters of subscription id without '-'>

      Description: This role can configure flow logs, list storage and NSG resources, create/delete storage accounts, list keys, and create/delete Azure Functions. These permissions are required to automatically create and remove the resources needed to export flow logs to Sophos Cloud Optix when new NSGs are created and removed in your environment.

      Permissions:
      Microsoft.Authorization/*/Read
      Microsoft.Storage/storageAccounts/listServiceSas/Action
      Microsoft.Storage/storageAccounts/*/Write
      Microsoft.Compute/virtualMachines/Read
      Microsoft.Compute/virtualMachines/Write
      Microsoft.Compute/virtualMachines/Delete
      Microsoft.Compute/virtualMachines/extensions/Read
      Microsoft.Compute/virtualMachines/extensions/Write
      Microsoft.Compute/virtualMachines/extensions/Delete
      Microsoft.Compute/virtualMachineScaleSets/Read
      Microsoft.Compute/virtualMachineScaleSets/Write
      Microsoft.Compute/virtualMachineScaleSets/Delete
      Microsoft.Compute/virtualMachineScaleSets/extensions/Read
      Microsoft.Compute/virtualMachineScaleSets/extensions/Write
      Microsoft.Compute/virtualMachineScaleSets/extensions/Delete
      Microsoft.Insights/alertRules/*
      Microsoft.Support/*
      Microsoft.Network/*/read
      Microsoft.Storage/*/read
      Microsoft.Storage/storageAccounts/write
      Microsoft.Storage/storageAccounts/Delete
      Microsoft.Resources/deployments/*
      Microsoft.Web/sites/functions/*
      Microsoft.Storage/storageAccounts/listkeys/action
      Microsoft.Resources/subscriptions/resourceGroups/*
      Microsoft.Resources/deployments/operations/*
      Microsoft.Web/serverfarms/write
      Microsoft.Web/serverfarms/delete
      Microsoft.Web/sites/write
      Microsoft.Web/sites/delete
      Microsoft.Web/*/read
      Microsoft.Web/sites/sourcecontrols/write
      Microsoft.Web/sites/sourcecontrols/delete
      Microsoft.Network/*/action
      Microsoft.Network/*/write
      Microsoft.Compute/*/action
      Microsoft.Compute/*/delete
      Microsoft.Compute/*/write
    2. Creates a resource group for the subscription with the following attributes:

      Name: avidflowlogsgroup

      Description: The Sophos Cloud Optix script creates all the necessary resources (for example, storage accounts and function apps) under this resource group, for ease of management and, if required, removal.

    3. Creates a storage account to export activity logs for the subscription, as follows:

      Name: avidact + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>

      Attributes: A one-day retention policy is assigned to the storage account.

    4. Enables Azure Network Watcher in each region so that flow logs can be enabled for all network security groups in that region. The region list is obtained from Azure APIs.
    5. Creates an Activity Log monitor with the following attributes:

      Name: AvidActivityLogCollector

      Description: Azure Log Monitor archives Activity Logs to an Azure storage account.

    6. Creates a function app to send Activity Logs from the Azure storage account mentioned above to Sophos Cloud Optix. A function app is created in each region with the following attributes:

      Name: AvidActivityLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'>

      Description: This function also runs every 5 minutes to check for the resources required to export flow logs and enables them if necessary. It checks whether NSGs have flow logs enabled and checks for the presence of the required storage account. If required, the following attributes are used to create these resources:

      Function names use the format: AvidFlowLogs + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + <4 character region code>

      Storage Account names use the format: avi + <first 8 characters of SubscriptionId without '-'> + <first 8 characters of CustomerId without '-'> + <4 character region code>

    7. Creates a managed identity for the Activity Log function app. A managed identity enables Azure resources to authenticate to cloud services without storing credentials in code.
    8. Assigns the Network Watcher role described earlier in this document to the Activity Log function app.
  5. Adds all Azure AKS clusters to Sophos Cloud Optix, if this option is selected in Sophos Cloud Optix. For each AKS cluster, the script creates a service account called avid-service-account in the default namespace. The script creates a custom ClusterRole and ClusterRoleBinding, assigns the role to the service account, and sends the service account credentials to Sophos Cloud Optix.
  6. Sends the subscription name, the subscription ID, the tenant ID, and the encrypted key for the AD application to Sophos Cloud Optix. This adds the environment to the service.
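The AvidNetWatcher role in step 4 relies on wildcard entries such as Microsoft.Compute/*/delete, so its effective scope is wider than the explicit entries alone suggest. The Python below is an added example, not part of the Sophos script: it evaluates a subset of the role's entries (copied from the list above) against candidate actions, assuming Azure RBAC semantics in which action strings are case-insensitive and '*' matches any run of characters, including '/'.

```python
import re

# Subset of the AvidNetWatcher custom-role permissions listed in step 4
# (taken from the page; the full role has more entries than shown here).
AVID_NET_WATCHER_ACTIONS = [
    "Microsoft.Authorization/*/Read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/Delete",
    "Microsoft.Network/*/read",
    "Microsoft.Network/*/write",
    "Microsoft.Web/sites/functions/*",
    "Microsoft.Compute/*/delete",
    "Microsoft.Compute/*/write",
]


def action_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile one RBAC action pattern. Assumed semantics: case-insensitive,
    and '*' matches any run of characters, including '/' separators."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def granting_entries(action: str, allowed: list[str]) -> list[str]:
    """Return every role entry whose pattern covers `action` ([] = not granted)."""
    return [p for p in allowed if action_pattern_to_regex(p).match(action)]


def is_permitted(action: str, allowed: list[str]) -> bool:
    return bool(granting_entries(action, allowed))


def review(candidates: list[str], allowed: list[str] = AVID_NET_WATCHER_ACTIONS) -> dict:
    """Map each candidate action to the entries that grant it, for a least-privilege review."""
    return {a: granting_entries(a, allowed) for a in candidates}


if __name__ == "__main__":
    # Constructed sample of actions a reviewer might check against the role.
    sample = [
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.KeyVault/vaults/secrets/read",
    ]
    for action, grants in review(sample).items():
        print(f"{action}: {'granted by ' + ', '.join(grants) if grants else 'not granted'}")
```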

When the script has finished, a URL is provided in the format: "https://login.microsoftonline.com/(tenantId)/adminConsent?client_id=(appId)".

Visit this URL to authorize read-only access for Sophos Cloud Optix so that AD user and group information can be included in your inventory.

The script then sends an installation log file to Sophos Cloud Optix.
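The naming formats given in steps 2 and 4 let you recognise the roles, storage accounts and function apps the script creates when reviewing a subscription. This Python helper is an added example, not Sophos code: it derives the expected names from constructed sample ids (the 4-character region code is a parameter, since the page does not define its format) and checks that the derived storage account names fit Azure's 3-24 character, lowercase alphanumeric limit.

```python
import re

# Constructed sample identifiers (not real tenants): GUID-style ids as the page
# describes them. The region code is an assumed 4-character value.
SUBSCRIPTION_ID = "12345678-abcd-ef01-2345-6789abcdef01"
CUSTOMER_ID = "fedcba98-7654-3210-fedc-ba9876543210"


def short_id(guid: str) -> str:
    """First 8 characters of the id with '-' removed, as the naming scheme specifies."""
    return guid.replace("-", "")[:8]


def expected_names(subscription_id: str, customer_id: str, region_code: str) -> dict:
    """Derive every resource name the script creates for one subscription and region."""
    s, c = short_id(subscription_id), short_id(customer_id)
    return {
        "flow_logs_reader_role": "AvidFlowLogsReader" + s,
        "net_watcher_role": "AvidNetWatcher" + s,
        "resource_group": "avidflowlogsgroup",
        "activity_log_storage": "avidact" + s + c,
        "activity_log_function": "AvidActivityLogs" + s + c,
        "flow_log_function": "AvidFlowLogs" + s + c + region_code,
        "flow_log_storage": "avi" + s + c + region_code,
    }


def valid_storage_account_name(name: str) -> bool:
    """Azure storage account names: 3-24 characters, lowercase letters and digits only."""
    return re.fullmatch(r"[a-z0-9]{3,24}", name) is not None


def classify(name: str, subscription_id: str, customer_id: str, region_code: str):
    """Return which part of the Optix setup a discovered resource name matches, or None."""
    for kind, expected in expected_names(subscription_id, customer_id, region_code).items():
        if name == expected:
            return kind
    return None


if __name__ == "__main__":
    names = expected_names(SUBSCRIPTION_ID, CUSTOMER_ID, "euwe")
    for kind, name in names.items():
        flag = "" if not kind.endswith("storage") or valid_storage_account_name(name) else "  (invalid storage name)"
        print(f"{kind}: {name}{flag}")
```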