Azure workload discovery

Overview

Twigs supports cloud-native discovery for Azure, i.e. twigs can ingest the asset inventory gathered by Azure in your Log Analytics Workspace.

Pre-requisites

Setting up Azure Monitor in your Azure subscription requires some steps; you can refer to the documentation below:

Azure CLI is required. Please install it by following the steps mentioned here for your operating system.

Two Azure CLI extensions are required: account and log-analytics.

Steps

After you have configured Azure Monitor to collect Azure VM data in a Log Analytics Workspace, you can run twigs to ingest this collected inventory into your ThreatWorx instance by following these steps:

  • Open a new shell / terminal
  • Sign in to your Azure instance using Azure CLI, as described here, on the host where you will be running twigs.
  • Check that twigs is installed and running properly by running the command below:

twigs azure -h

  • You need the Azure Log Analytics Workspace ID (which holds the native inventory) to run the twigs command. You can get it from the Azure Portal.

Please run twigs by specifying the Log Analytics Workspace ID.

  • Run the command as shown below:

twigs azure --azure_workspace AZURE_WORKSPACE [--enable_tracking_tags]

  • It is suggested that you pass --enable_tracking_tags, which allows you to easily identify Azure cloud instances in ThreatWorx.
  • Note that Azure cloud discovery may require some time, depending on the number of VM instances in your Azure cloud setup.
  • After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.

Example

$ twigs azure --azure_workspace "00123...475" --enable_tracking_tags

Discover your Azure workload by specifying the Log Analytics Workspace ID where native inventory is collected. Note that you need to log in to the Azure CLI first.
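
The prerequisites and steps above can be checked in one pass before discovery starts. The script below is an added example, not part of twigs or the ThreatWorx documentation; its function names are this example's own, and it assumes the workspace ID is supplied in GUID form.

```bash
#!/usr/bin/env bash
# Pre-flight checks for "twigs azure" (added example, not shipped with twigs).
# missing_extensions, is_workspace_id and preflight are names made up here.

REQUIRED_EXTENSIONS="account log-analytics"   # the two extensions listed above

# Print each required extension that is absent from the list given in $1
# (one installed extension name per line).
missing_extensions() {
    local installed="$1" ext
    for ext in $REQUIRED_EXTENSIONS; do
        printf '%s\n' "$installed" | grep -qxF -- "$ext" || printf '%s\n' "$ext"
    done
}

# Accept only a 36-character GUID, the form of a Log Analytics Workspace ID,
# so a mistyped or truncated value fails here and not part-way through a run.
is_workspace_id() {
    [ "${#1}" -eq 36 ] &&
        printf '%s\n' "$1" |
        grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# Check every prerequisite from this page; explain the first one that fails.
preflight() {
    local workspace="$1" missing
    is_workspace_id "$workspace" || { echo "not a workspace GUID: $workspace" >&2; return 1; }
    command -v az >/dev/null     || { echo "Azure CLI (az) not found" >&2; return 1; }
    command -v twigs >/dev/null  || { echo "twigs not found" >&2; return 1; }
    az account show >/dev/null 2>&1 || { echo "not signed in: run 'az login'" >&2; return 1; }
    missing=$(missing_extensions "$(az extension list --query '[].name' -o tsv)")
    if [ -n "$missing" ]; then
        echo "missing Azure CLI extensions:" $missing >&2
        return 1
    fi
}

# Usage: ./twigs-azure-preflight.sh WORKSPACE_ID
if [ "$#" -gt 0 ]; then
    preflight "$1" && twigs azure --azure_workspace "$1" --enable_tracking_tags
fi
```

A missing extension can be installed with `az extension add --name NAME` before re-running the script.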