Microsoft Azure - Custom Roles

Creating Custom Azure Roles for InsightCloudSec

❗️

Critical Azure Vulnerability

To support our customers' OMIGOD investigation and remediation efforts, InsightCloudSec now captures the Azure OMS extension version. As of September 18th, 2021, Microsoft has released version 1.13.40 of the software agent, which patches the vulnerability (CVE-2021-38647). The Insight "Compute Instance Running Vulnerable Version of OMS" identifies Azure Virtual Machines running a version of the OMS extension that is vulnerable to OMIGOD.

If you have questions or concerns reach out to us at [email protected].

This article details how to create or customize roles within Microsoft Azure. For most scenarios within InsightCloudSec, though, the built-in Azure roles are appropriate.

For any questions about the content provided here feel free to reach out to [email protected].

Prerequisite Roles

To access services through InsightCloudSec, we recommend using either a read-only role or a power-user role.

If you are interested in operating in a read-only fashion, which will prevent InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the InsightCloudSec Standard User role. This role will grant InsightCloudSec read-only permissions to supported resources, so that it can harvest data and report on it.

If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Power User role. The InsightCloudSec Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them.

You may wish to start with InsightCloudSec Standard User until you are more familiar with how to use InsightCloudSec and then change to InsightCloudSec Power User when you are ready to use all of the capabilities InsightCloudSec has to offer.

📘

Note

The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Power User, Standard User, and Reader Plus roles because it must be granted explicitly unless one of the built-in Owner, Contributor, or AcrPull roles is used.

InsightCloudSec Standard User Role

❗️

Assignable Scopes

Note the "AssignableScopes" at the bottom of this file will need to be slightly different if you're configuring an Azure Organization.

{
    "Name": "InsightCloudSec Standard User",
    "Id": null,
    "IsCustom": true,
    "Description": "Provides read-only access to resources supported by InsightCloudSec.",
    "Actions": [
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Authorization/classicAdministrators/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/policyAssignments/read",
        "Microsoft.Authorization/policyDefinitions/read",
        "Microsoft.Authorization/policySetDefinitions/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Batch/batchAccounts/read",
        "Microsoft.Batch/batchAccounts/pools/read",
        "Microsoft.Cache/redis/read",
        "Microsoft.Cache/redis/firewallRules/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/galleries/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/galleries/images/versions/read",
        "Microsoft.Compute/hostGroups/read",
        "Microsoft.Compute/images/read",
        "Microsoft.Compute/skus/read",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
        "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
        "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.ContainerInstance/containerGroups/read",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/read",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.Databricks/workspaces/read",
        "Microsoft.DataFactory/factories/read",
        "Microsoft.DataLakeStore/accounts/read",
        "Microsoft.DBforMariaDB/locations/performanceTiers/read",
        "Microsoft.DBforMariaDB/performanceTiers/read",
        "Microsoft.DBforMariaDB/servers/configurations/read",
        "Microsoft.DBforMariaDB/servers/firewallRules/read",
        "Microsoft.DBforMariaDB/servers/read",
        "Microsoft.DBforMariaDB/servers/virtualNetworkRules/read",
        "Microsoft.DBforMySQL/locations/performanceTiers/read",
        "Microsoft.DBforMySQL/performanceTiers/read",
        "Microsoft.DBforMySQL/servers/administrators/read",
        "Microsoft.DBforMySQL/servers/configurations/read",
        "Microsoft.DBforMySQL/servers/firewallRules/read",
        "Microsoft.DBforMySQL/servers/keys/read",
        "Microsoft.DBforMySQL/servers/read",
        "Microsoft.DBforMySQL/servers/virtualNetworkRules/read",
        "Microsoft.DBforPostgreSQL/locations/performanceTiers/read",
        "Microsoft.DBforPostgreSQL/performanceTiers/read",
        "Microsoft.DBforPostgreSQL/servers/administrators/read",
        "Microsoft.DBforPostgreSQL/servers/configurations/read",
        "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
        "Microsoft.DBforPostgreSQL/servers/keys/read",
        "Microsoft.DBforPostgreSQL/servers/read",
        "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.DocumentDB/databaseAccounts/usages/read",
        "Microsoft.EventHub/namespaces/eventhubs/read",
        "Microsoft.EventHub/namespaces/networkruleset/read",
        "Microsoft.EventHub/namespaces/networkrulesets/read",
        "Microsoft.EventHub/namespaces/read",
        "Microsoft.HDInsight/clusters/read",
        "Microsoft.Insights/DiagnosticSettings/Read",
        "Microsoft.Insights/LogProfiles/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Logic/workflows/read",
        "Microsoft.Network/applicationGateways/read",
        "Microsoft.Network/azurefirewalls/read",
        "Microsoft.Network/dnszones/A/read",
        "Microsoft.Network/dnszones/AAAA/read",
        "Microsoft.Network/dnszones/CAA/read",
        "Microsoft.Network/dnszones/CNAME/read",
        "Microsoft.Network/dnszones/MX/read",
        "Microsoft.Network/dnszones/NS/read",
        "Microsoft.Network/dnszones/PTR/read",
        "Microsoft.Network/dnszones/SOA/read",
        "Microsoft.Network/dnszones/SRV/read",
        "Microsoft.Network/dnszones/TXT/read",
        "Microsoft.Network/dnszones/read",
        "Microsoft.Network/dnszones/recordsets/read",
        "Microsoft.Network/expressRouteCircuits/read",
        "Microsoft.Network/frontDoors/read",
        "Microsoft.Network/ipGroups/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/read",
        "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
        "Microsoft.Network/loadBalancers/networkInterfaces/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/usages/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkWatchers/configureFlowLog/action",
        "Microsoft.Network/networkWatchers/flowLogs/read",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
        "Microsoft.Network/networkWatchers/read",
        "Microsoft.Network/privateDnsZones/A/read",
        "Microsoft.Network/privateDnsZones/AAAA/read",
        "Microsoft.Network/privateDnsZones/CNAME/read",
        "Microsoft.Network/privateDnsZones/MX/read",
        "Microsoft.Network/privateDnsZones/PTR/read",
        "Microsoft.Network/privateDnsZones/SOA/read",
        "Microsoft.Network/privateDnsZones/SRV/read",
        "Microsoft.Network/privateDnsZones/TXT/read",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/recordsets/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
        "Microsoft.Network/privateEndpoints/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/serviceEndpointPolicies/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualnetworks/read",
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.Resources/subscriptions/locations/read",
        "Microsoft.Resources/subscriptions/providers/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
        "Microsoft.Search/searchServices/read",
        "Microsoft.Security/advancedThreatProtectionSettings/read",
        "Microsoft.Security/alerts/read",
        "Microsoft.Security/assessments/read",
        "Microsoft.Security/autoProvisioningSettings/read",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
        "Microsoft.Security/pricings/read",
        "Microsoft.Security/securityContacts/read",
        "Microsoft.Security/tasks/read",
        "Microsoft.ServiceBus/namespaces/networkRuleSets/read",
        "Microsoft.ServiceBus/namespaces/queues/read",
        "Microsoft.ServiceBus/namespaces/read",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/read",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read",
        "Microsoft.Sql/servers/administrators/read",
        "Microsoft.Sql/servers/auditingSettings/read",
        "Microsoft.Sql/servers/databases/auditingSettings/read",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
        "Microsoft.Sql/servers/databases/skus/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Sql/servers/firewallRules/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/read",
        "Microsoft.Sql/servers/virtualNetworkRules/read",
        "Microsoft.Sql/servers/vulnerabilityAssessments/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Synapse/workspaces/read",
        "Microsoft.Web/serverfarms/read",
        "Microsoft.Web/sites/Read",
        "Microsoft.Web/sites/config/Read",
        "Microsoft.Web/sites/config/list/Action",
        "Microsoft.Web/sites/functions/read",
        "Microsoft.Web/sites/slots/Read",
        "Microsoft.Web/sites/slots/config/Read",
        "Microsoft.Web/sites/slots/config/list/Action",
        "Microsoft.Web/sites/slots/functions/read",
        "microsoft.web/sites/slots/virtualnetworkconnections/read",
        "microsoft.web/sites/virtualnetworkconnections/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000",
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}

❗️

Subscription Details

For the subscription section in the code snippets above (and below), replace the 000s and 111s with YOUR SUBSCRIPTION ID. If you are only setting this up for one subscription, you can remove the line with the 111s; you should also remove the trailing comma from the line above it (the line with the 000s), so the JSON stays valid.

InsightCloudSec Power User Role

{
    "Name": "InsightCloudSec Power User",
    "Id": null,
    "IsCustom": true,
    "Description": "Provides full access to resources supported by InsightCloudSec.",
    "Actions": [
        "Microsoft.Advisor/*",
        "Microsoft.Authorization/*",
        "Microsoft.Batch/*",
        "Microsoft.Cache/*",
        "Microsoft.Compute/*",
        "Microsoft.ContainerInstance/*",
        "Microsoft.ContainerRegistry/*",
        "Microsoft.ContainerService/*",
        "Microsoft.Databricks/*",
        "Microsoft.DataFactory/*",
        "Microsoft.DataLakeStore/*",
        "Microsoft.DBforMariaDB/*",
        "Microsoft.DBforMySQL/*",
        "Microsoft.DBforPostgreSQL/*",
        "Microsoft.DocumentDB/*",
        "Microsoft.EventHub/*",
        "Microsoft.HDInsight/*",
        "Microsoft.Insights/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Logic/*",
        "Microsoft.Network/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.Resources/*",
        "Microsoft.Search/*",
        "Microsoft.Security/*",
        "Microsoft.ServiceBus/*",
        "Microsoft.Sql/*",
        "Microsoft.Storage/*",
        "Microsoft.Synapse/*",
        "Microsoft.Web/*"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000",
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}

InsightCloudSec Reader Plus Role

InsightCloudSec recommends using the built-in "Reader" role for read-only permissions to all resources. Note that this role does not include the following additional permissions:

  • "Microsoft.Storage/storageAccounts/listkeys/action"

The above permission is used to provide visibility into blob storage containers that are configured to host static website content.

  • "Microsoft.Web/sites/config/list/Action"
  • "Microsoft.Web/sites/slots/config/list/Action"

For the permissions above, the config/list/Action permission provides visibility to determine whether Web Apps are configured to require authentication and, for Serverless Functions, whether the function is enabled or disabled. The caveat is that those permissions also provide access to any environment variables configured for Web Apps, which may contain sensitive information.

{
    "Name": "InsightCloudSec Reader Plus",
    "Id": null,
    "IsCustom": true,
    "Description": "Provides read-only access to all Azure resources plus some additional permissions not covered by the built-in Reader role.",
    "Actions": [
        "*/read",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Web/sites/config/list/Action",
        "Microsoft.Web/sites/slots/config/list/Action"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000",
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}
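The Subscription Details note above asks you to hand-edit the AssignableScopes placeholders, and the Reader Plus section warns that a few actions in a "read-only" role grant more than read access. The following Python script is an added example, not Rapid7's code or part of this documentation: it takes a role definition in the page's JSON format, replaces the placeholder scopes with validated subscription IDs (so no commas need fixing by hand), and lists every action that does not end in "/read" so they can be reviewed before the role is created. The trimmed Reader Plus template and the subscription ID inside it are constructed sample values.

```python
"""Prepare an InsightCloudSec custom role definition for Azure.

Added example (not part of the Rapid7 documentation): fills in the
AssignableScopes placeholders and lists every action that grants more
than read access, so the operator can review it before creating the role.
"""
import json
import re

# Constructed sample: a trimmed copy of the "InsightCloudSec Reader Plus"
# template from the page, still carrying the placeholder subscription scopes.
ROLE_TEMPLATE = """
{
    "Name": "InsightCloudSec Reader Plus",
    "Id": null,
    "IsCustom": true,
    "Description": "Read-only access plus a few extra permissions.",
    "Actions": [
        "*/read",
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Web/sites/config/list/Action",
        "Microsoft.Web/sites/slots/config/list/Action"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000",
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}
"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Placeholder scopes used by the documentation; they must never reach Azure.
PLACEHOLDER_SCOPES = {
    "/subscriptions/00000000-0000-0000-0000-000000000000",
    "/subscriptions/11111111-1111-1111-1111-111111111111",
}


def load_template(template_text):
    """Parse the role definition JSON into a dict."""
    return json.loads(template_text)


def set_assignable_scopes(role, subscription_ids):
    """Return a copy of the role scoped to the given subscription IDs.

    Each ID is validated as a GUID; an empty list is refused because it
    would produce a role that cannot be assigned anywhere.
    """
    if not subscription_ids:
        raise ValueError("at least one subscription ID is required")
    scopes = []
    for sub in subscription_ids:
        if not GUID_RE.match(sub):
            raise ValueError(f"not a subscription GUID: {sub!r}")
        scopes.append(f"/subscriptions/{sub.lower()}")
    prepared = dict(role)
    prepared["AssignableScopes"] = scopes
    return prepared


def has_placeholder_scopes(role):
    """True if any documentation placeholder scope is still present."""
    return any(s in PLACEHOLDER_SCOPES for s in role.get("AssignableScopes", []))


def non_read_actions(role):
    """Actions that grant more than read access.

    Azure action names are case-insensitive, so they are compared in lower
    case. Anything not ending in '/read' (for example 'listkeys/action' or
    'config/list/action') is returned for review.
    """
    return sorted(a for a in role["Actions"] if not a.lower().endswith("/read"))


def prepare(template_text, subscription_ids):
    """Parse the template, apply the scopes and return (role, review_list)."""
    role = set_assignable_scopes(load_template(template_text), subscription_ids)
    return role, non_read_actions(role)


if __name__ == "__main__":
    # Constructed subscription ID, not a real one.
    role, review = prepare(ROLE_TEMPLATE, ["12345678-1234-1234-1234-123456789abc"])
    print(json.dumps(role, indent=4))
    print("Actions granting more than read access:", review)
```

Run it with your own subscription IDs in place of the constructed one and write the printed JSON to the file you pass to the PowerShell or Azure CLI commands below; the review list is where you decide whether, for example, the listkeys and config/list actions are acceptable in your environment.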

Creating Custom Roles

To add one of these roles to your account, copy the JSON for the desired role above into a file and use either PowerShell or the Azure CLI from the command line to create the role.

📘

Azure CLI (Recommended)

If you don't have the Azure CLI set up, you can install it from the Microsoft Azure documentation.

PowerShell

New-AzureRmRoleDefinition -InputFile <role_definition>

Azure CLI

az role definition create --role-definition <role_definition>

Updating Custom Roles

To modify an existing custom role:

Retrieve the existing role with either PowerShell or Azure CLI.

PowerShell

Get-AzureRmRoleDefinition -Custom | ConvertTo-Json

Azure CLI

az role definition list --custom-role-only

Copy the JSON for the custom role you wish to modify into a new file and make the desired changes to the role definition. Then update the role in Azure.

PowerShell

Set-AzureRmRoleDefinition -InputFile <role_definition>

Azure CLI

az role definition update --role-definition <role_definition>
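The create and update steps above use the same JSON file, but the update needs to locate an existing role while the create must not. The Python script below is an added example, not Rapid7's code or part of this documentation: given a prepared role definition and the list returned by "az role definition list --custom-role-only", it chooses between "az role definition create" and "az role definition update", copies the existing role's "id" into the definition for the update case (the Azure CLI uses the id to find the role to update), and refuses to run while the documentation's placeholder subscription IDs are still in AssignableScopes. The existing-roles list is a constructed sample whose field names ("roleName", "name", "id", "assignableScopes") are an assumption about the shape of that command's output, and every GUID in it is made up.

```python
"""Decide whether to create or update an InsightCloudSec custom role.

Added example (not Rapid7's code): returns the az command to run and the
definition to feed it. For an update the existing role's 'id' is carried
into the definition so the CLI can locate the role.
"""
import json
import subprocess

# Constructed sample shaped like 'az role definition list --custom-role-only'
# output (field names are an assumption about that output; GUIDs are made up).
EXISTING_ROLES_JSON = """
[
  {
    "roleName": "InsightCloudSec Standard User",
    "name": "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa",
    "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa",
    "assignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789abc"]
  }
]
"""

# Placeholder subscription IDs from the documentation; never send these to Azure.
PLACEHOLDER_SUBSCRIPTIONS = (
    "00000000-0000-0000-0000-000000000000",
    "11111111-1111-1111-1111-111111111111",
)


def load_existing(text):
    """Parse the JSON list of existing custom roles."""
    return json.loads(text)


def find_existing(existing_roles, role_name):
    """Return the existing custom role with this display name, or None."""
    for r in existing_roles:
        if r.get("roleName", "").lower() == role_name.lower():
            return r
    return None


def plan(role, existing_roles):
    """Return (argv, definition) for creating or updating the role.

    Raises ValueError if a placeholder subscription ID is still present in
    AssignableScopes, so a copy-pasted template cannot be applied by mistake.
    """
    for scope in role.get("AssignableScopes", []):
        if any(p in scope for p in PLACEHOLDER_SUBSCRIPTIONS):
            raise ValueError(f"placeholder subscription still present: {scope}")
    definition = dict(role)
    existing = find_existing(existing_roles, role["Name"])
    if existing is None:
        definition["Id"] = None        # new role: the page's templates use null here
        verb = "create"
    else:
        definition["Id"] = existing["id"]  # update: carry the existing role id
        verb = "update"
    argv = ["az", "role", "definition", verb,
            "--role-definition", json.dumps(definition)]
    return argv, definition


def apply(role, existing_roles):
    """Run the planned az command. Requires a logged-in Azure CLI."""
    argv, _ = plan(role, existing_roles)
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed role definition with the placeholders already replaced.
    role = {
        "Name": "InsightCloudSec Standard User",
        "Id": None, "IsCustom": True,
        "Description": "Read-only access for InsightCloudSec.",
        "Actions": ["*/read"], "NotActions": [],
        "AssignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789abc"],
    }
    argv, definition = plan(role, load_existing(EXISTING_ROLES_JSON))
    print(" ".join(argv[:4]), "with Id =", definition["Id"])
```

In real use, feed "plan" the output of "az role definition list --custom-role-only" captured from your own subscription and call "apply" only after reviewing the printed command; the same id-carrying rule applies if you update with Set-AzureRmRoleDefinition, whose input file must contain the existing role's Id rather than null.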

With these roles defined, return to Microsoft Azure to connect your Azure account with InsightCloudSec.
