# Azure Forensics
## Prerequisites

These steps are specifically for the Azure Cost and Usage integration. This integration currently requires approval from SHI in advance.

To perform the following steps, the user executing them must have:

- The Application Administrator role at the scope where the role assignment is being made (in this case, the root scope `/`), in order to assign roles to the service principal (step 3).
- An Azure CLI environment; we recommend using the Cloud Shell available in the Azure portal to run the `az` CLI commands.

## Permissions required

We request the following permissions to be assigned to our application:

| Role | Scope | Purpose |
|---|---|---|
| Cost Management Contributor | Root tenant scope | Cost Management Contributor at the root tenant scope lets us:<br>- retrieve a list of your subscriptions attached to that tenant scope<br>- schedule cost & usage reports for each subscription individually<br>- detect new subscriptions and auto-configure cost & usage exports<br><br>**Note:** while Cost Management Contributor also has access to create/update/delete budgets, that is not the purpose of this application and those permissions will not be used. |
| Storage Account Contributor | Designated storage account | Storage Account Contributor for a single storage account created for cost & usage data exports. A storage account specifically created for cost & usage exports will be managed by our application, including configuring the storage retention policy to keep data storage costs minimal. Currently we use hot storage for 7 days, cold storage for 30 days, then deletion.<br><br>This storage account must be dedicated for our use. Do not use this storage account for any other purpose, as our retention policies will apply to those files. |

## Step-by-step instructions

You will require access to both the Azure portal and the Azure CLI to execute these commands.

### 1. Create a storage account

Create a storage account inside your root tenant. This will be used for the data exports. Copy the storage account name, as you'll need it for a later step.

We require this to be a new storage account, as the roles required to manage the creation of data exports and to create the file lifecycle policy will give full access to this storage account.

### 2. Validate your current tenant

From the Azure portal shell (Bash), run the following command to validate that you're currently active under the tenant you intend to grant access for:

```bash
az account list --query "[?isDefault].{tenantId:tenantId, name:name}"
```

Keep track of this `tenantId` for future steps, as well as for providing this data back to us.

### 3. Create a service principal for our application

Run the following command to create a service principal for our application using its application ID:

```bash
az ad sp create --id 6b2205ef-191b-4e4a-b7dd-31a0059f8abe
```

Explanation: this command creates a service principal associated with our application. A service principal is an identity used by applications or services to access Azure resources. By creating this, you establish an identity for our app in your Azure Active Directory (Azure AD). Application ID `6b2205ef-191b-4e4a-b7dd-31a0059f8abe` is the application ID for Catalyst by SHI - Azure Cost and Usage.

### 4. Grant the service principal access to your new storage account

```bash
scope=`az storage account show --name <storage-account-name> --query "id" | xargs`
echo $scope
```

Example:

```
$ scope=`az storage account show --name <storage-account-name> --query "id" | xargs`
$ echo $scope
/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mynewstorageaccount
```

Save the output provided! We'll need that information in order to configure and retrieve cost and usage data. If you don't see that string, make sure your `az` command is surrounded by backticks (`` ` ``) and not quotes.

Now run:

```bash
az role assignment create --assignee 6b2205ef-191b-4e4a-b7dd-31a0059f8abe --role 'Storage Account Contributor' --scope $scope
```

This will assign the Storage Account Contributor role to that specific storage account, and only that storage account.

### 5. Grant the service principal the Cost Management Contributor role

```bash
az role assignment create --assignee 6b2205ef-191b-4e4a-b7dd-31a0059f8abe --role 'Cost Management Contributor' --scope /
```

The purpose of this role is to allow us to create data exports for subscriptions. Providing this level of access reduces the amount of initial setup and removes the need for ongoing maintenance per subscription: if you add a new subscription to your tenant, we will detect that subscription and start collecting cost & usage data for it.

### 6. Provide the "scope" with storage account information back to your SHI expert

Copy the value you saved above in step 4:

```
/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mynewstorageaccount
```

and provide it back to your SHI expert. There are no secret values or passwords in this string, so it's safe to pass via email or other methods.
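One way to confirm, after steps 4 and 5, that the service principal holds exactly the two roles at exactly the scopes this guide asks for and nothing broader. This is an added example, not part of the original guide: it parses the JSON printed by `az role assignment list --assignee <app-id> --all` (the `roleDefinitionName` and `scope` fields are real output fields); the sample output and the storage account resource ID below are constructed placeholders.

```python
"""Audit the role assignments granted to the Catalyst service principal.

Added example (not from the original guide). Feed it the JSON from
`az role assignment list --assignee 6b2205ef-191b-4e4a-b7dd-31a0059f8abe --all`
and it reports required roles that are missing and any role/scope pair the
guide never asked for. The sample data below is constructed.
"""
import json

APP_ID = "6b2205ef-191b-4e4a-b7dd-31a0059f8abe"   # application ID from the guide

# Resource ID of the dedicated export storage account (constructed placeholder).
STORAGE_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/myResourceGroup/providers/Microsoft.Storage"
                 "/storageAccounts/mynewstorageaccount")


def expected_assignments(storage_scope):
    """The exact (role, scope) pairs steps 4 and 5 of the guide create."""
    return {
        ("Storage Account Contributor", storage_scope.lower()),
        ("Cost Management Contributor", "/"),
    }


def audit_assignments(role_assignment_json, storage_scope):
    """Return (missing, unexpected) as sorted lists of (role, scope).

    `missing`: required pairs absent from the tenant.  `unexpected`: pairs
    present that the guide never requested, e.g. Storage Account Contributor
    on a whole subscription instead of on the one dedicated account.
    Scopes are compared case-insensitively, as Azure resource IDs are.
    """
    actual = {(a["roleDefinitionName"], a["scope"].lower())
              for a in json.loads(role_assignment_json)}
    expected = expected_assignments(storage_scope)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sample output: Cost Management Contributor correctly at root, but
# Storage Account Contributor granted at subscription scope instead of on the
# dedicated account, plus a Reader role nobody requested.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_OUTPUT = json.dumps([
    {"roleDefinitionName": "Cost Management Contributor", "scope": "/"},
    {"roleDefinitionName": "Storage Account Contributor", "scope": SUBSCRIPTION_SCOPE},
    {"roleDefinitionName": "Reader", "scope": SUBSCRIPTION_SCOPE},
])

if __name__ == "__main__":
    missing, unexpected = audit_assignments(SAMPLE_OUTPUT, STORAGE_SCOPE)
    for role, scope in missing:
        print(f"MISSING    {role} at {scope}")
    for role, scope in unexpected:
        print(f"UNEXPECTED {role} at {scope}  (remove or narrow this assignment)")
```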