In this Wiz outpost blog post, we explain how to harden an Azure Wiz outpost and which best practices to follow.
Hardening Azure Wiz Outpost
Azure Wiz outposts give organisations an extra layer of security: Wiz's scanning data stays inside a dedicated Azure subscription that you control, rather than being sent to Wiz.
This post outlines industry best practices and recommends applying them to the Azure subscription your Azure outpost runs from.
Use a Dedicated Subscription
Wiz recommends running the Wiz Azure outpost under a dedicated Azure subscription. You should also run Azure commands from Azure Cloud Shell, not from a management machine.
Enable Microsoft Defender for Cloud
With Microsoft Defender for Cloud, Azure can scan and protect all the resources within the subscription, including the AKS cluster and containers that form the outpost. This will also reduce some of the alerts Wiz generates.
Enable auto-provisioning of Microsoft Monitoring Agent
If you enable auto-provisioning of the Microsoft Monitoring Agent (MMA), Azure installs it automatically on every new VM provisioned in the environment. The MMA scans for vulnerabilities, security events, and more.
Create Activity Log Alerts
Azure Monitor can generate alerts based on specific activities. Create a resource group dedicated to the activity log alerts and configure the following alerts:
| Condition Name | Alert Name |
|---|---|
| Create or Update Network Security Group (networkSecurityGroups) | Activity Log for creating or updating Network Security Groups |
| Delete Network Security Group (networkSecurityGroups) | Activity Log for deleting Network Security Groups |
| Create or Update Security Rule (networkSecurityGroups/securityRules) | Activity Log for creating or updating Network Security Group Rules |
| Delete Security Rule (networkSecurityGroups/securityRules) | Activity Log for deleting Network Security Group Rules |
| Create or Update Security Solutions (securitySolutions) | Activity Log for creating or updating Security Solutions |
| Update Security Policy (policies) | Activity Log for updating security policies |
| Delete Security Solutions (securitySolutions) | Activity Log for deleting Security Solutions |
| Create Policy Assignment (policyAssignments) | Activity Log for creating policy assignments |
| Delete Policy Assignment (policyAssignments) | Activity Log for deleting policy assignments |
| Create or Update Public IP Address (publicIPAddresses) | Activity Log for creating or updating Public IP addresses |
| Delete Public IP Address (publicIPAddresses) | Activity Log for deleting Public IP addresses |
| Create/Update Server Firewall Rule (servers/firewallRules) | Activity Log for creating or updating server firewall rules |
| Delete Server Firewall Rule (servers/firewallRules) | Activity Log for deleting server firewall rules |
Once you have created the alerts, make sure they are integrated with Azure Monitor so that notifications are actually delivered.
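The Defender for Cloud and auto-provisioning steps above, together with the activity log alert table, can be applied from Azure Cloud Shell with the Azure CLI. The script below is an added example and not Wiz's own tooling: the subscription ID, resource group, region, action group and e-mail address are assumed placeholders, while the operation names are the standard Azure Resource Manager operation names for the resource types the table lists. With `APPLY` unset it only prints the `az` commands it would run, so the plan can be reviewed before anything is changed in the outpost subscription.

```shell
#!/bin/sh
# Added example, not Wiz's own tooling: applies the subscription hardening
# steps from the post with the Azure CLI, as typed into Azure Cloud Shell.
# Subscription, resource group, region, action group and e-mail values are
# assumed placeholders; replace them with your own. With APPLY unset the
# script only prints the az commands it would run (dry run).
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}" # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-outpost-activity-alerts}"   # assumed name
RG_LOCATION="${RG_LOCATION:-eastus}"                              # assumed region
ACTION_GROUP="${ACTION_GROUP:-ag-outpost-security}"              # assumed name
ALERT_EMAIL="${ALERT_EMAIL:-secops@example.com}"                 # placeholder

# Defender for Cloud plans to enable: VMs and containers are what the
# outpost's AKS cluster is built from.
DEFENDER_PLANS="VirtualMachines Containers"

# One line per row of the alert table: "<alert name>|<ARM operation name>".
# These are the standard Azure Resource Manager operation names for the
# resource types named in the table (write = create or update).
ALERTS='
nsg-write|Microsoft.Network/networkSecurityGroups/write
nsg-delete|Microsoft.Network/networkSecurityGroups/delete
nsg-rule-write|Microsoft.Network/networkSecurityGroups/securityRules/write
nsg-rule-delete|Microsoft.Network/networkSecurityGroups/securityRules/delete
security-solution-write|Microsoft.Security/securitySolutions/write
security-policy-write|Microsoft.Security/policies/write
security-solution-delete|Microsoft.Security/securitySolutions/delete
policy-assignment-write|Microsoft.Authorization/policyAssignments/write
policy-assignment-delete|Microsoft.Authorization/policyAssignments/delete
public-ip-write|Microsoft.Network/publicIPAddresses/write
public-ip-delete|Microsoft.Network/publicIPAddresses/delete
sql-firewall-rule-write|Microsoft.Sql/servers/firewallRules/write
sql-firewall-rule-delete|Microsoft.Sql/servers/firewallRules/delete
'

# --condition value for one operation: control-plane writes and deletes
# are recorded in the activity log under the Administrative category.
alert_condition() {
  printf 'category=Administrative and operationName=%s' "$1"
}

# Number of alert rules defined in ALERTS (blank lines ignored).
alert_count() {
  printf '%s\n' "$ALERTS" | grep -c '|'
}

# Run an az command, or only print it when APPLY is not 1 (dry run).
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s ' "$@"
    printf '\n'
  fi
}

enable_defender() {
  run az account set --subscription "$SUBSCRIPTION_ID"
  for plan in $DEFENDER_PLANS; do
    run az security pricing create --name "$plan" --tier Standard
  done
  # Auto-provision the monitoring agent on every new VM in the subscription.
  run az security auto-provisioning-setting update --name default --auto-provision On
}

create_alerts() {
  # Dedicated resource group for the alert rules, as the post recommends.
  run az group create --name "$RESOURCE_GROUP" --location "$RG_LOCATION"
  # Action group that receives the alerts (short name is limited to 12 chars).
  run az monitor action-group create --name "$ACTION_GROUP" \
    --resource-group "$RESOURCE_GROUP" --short-name outpostsec \
    --action email secops "$ALERT_EMAIL"
  # One activity log alert per table row, scoped to the whole subscription
  # and wired to the action group so the alerts reach someone.
  printf '%s\n' "$ALERTS" | grep '|' | while IFS='|' read -r name op; do
    run az monitor activity-log alert create --name "$name" \
      --resource-group "$RESOURCE_GROUP" \
      --scope "/subscriptions/$SUBSCRIPTION_ID" \
      --condition "$(alert_condition "$op")" \
      --action-group "$ACTION_GROUP" \
      --description "Activity log alert for $op"
  done
}

enable_defender
create_alerts
```

Run it once without `APPLY` to read the plan (the dry-run print shows each argument unquoted, so re-quote the `--condition` value if you copy a line back by hand), then `APPLY=1 sh harden-outpost.sh` to apply it. Creating the alerts with `--action-group` attached is what turns the table into notifications rather than silent log rules.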