How to onboard Microsoft Azure

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-16
Category: Administrator Guide
Abstract

Follow the Azure onboarding wizard, and Cortex creates a custom authentication template to be executed in Azure.

Notice

This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM license that has the Cloud Runtime Security or Cloud Posture Security add-ons.

For Cortex XSIAM NG SIEM, Cortex XSIAM Enterprise, and Cortex XSIAM Enterprise+ licenses, see How to onboard Microsoft Azure with foundational configuration.

After completing the prerequisites, follow these instructions to onboard your Microsoft Azure environment to Cortex XSIAM.

Access the Azure onboarding wizard in Cortex XSIAM:
  1. In Cortex XSIAM, select Settings > Data Sources & Integrations.

  2. On the Data Sources & Integrations page, click + Add New.

  3. On the Add Data Sources or Integrations page, search for Microsoft Azure, then hover over it and click Add.

Select the Microsoft Azure environment
  • In the Microsoft Azure onboarding wizard, select the type of Microsoft Azure environment:

    • Government: Microsoft Azure Government environments for compatibility with FedRAMP-certified tenants.

    • Commercial: (Default) Standard cloud deployment typically used for private and public sector organizations that do not require isolated government-specific infrastructure.

Select the scope
  1. Select the scope for this cloud instance:

    • Tenant: (Default) A specific instance of Azure Active Directory, which can contain several subscriptions.

    • Management Group: A collection of Microsoft Azure subscriptions.

    • Subscription: A collection of Microsoft Azure resources associated with a specific Microsoft Azure tenant.

  2. When you select Tenant, you have the option to select Onboard Microsoft Entra ID only. For more details on this option, see Onboard Microsoft Entra ID only.

Choose the scan mode

This option is not available when you are onboarding Microsoft Entra ID only.

  • Specify the scanning infrastructure for your cloud instance by selecting one of the following scan modes:

    • Cloud Scan: (Recommended) Security scanning is performed in the Cortex XSIAM cloud environment.

    • Scan with Outpost: Security scanning is performed on infrastructure deployed to a cloud account owned by you. If you select this option, choose the outpost account to use for this instance or create a new outpost. For more information on outposts, see Outposts.

      Note

      Scanning with an outpost may require additional GCP permissions and may incur additional CSP costs.

Select or approve your Microsoft Azure tenant
  1. Select your Azure tenant ID from the list of approved tenants. A green checkmark next to a tenant ID indicates that Cortex XSIAM is already registered as an approved application on that tenant and the approval has been verified.

    If the Azure tenant you are onboarding does not appear in the list, or does not show a green checkmark, you must proceed with the following steps to grant Cortex XSIAM access.

  2. Click Approve in Azure. Cortex XSIAM redirects you to the Microsoft Azure admin consent page in a new browser tab.

  3. Sign in with an Azure account that has admin privileges on the target tenant.

  4. Review the requested permissions and click Accept to grant Cortex XSIAM admin consent on the tenant. After you accept, Azure redirects you back to Cortex XSIAM, which registers the tenant approval.

  5. Verify that a green checkmark now appears next to your Azure tenant ID in the approved tenants list, confirming that the tenant is approved and ready for onboarding.

    Note

    Cortex XSIAM performs a live verification of each tenant's approval status against Azure each time the list is displayed. If a previously approved tenant no longer shows a green checkmark, the Cortex XSIAM application may have been removed from the Azure tenant. Click Approve in Azure to re-authorize.

Configure advanced settings (optional)
  • Click Show advanced settings to define the following advanced settings:

    • Instance Name: Enter a unique instance name or leave it empty to be automatically populated. The automatic naming convention is Azure-<tenantID> or Azure-<subscriptionID>. Cortex XSIAM does not prevent you from reusing instance names, but it is best practice to use a unique name for every cloud instance.

    • Scope Modifications: Use these settings to fine-tune your Microsoft Azure scope. You can modify the scope by including or excluding specific regions. If you selected a Government environment, only Microsoft Azure Government regions are displayed. Additionally, if you selected a tenant or management group as the scope, you can modify the scope by including or excluding specific subscriptions. For more details, see Apply region or account filters. Scope modifications are not available when you are onboarding Microsoft Entra ID only.

    • Additional Security Capabilities: Choose which security capabilities you want to benefit from. Some security capabilities are enabled by default and can be modified. Adding security capability typically requires additional cloud provider permissions. For detailed information on the permissions required, see Cloud service provider permissions. When you are onboarding Microsoft Entra ID only, only XSIAM analytics is supported as an additional security capability.

      • XSIAM analytics: (Enabled by default) Analyzes your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.

      • Data security posture management: An agentless data security scanner that discovers, classifies, protects, and governs sensitive data. DSPM is not currently available in Microsoft Azure Government environments.

      • Registry scanning: A container registry scanner that scans registry images for vulnerabilities, malware, and secrets. For more details, see Configure registry scanning for cloud accounts.

      • Serverless functions scanning: Implement serverless scanning to detect and remediate vulnerabilities within serverless functions during the development lifecycle. Seamless integration into CI/CD pipelines enables automated security scans for a continuously secure pre-production environment.

        See ??? for the specific permissions you need to grant in your AWS account for scanning outposts and accessing logs.

      • Automation: Use automation to pre-configure a list of integrations and associated commands to automate security issue responses. Commands can be used individually or as part of custom playbooks for issue remediation.

        • Log Level: (Optional - for Automation only) Configure the automation integration logging level. Possible values are:

          • Off (Default)

          • Debug

          • Verbose

      • Agentless disk scanning: (Recommended) Implement agentless disk scanning to remotely detect and remediate vulnerabilities during the development lifecycle.

    • Cloud Tags: Define tags and tag values to be added to any new resource created by Cortex XSIAM in Microsoft Azure. Note: The managed_by = paloaltonetworks tag is automatically added to all resources. This tag is mandatory. You cannot edit or remove this tag.

    • Log Collection Configuration: To maximize security coverage, include the collection of audit logs using Event Hub. Select the collection method:

      • Automated collection: Cortex XSIAM provisions the resource group, Event Hub namespace, Event Hub, consumer group, storage account, user-assigned managed identity (UAMI), federated identity credential, diagnostic settings, and role assignment resources in your Azure environment to collect audit logs.

        • Tenant/management group scope: An Azure policy definition is also created to automatically deploy diagnostic settings to each subscription in the scope.

        • Cost considerations: Event Hub pricing is based on throughput units and ingress/egress. High-volume environments with many subscriptions can generate significant event throughput. We recommend you review your Azure Event Hubs pricing and expected event volume before enabling.

      • Custom (user defined): Select this option to use an existing Event Hub for storing your audit logs.

        • When you deploy the authentication template in ARM, you will enter the following details: Event Hub name, Event Hub namespace, Event Hub resource group name.

        • Cortex XSIAM creates the user-assigned managed identity (UAMI), federated identity credential, role assignments, and consumer group.

        • After you deploy the stack in ARM, you must ensure that your existing Event Hub has the appropriate diagnostic settings configured to stream Azure Activity Logs.

        Important

        It is critical to ensure that your namespace and Event Hub belong to the specific Azure subscription being onboarded. Cross-subscription or centralized logging is not currently supported.
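The two conditions above for a custom Event Hub (the existing hub must already stream Azure Activity Logs, and its namespace must sit in the subscription being onboarded) can be verified before the ARM deployment from the output of `az monitor diagnostic-settings subscription list --output json`. The following Python script is an added example and is not part of this guide or of the Cortex XSIAM template; it assumes the field names of the Azure Monitor subscription diagnostic-settings resource (eventHubAuthorizationRuleId, eventHubName, logs), and the subscription IDs, resource names and setting names in the embedded sample are constructed for the example.

```python
"""
Pre-deployment check for the "Custom (user defined)" Event Hub option.

Reads the JSON printed by
    az monitor diagnostic-settings subscription list --output json
and verifies that (1) one diagnostic setting streams Activity Logs to the
Event Hub / namespace / resource group that will be entered in the ARM
template, (2) that namespace belongs to the subscription being onboarded
(cross-subscription logging is not supported), and (3) every Activity Log
category is enabled on that setting.
"""
import json
import re

# All Activity Log categories a subscription diagnostic setting can enable.
ACTIVITY_LOG_CATEGORIES = {
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
}

# Authorization-rule resource ID shape; the rule may be namespace- or hub-level.
_AUTH_RULE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)"
    r"(?:/eventhubs/[^/]+)?/authorizationrules/[^/]+$",
    re.IGNORECASE,
)

# Constructed sample output (made-up IDs and names): one setting that routes
# correctly, one that routes to a central hub in another subscription with two
# categories disabled, and one that goes to Log Analytics, not an Event Hub.
SAMPLE_SETTINGS = json.dumps({"value": [
    {
        "name": "to-cortex-eventhub",
        "eventHubAuthorizationRuleId": "/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/cortex-rg/providers/Microsoft.EventHub/namespaces/cortex-ns"
            "/authorizationrules/RootManageSharedAccessKey",
        "eventHubName": "activity-logs",
        "logs": [{"category": c, "enabled": True} for c in sorted(ACTIVITY_LOG_CATEGORIES)],
    },
    {
        "name": "central-logging",
        "eventHubAuthorizationRuleId": "/subscriptions/22222222-2222-2222-2222-222222222222"
            "/resourceGroups/central-rg/providers/Microsoft.EventHub/namespaces/central-ns"
            "/authorizationrules/RootManageSharedAccessKey",
        "eventHubName": "central-activity",
        "logs": [{"category": c, "enabled": c not in ("Policy", "Autoscale")}
                 for c in sorted(ACTIVITY_LOG_CATEGORIES)],
    },
    {
        "name": "to-log-analytics",
        "workspaceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/la-rg/providers/Microsoft.OperationalInsights/workspaces/la-ws",
        "logs": [{"category": "Administrative", "enabled": True}],
    },
]})


def parse_auth_rule_id(rule_id):
    """Return (subscription_id, resource_group, namespace), lower-cased, or None."""
    m = _AUTH_RULE_RE.match(rule_id or "")
    if not m:
        return None
    return m.group("sub").lower(), m.group("rg").lower(), m.group("ns").lower()


def check_activity_log_routing(settings_json, onboarded_sub, expected):
    """
    settings_json: text from the az command above
    onboarded_sub: subscription ID being onboarded in the wizard
    expected: {'event_hub': ..., 'namespace': ..., 'resource_group': ...},
              the three values that will be entered in the ARM template
    Returns a list of findings; an empty list means the routing is correct.
    """
    want = (expected["event_hub"].lower(), expected["namespace"].lower(),
            expected["resource_group"].lower())
    findings, matched = [], False
    for s in json.loads(settings_json).get("value", []):
        parsed = parse_auth_rule_id(s.get("eventHubAuthorizationRuleId"))
        if parsed is None:
            continue  # storage / Log Analytics destination, not an Event Hub
        sub, rg, ns = parsed
        if ((s.get("eventHubName") or "").lower(), ns, rg) != want:
            continue
        matched = True
        if sub != onboarded_sub.lower():
            findings.append(f"{s['name']}: namespace {ns} is in subscription {sub}, not the "
                            f"onboarded subscription {onboarded_sub} (cross-subscription logging unsupported)")
        enabled = {l["category"] for l in s.get("logs", []) if l.get("enabled")}
        missing = ACTIVITY_LOG_CATEGORIES - enabled
        if missing:
            findings.append(f"{s['name']}: Activity Log categories not enabled: {sorted(missing)}")
    if not matched:
        findings.append(f"no diagnostic setting streams Activity Logs to Event Hub {want[0]} "
                        f"in namespace {want[1]} (resource group {want[2]})")
    return findings


if __name__ == "__main__":
    for sub, exp in [
        ("11111111-1111-1111-1111-111111111111",
         {"event_hub": "activity-logs", "namespace": "cortex-ns", "resource_group": "cortex-rg"}),
        ("33333333-3333-3333-3333-333333333333",
         {"event_hub": "central-activity", "namespace": "central-ns", "resource_group": "central-rg"}),
    ]:
        print(sub, check_activity_log_routing(SAMPLE_SETTINGS, sub, exp) or "OK")
```

Against real output, replace SAMPLE_SETTINGS with the text read from the az command and pass the subscription ID and the three template values; a non-empty result means the existing hub will not receive Activity Logs the way the guide requires, and should be fixed before the ARM deployment rather than after.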

Save the configuration and download the template
  1. Click Save. Cortex XSIAM generates a Terraform or ARM authentication template based on the settings you configured in the Microsoft Azure onboarding wizard. Cortex XSIAM creates an instance in the pending state. For details on pending instances, see Lifecycle and expiration.

  2. Download the authentication template:

    The authentication template is reusable and can be executed as many times as you want to create new cloud instances with the settings you defined in the Microsoft Azure onboarding wizard. The Terraform authentication template is valid for seven days from when it was created.

  3. Click Close.