Azure workload discovery

Overview

Twigs supports cloud-native discovery for Azure, i.e. twigs can ingest the asset inventory that Azure gathers in your Log Analytics Workspace.

Pre-requisites

Setting up Azure Monitor in your Azure subscription requires some steps; you can refer to the documentation below:

Steps

After you have configured Azure Monitor to collect Azure VM data in a Log Analytics Workspace, you can run twigs to ingest the collected inventory into your ThreatWorx instance by following these steps:

  • Open a new shell / terminal
  • Check that twigs is installed and running properly by running the command below:

twigs azure -h

  • You need the following information to run the twigs command:
      • Azure Tenant Identifier (AZURE_TENANT_ID)
      • Azure Application Identifier (AZURE_APPLICATION_ID)
      • Azure Application Key (AZURE_APPLICATION_KEY)
      • Azure Subscription (AZURE_SUBSCRIPTION)
      • Azure Resource Group (AZURE_RESOURCE_GROUP)
      • Azure Log Analytics Workspace (AZURE_WORKSPACE)
  • You can get these details from the Azure Portal.
  • If you do not know the values for AZURE_SUBSCRIPTION, AZURE_RESOURCE_GROUP and AZURE_WORKSPACE, run twigs without them and twigs will query your Azure subscription and list the possible values (as shown below). You can then select the right value.

twigs azure --azure_tenant_id "MY_TENANT_ID" --azure_application_id "MY_APPLICATION_ID" --azure_application_key "MY_APPLICATION_KEY"

Output will be as follows:

INFO Getting access token...

Missing details for subscription/resource group/workspace....

Available subscriptions with resource group and workspace details as below:

Subscription: MY_SUBSCRIPTION **

Resource group: MY_RESOURCE_GROUP1 **

Resource group: MY_RESOURCE_GROUP2 **

Resource group: MY_RESOURCE_GROUP3 **

Workspace: MY_LOG_ANALYTICS_WORKSPACE

Please re-run twigs with appropriate values for subscription, resource group and workspace.

  • Run the command as shown below:

twigs azure --azure_tenant_id AZURE_TENANT_ID --azure_application_id AZURE_APPLICATION_ID --azure_application_key AZURE_APPLICATION_KEY --azure_subscription AZURE_SUBSCRIPTION --azure_resource_group AZURE_RESOURCE_GROUP --azure_workspace AZURE_WORKSPACE [--enable_tracking_tags]

  • It is suggested that you pass --enable_tracking_tags, which allows you to easily identify Azure cloud instances in ThreatWorx.
  • Note: Azure cloud discovery may require some time depending on the number of VM instances in your Azure cloud setup.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.
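
The steps above as a POSIX shell wrapper, added here as an example (it is not ThreatWorx code). It reads the six values from environment variables of the same names, so the application key is not typed at the prompt, and falls back to the listing run when subscription, resource group or workspace is not set. The function names and the TWIGS_BIN override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of twigs. Assumed names: require_vars,
# run_twigs_azure, TWIGS_BIN (path to the twigs executable).

# Return 1 and name the first variable that is unset or empty.
require_vars() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            return 1
        fi
    done
}

run_twigs_azure() {
    # The three credential values are always required.
    require_vars AZURE_TENANT_ID AZURE_APPLICATION_ID AZURE_APPLICATION_KEY || return 1

    set -- azure \
        --azure_tenant_id "$AZURE_TENANT_ID" \
        --azure_application_id "$AZURE_APPLICATION_ID" \
        --azure_application_key "$AZURE_APPLICATION_KEY"

    if require_vars AZURE_SUBSCRIPTION AZURE_RESOURCE_GROUP AZURE_WORKSPACE 2>/dev/null; then
        # All three known: full discovery, with tracking tags as suggested.
        set -- "$@" \
            --azure_subscription "$AZURE_SUBSCRIPTION" \
            --azure_resource_group "$AZURE_RESOURCE_GROUP" \
            --azure_workspace "$AZURE_WORKSPACE" \
            --enable_tracking_tags
    else
        # Any of them missing: credentials only, so twigs lists the
        # available subscriptions, resource groups and workspaces.
        echo "subscription/resource group/workspace not all set; twigs will list them" >&2
    fi

    # The key is still handed to twigs as an argument, as the command requires.
    "${TWIGS_BIN:-twigs}" "$@"
}
```

Set the variables in the shell session (for example from a file readable only by you), then call run_twigs_azure.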