Azure workload discovery

Overview

Twigs supports cloud-native discovery for Azure, i.e. twigs can ingest the asset inventory gathered by Azure in your Log Analytics Workspace.

Pre-requisites

The Log Analytics Workspace is the Azure datastore which will be used to collect inventory information for Azure VMs. You can create a single Log Analytics Workspace to collect inventory information from several Azure subscriptions, as long as those subscriptions are part of the same Azure tenant.

The Active Directory App is meant to be used by ThreatWorx discovery as the identity to pull inventory information from Azure. Associate the following permissions with this app:

  1. Read Log Analytics Data
  2. User Impersonation

The client secret for this App will not be shared with or stored in the ThreatWorx console; it will be used only locally by the ThreatWorx discovery script or app.

  • Grant the Active Directory App permissions to the Log Analytics Workspace

In the “Access Control (IAM)” section of the Log Analytics Workspace, add the Active Directory App with the “Reader” or “Contributor” role.

  • Ensure that the Active Directory App is also added to your subscription

In the “Access Control (IAM)” section of the subscription, add the Active Directory App with the “Reader” role.

Refer to the steps described in the Azure documentation above to enable Change Tracking and Inventory. This method supersedes all previous ways of collecting VM inventory for Azure, which are deprecated as of January 2025. If you have configured inventory collection using an Automation Account, you will need to migrate to AMA Change Tracking and Inventory.

This can be done manually from the Azure console for a single VM or for multiple VMs at a time, or for all current and future VMs using a policy.

We recommend using the policy-based approach for best results.

Once this is enabled, VM inventory information will start to appear in the Log Analytics Workspace. This may take from a few minutes to several hours, depending on how often the agent sync happens. Once you see inventory information in the Log Analytics Workspace, you are ready to move to the actual discovery steps after installing Azure CLI (if required).

  • Install Azure CLI (if running discovery using the twigs discovery cli)

Azure CLI is required; install it by following the steps mentioned here for your operating system.

Two Azure CLI extensions are required: account and log-analytics.

Steps

After you have configured Azure Change Tracking and Inventory to collect Azure VM inventory in a Log Analytics Workspace, you can run twigs to ingest this collected inventory into your ThreatWorx instance by following the steps below:

  • Open a new shell / terminal
  • Sign in to your Azure instance using Azure CLI, as described here, on the host where you will be running twigs.
  • Check that twigs is installed and running properly by running the command below:

twigs azure -h

  • You need the Azure Log Analytics Workspace ID (which holds the native inventory) to run the twigs command. You can get it from the Azure Portal.

Run twigs by specifying the Log Analytics Workspace ID.

  • Run the command as shown below:

twigs azure --azure_workspace AZURE_WORKSPACE [--enable_tracking_tags]

  • It is suggested that you specify --enable_tracking_tags, which allows you to easily identify Azure cloud instances in ThreatWorx.
  • Note that Azure cloud discovery may require some time, depending on the number of VM instances in your Azure cloud setup.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.

Example

$ twigs azure --azure_workspace "00123...475" --enable_tracking_tags

Discover your Azure workload by specifying the Log Analytics Workspace ID where inventory is collected. Note: You need to log in to Azure CLI first.
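
The prerequisite checks from the steps above can be scripted so that a missing sign-in, a missing extension or a mistyped workspace ID is caught before discovery starts. The following is an added example, not part of twigs or of the original page; the function names are this example's own, and it assumes the Workspace ID is the GUID shown for the workspace in the Azure Portal.

```shell
#!/bin/sh
# Added example: pre-flight checks for the prerequisites listed on this page.
# Function names are hypothetical; they are not part of twigs or Azure CLI.

REQUIRED_EXTENSIONS="account log-analytics"

# Read installed extension names on stdin (one per line) and print every
# required extension that is absent.
missing_extensions() {
    installed="$(cat)"
    for ext in $REQUIRED_EXTENSIONS; do
        printf '%s\n' "$installed" | grep -Fxq -- "$ext" || printf '%s\n' "$ext"
    done
}

# Assumption: a Log Analytics Workspace ID is a GUID. Reject anything else
# early, so a workspace name or a truncated paste never reaches twigs.
valid_workspace_id() {
    case "$1" in
        *[!0-9a-fA-F-]*) return 1 ;;   # stray characters, including newlines
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Run every check in the order the page lists the prerequisites.
preflight() {
    workspace="$1"
    command -v az >/dev/null 2>&1 ||
        { echo "Azure CLI (az) not found" >&2; return 1; }
    command -v twigs >/dev/null 2>&1 ||
        { echo "twigs not found" >&2; return 1; }
    az account show >/dev/null 2>&1 ||
        { echo "not signed in to Azure CLI: run 'az login'" >&2; return 1; }
    missing="$(az extension list --query '[].name' -o tsv | missing_extensions)"
    [ -z "$missing" ] ||
        { echo "missing Azure CLI extensions:" $missing >&2; return 1; }
    valid_workspace_id "$workspace" ||
        { echo "workspace ID is not a GUID" >&2; return 1; }
}

# Usage (AZURE_WORKSPACE is a variable you set to your own Workspace ID):
#   preflight "$AZURE_WORKSPACE" &&
#       twigs azure --azure_workspace "$AZURE_WORKSPACE" --enable_tracking_tags
```
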