
In this blog post, we explain how to harden an Azure Wiz Outpost by following best practices.

Hardening Azure Wiz Outpost

Azure Wiz Outposts give organisations an extra layer of security by retaining Wiz's scanning data inside a dedicated Azure subscription instead of sending that data to Wiz.

This post outlines industry best practices and recommends applying them to the Azure subscription your Azure outpost runs from.

Use a Dedicated Subscription

Wiz recommends running the Wiz Azure outpost under a dedicated Azure subscription. You should also run Azure commands from Azure Cloud Shell, not from a management machine.

Enable Microsoft Defender for Cloud

With Microsoft Defender for Cloud, Azure can scan and protect all the resources within the subscription, including the AKS cluster and containers that form the outpost. This will also reduce some of the alerts Wiz generates.

Enable auto-provisioning of Microsoft Monitoring Agent

If you enable auto-provisioning of the Microsoft Monitoring Agent (MMA), Azure installs it automatically on every new VM provisioned inside the environment. The MMA scans for vulnerabilities, collects security events, and more.

Create Activity Log Alerts

Azure Monitor can generate alerts based on specific activities. Make sure you create a resource group dedicated to storing activity log alerts and configure the following alerts:

| Condition Name | Alert Name |
|---|---|
| Create or Update Network Security Group (networkSecurityGroups) | Activity Log for creating or updating Network Security Groups |
| Delete Network Security Group (networkSecurityGroups) | Activity Log for deleting Network Security Groups |
| Create or Update Security Rule (networkSecurityGroups/securityRules) | Activity Log for creating or updating Network Security Group Rules |
| Delete Security Rule (networkSecurityGroups/securityRules) | Activity Log for deleting Network Security Group Rules |
| Create or Update Security Solutions (securitySolutions) | Activity Log for creating or updating Security Solutions |
| Update security policy (policies) | Activity Log for updating security policies |
| Delete Security Solutions (securitySolutions) | Activity Log for deleting Security Solutions |
| Create policy assignment (policyAssignments) | Activity Log for creating policy assignments |
| Delete policy assignment (policyAssignments) | Activity Log for deleting policy assignments |
| Create or Update Public IP Address (publicIPAddresses) | Activity Log for creating or updating Public IP addresses |
| Delete Public IP Address (publicIPAddresses) | Activity Log for deleting Public IP addresses |
| Create/Update server firewall rule (servers/firewallRules) | Activity Log for creating or updating server firewall rules |
| Delete server firewall rule (servers/firewallRules) | Activity Log for deleting server firewall rules |

Once you create the alerts, make sure they are integrated with Azure Monitor so that notifications actually reach your team.
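The following script is an added example, not Wiz's own tooling: it creates the dedicated resource group, an action group that notifies the security team, and one Activity Log alert for each row of the table above, using the Azure CLI from Azure Cloud Shell. The subscription id, resource group, location, action group name and recipient address are placeholders (assumptions) that you override through environment variables; it prints the commands by default and only runs them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not Wiz's code: creates one Activity Log alert per row of the table
# above with the Azure CLI. Subscription id, resource group, location, action group
# and recipient are placeholders (assumptions); override them via the environment.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-wiz-outpost-alerts}"  # group dedicated to the alerts
LOCATION="${LOCATION:-westeurope}"
ACTION_GROUP="${ACTION_GROUP:-ag-wiz-outpost-security}"
ALERT_EMAIL="${ALERT_EMAIL:-secops@example.com}"
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the az commands only; set 0 in Azure Cloud Shell to apply
# Run an az command, or print it (each argument quoted, for review) when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az'; for a in "$@"; do printf " '%s'" "$a"; done; printf '\n'
  else az "$@"; fi
}
# Resource type as written in the table -> the operationName the Activity Log records.
operation_name() {  # $1 = resource type, $2 = write|delete
  case "$1" in
    networkSecurityGroups|networkSecurityGroups/securityRules|publicIPAddresses) echo "Microsoft.Network/$1/$2" ;;
    securitySolutions|policies) echo "Microsoft.Security/$1/$2" ;;
    policyAssignments) echo "Microsoft.Authorization/$1/$2" ;;
    servers/firewallRules) echo "Microsoft.Sql/$1/$2" ;;
    *) echo "unknown resource type: $1" >&2; return 1 ;;
  esac
}
# Condition string: Administrative events for exactly one operation (write = create/update).
alert_condition() { echo "category=Administrative and operationName=$(operation_name "$1" "$2")"; }
# Rule name derived from the row, e.g. alert-networkSecurityGroups-securityRules-write.
alert_name() { echo "alert-$(printf '%s' "$1" | tr '/' '-')-$2"; }
create_alert() {  # $1 = resource type, $2 = write|delete
  run monitor activity-log alert create --name "$(alert_name "$1" "$2")" \
    --resource-group "$RESOURCE_GROUP" --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --action-group "$ACTION_GROUP" --condition "$(alert_condition "$1" "$2")" --output none
}
# Dedicated resource group, an action group that emails the security team, then the 13 alerts.
apply_table() {
  run group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
  run monitor action-group create --name "$ACTION_GROUP" --resource-group "$RESOURCE_GROUP" \
    --short-name wizoutpost --action email secops "$ALERT_EMAIL" --output none
  for row in "networkSecurityGroups write" "networkSecurityGroups delete" \
    "networkSecurityGroups/securityRules write" "networkSecurityGroups/securityRules delete" \
    "securitySolutions write" "policies write" "securitySolutions delete" \
    "policyAssignments write" "policyAssignments delete" \
    "publicIPAddresses write" "publicIPAddresses delete" \
    "servers/firewallRules write" "servers/firewallRules delete"; do
    create_alert $row  # unquoted on purpose: splits the row into resource type and operation
  done
}
apply_table
```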