1-1-updates (#1032)
* 1-1-updates

* new perm queries

* iz feedback

* iz comment
jenjoe22 authored Jan 17, 2025
1 parent 0a18249 commit d0809ab
Showing 2 changed files with 61 additions and 2 deletions.
Expand Up @@ -288,6 +288,7 @@ See xref:what-is-prisma-cloud-iam-security.adoc[What is Prisma Cloud IAM Securit

The following Azure permission levels are supported:

* Entra ID
* Management Group
* Subscription
* Resources
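Review bot: Entra ID is a directory (tenant) scope rather than an Azure Resource Manager scope like the other three items, so the new first bullet would read more clearly with a short qualifier, for example `* Entra ID (tenant-level directory permissions)`; without it readers may expect Entra ID to sit inside the management group / subscription / resource hierarchy that the next three bullets describe.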
Expand All @@ -301,17 +302,27 @@ When you define permissions there are several IAM concepts that you can specify.
Prisma Cloud requires additional permissions to display the above-mentioned permission levels. If you are new to Prisma Cloud and used a Terraform template for xref:../connect/connect-cloud-accounts/connect-azure-account.adoc[Azure account onboarding] no additional action is required, since the template includes these permissions. If you have already associated Prisma Cloud with your Azure account, you have the option to rerun the Terraform template or manually add the required permissions.

==== Enable Access Management for Azure Entra ID

If your Azure deployment uses Azure Entra ID, follow the steps below to enable access:

. Sign in to the Azure portal as a Global Administrator in Azure AD.
. Open Microsoft Entra ID (formerly Azure Active Drectory).
. Select *Manage > Properties*
. Under *Access management for Azure resources*, set the toggle to Yes.
. Click *Save*.

==== Manually add permissions for Azure Management Groups

If your Azure deployment uses management groups, follow the steps below to manually add the screen:[Microsoft.Management/managementGroups/descendants/read] permission:
If your Azure deployment uses management groups, follow the steps below to manually add the `Microsoft.Management/managementGroups/descendants/read` permission:

. On your Azure account portal, navigate to the Management group.
. Select the *Tenant/Root Management Group > Access Control (IAM)*.
. Assign the above-mentioned permission to your Prisma Account.

==== Manually add permissions for Azure Management Groups

If your Azure deployment uses subscriptions, follow the steps below to manually add the screen:[Microsoft.Resources/subscriptions/read] permission:
If your Azure deployment uses subscriptions, follow the steps below to manually add the `Microsoft.Resources/subscriptions/read` permission:

. On your Azure account portal, navigate to the Subscription group.
. Select the Subscription for which you wish to ingest tags.
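Review bot: The second heading is a copy of the first: `==== Manually add permissions for Azure Management Groups` now introduces the subscriptions procedure and the `Microsoft.Resources/subscriptions/read` permission, so it should read `==== Manually add permissions for Azure Subscriptions` (duplicate headings also collide on the generated section id, which breaks xrefs). In the new Entra ID procedure, `Azure Active Drectory` is a typo for `Directory`, and step 1 says `Global Administrator in Azure AD` while the heading says Entra ID; pick one name. The `Access management for Azure resources` toggle grants the signed-in Global Administrator elevated access over every Azure resource in the tenant, which is the whole point of the step, so consider adding one sentence that this elevation is tenant-wide and that the toggle should be set back to No once the Prisma Cloud permissions are assigned, rather than leaving readers to treat it as a permanent setting.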
Expand Up @@ -55,6 +55,46 @@ Lists permissions of all Azure virtual machine instances in any of your Azure su
config from iam where source.cloud.accountgroup = 'All my Azure accounts' AND source.cloud.service.name = 'Microsoft.Compute' AND source.cloud.resource.type = 'virtualMachines'
----
* *source.cloud.azure.user.isAppRegistrationOwner*
+
Identifies user accounts that owns an Entra ID service account with the permission to add members to a group with admin privileges at the subscription/management group level:
+
----
config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationOwner = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
----
* *source.cloud.azure.user.isAppRegistrationAdmin*
+
Identifies user accounts Entra ID service account administration privileges including permission to add members to a group with admin privileges at the subscription/management group level:
+
----
config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationAdmin = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
----
* *source.cloud.azure.user.canImpersonateAppReg*
+
Identifies Entra ID users that can impersonate an Entra ID application with the permission to add members to a group with admin privileges at the subscription/management group level:
+
----
config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.canImpersonateAppReg = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
----
* *source.cloud.azure.servicePrincipal.has.machineAttached*
+
Identifies Virtual Machines assigned with `System Managed Identity` or `User Managed Identity` and Azure Active Directory permissions:
+
----
config from iam where source.cloud.type = 'AZURE' AND source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type ='virtualMachines' AND action.name IN ('GroupMember.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'RoleManagement.ReadWrite.Directory')
----
* *source.cloud.azure.servicePrincipal.isGraphAdmin*
+
Identifies user/system managed identities connected to a Virtual Machine or any other Compute resource with the permission to create credentials for a registered application with Microsoft Graph API permissions:
+
----
config from iam where source.cloud.type = 'AZURE' AND source.cloud.service.name = 'Microsoft.Compute' and source.cloud.resource.type ='virtualMachines' and grantedby.cloud.entity.type = 'AppRegistration' and grantedby.cloud.policy.type = 'Microsoft Graph' and action.name in ('Files.Read.All', 'Files.ReadWrite.All','Sites.Read.All','Sites.ReadWrite.All','Sites.FullControl.All','Sites.Selected','Mail.ReadWrite','Mail.Read')
----
* *source.cloud.type*
+
Narrows down your search option to specific clouds. The following example lists all effective permissions where the sources are in your AWS cloud accounts:
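Review bot: The literal `'AppRoleAssignment.ReadWrite.AllRole'` in the three `isAppRegistrationOwner` / `isAppRegistrationAdmin` / `canImpersonateAppReg` queries looks like a typo for `AppRoleAssignment.ReadWrite.All` (the spelling the `has.machineAttached` query uses), and `'Management.ReadWrite.Directory'` likewise does not match `RoleManagement.ReadWrite.Directory` further down; a mistyped literal inside an `in (...)` clause fails silently by matching nothing, so please confirm both values before publishing. The `has.machineAttached` query repeats `'RoleManagement.ReadWrite.Directory'` three times in its `action.name IN` list; two copies can be dropped. The descriptions also drift from the queries: `has.machineAttached` promises a filter on `System Managed Identity` / `User Managed Identity` but the query only filters on `Microsoft.Compute` virtual machines and action names, and `isGraphAdmin` says "permission to create credentials for a registered application" while its action list is Files/Sites/Mail data-access scopes. Minor grammar: "user accounts that owns" should be "that own", and the `isAppRegistrationAdmin` sentence is missing "with" before "Entra ID service account administration privileges".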
Expand Down Expand Up @@ -441,6 +481,14 @@ Queries permissions to a specific cloud service such as AWS Lambda function, AWS
----
config from iam where dest.cloud.service.name = 'lambda' AND dest.cloud.resource.type = 'function' AND dest.cloud.resource.name = 'my-function'
----
//added for RLP-153639 on hold as of 12/19
//* *dest.cloud.resource.grantedbylevel*
//+
//Queries `grantedbyLevel` for groups as a destination resource to help identify groups with permissions on Management/Subscription levels:
//+
//----
//config from iam where source.cloud.type = 'AZURE' AND source.cloud.azure.user.isAppRegistrationOwner = true AND grantedby.cloud.entity.type = 'Service Principal' AND dest.cloud.azure.group.isadministrative.grantedby.level.type in (('AppRoleAssignment.ReadWrite.AllRole', 'Management.ReadWrite.Directory'), ('Azure Management Group', 'Azure Subscription' ) )
//----
* *dest.cloud.resource.id*
+
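Review bot: The commented-out `dest.cloud.resource.grantedbylevel` entry (on hold for RLP-153639) carries a query that is byte-for-byte the `isAppRegistrationOwner` example from the other file, keyed on `source.cloud.azure.user.isAppRegistrationOwner` rather than on the `dest.cloud.resource.grantedbylevel` attribute it is meant to document, so it will need its own query before it is re-enabled; a short `// TODO` saying so would stop someone uncommenting it as-is. Also consider wrapping the eight lines in a `////` comment block instead of prefixing each with `//`: it is easier to flip on later and avoids a stray `//+` being misread as list continuation if one prefix is removed.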