Azure
Visualize and map Azure cloud resources, and monitor changes through queries and alerts.
- Installation guide
- Azure data model
Installation
To install this integration, you will need to configure settings both within Azure and on JupiterOne. Before enabling in JupiterOne, ensure that you have completed the setup within your Azure.
Azure configuration
To set up this integration, you will need to authorize access by creating a Service Principal (App Registration) in Azure and provide the credentials to JupiterOne.
The integration is triggered by an event containing the information for a specific integration instance. Users configure the integration by providing API credentials obtained through the Azure portal.
Microsoft Entra ID is authenticated and accessed through the Microsoft Graph API. Azure Resource Manager is authenticated and accessed through Resource Manager APIs.
Creating the App Registration in Azure
The first step will be to create your App registration in Azure. From your Azure portal, navigate to Microsoft Entra ID > Manage > App registrations and continue through the following steps:
- Create a new App registration, using the Name
JupiterOne, selecting Accounts in this organizational directory only, with no "Redirect URI". - With the app created, navigate to the new app's Overview page.
- Copy both the Application (client) ID and the Directory (tenant) ID.
- Navigate to the Certificates & secrets section.
- Create a new client secret.
- Save and copy the generated secret Value (not the Secret ID).
With the App created, and the values saved, you will next need to configure the API permissions within Microsoft Entra ID.
API Permissions
To grant permissions for reading the Microsoft Graph information:
- Navigate to API permissions, select Microsoft Graph > Application Permissions
- Grant the following permission to the application:
Directory.Read.AllPolicy.Read.AllAuditLog.Read.AllDevice.Read.AllEntitlementManagement.Read.AllPolicy.Read.ConditionalAccess
- Grant admin consent for this directory for the permissions above.
IAM Roles (Azure Management Groups / Subscriptions)
The next step within Azure is granting the JupiterOne Reader RBAC subscription role to read Azure Resource Manager information.
To grant the role:
- Navigate to the correct scope for your integration.
- RECOMMENDED If configuring all subscription for a tenant: Navigate to Management Groups > the Tenant Root Group.
If it is not possible to select the Tenant Root Group first navigate to Microsoft Entra ID > Manage > Properties and select Yes on Access management for Azure resources. See this elevating access article for more information.
note
If using this feature, in JupiterOne on your integration instance, enable the following flags:
- Ingest Microsoft Entra ID
- Configure Subscription Instances
- Auto-Delete Removed Subscriptions
If configuring a single Azure Subscription: Navigate to Subscriptions and choose the subscription from which you want to ingest resources. Please fill the Subscription ID field in your integration instance. In Azure, to get the Subscription ID navigate to Subscriptions and Copy the ID of the one to be ingested.
- Auto-Delete Removed Subscriptions
- Create the custom role "JupiterOne Reader"
- Navigate to Access control (IAM) > Add > Add custom role.
- Input
JupiterOne Readerfor the Name. - Navigate to the JSON tab, select Edit, and input the following actions:
Actions to be added
"Microsoft.Advisor/recommendations/read", "Microsoft.ApiManagement/service/apis/read", "Microsoft.ApiManagement/service/read", "Microsoft.Authorization/classicAdministrators/read", "Microsoft.Authorization/locks/read", "Microsoft.Authorization/policyAssignments/read", "Microsoft.Authorization/policyDefinitions/read", "Microsoft.Authorization/policySetDefinitions/read", "Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleDefinitions/read", "Microsoft.Batch/batchAccounts/applications/read", "Microsoft.Batch/batchAccounts/certificates/read", "Microsoft.Batch/batchAccounts/pools/read", "Microsoft.Batch/batchAccounts/read", "Microsoft.Cache/redis/firewallRules/read", "Microsoft.Cache/redis/linkedServers/read", "Microsoft.Cache/redis/read", "Microsoft.Cdn/profiles/endpoints/read", "Microsoft.Cdn/profiles/read", "Microsoft.Compute/disks/read", "Microsoft.Compute/galleries/images/read", "Microsoft.Compute/galleries/images/versions/read", "Microsoft.Compute/galleries/read", "Microsoft.Compute/images/read", "Microsoft.Compute/virtualMachines/extensions/read", "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachineScaleSets/read", "Microsoft.Consumption/usageDetails/read", "Microsoft.ContainerInstance/containerGroups/read", "Microsoft.ContainerRegistry/registries/read", "Microsoft.ContainerRegistry/registries/webhooks/read", "Microsoft.ContainerService/managedClusters/maintenanceConfigurations/read", "Microsoft.ContainerService/managedClusters/read", "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read", "Microsoft.DBforMariaDB/servers/databases/read", "Microsoft.DBforMariaDB/servers/read", "Microsoft.DBforMySQL/flexibleServers/databases/read", "Microsoft.DBforMySQL/flexibleServers/firewallRules/read", "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/servers/databases/read", "Microsoft.DBforMySQL/servers/firewallRules/read", "Microsoft.DBforMySQL/servers/read", "Microsoft.DBforPostgreSQL/flexibleServers/databases/read", "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read", "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/servers/databases/read", "Microsoft.DBforPostgreSQL/servers/firewallRules/read", "Microsoft.DBforPostgreSQL/servers/read", "Microsoft.DocumentDB/databaseAccounts/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read", "Microsoft.EventGrid/domains/read", "Microsoft.EventGrid/domains/topics/eventSubscriptions/read", "Microsoft.EventGrid/domains/topics/read", "Microsoft.EventGrid/topics/eventSubscriptions/read", "Microsoft.EventGrid/topics/read", "Microsoft.EventHub/clusters/read", "Microsoft.EventHub/namespaces/eventHubs/consumergroups/read", "Microsoft.EventHub/namespaces/eventhubs/read", "Microsoft.EventHub/namespaces/read", "Microsoft.Insights/ActivityLogAlerts/Read", "Microsoft.Insights/DiagnosticSettings/Read", "Microsoft.Insights/LogProfiles/Read", "Microsoft.KeyVault/vaults/keys/read", "Microsoft.KeyVault/vaults/read", "Microsoft.KeyVault/vaults/secrets/read", "Microsoft.Management/managementGroups/read", "Microsoft.Network/applicationGateways/read", "Microsoft.Network/applicationSecurityGroups/read", "Microsoft.Network/azurefirewalls/read", "Microsoft.Network/bgpServiceCommunities/read", "Microsoft.Network/ddosProtectionPlans/read", "Microsoft.Network/dnszones/read", "Microsoft.Network/dnszones/recordsets/read", "Microsoft.Network/expressRouteCircuits/peerings/connections/read", "Microsoft.Network/expressRouteCircuits/peerings/peerConnections/read", "Microsoft.Network/expressRouteCircuits/read", "Microsoft.Network/firewallPolicies/Read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/Read", "Microsoft.Network/frontDoors/read", "Microsoft.Network/loadBalancers/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/networkWatchers/flowLogs/read", "Microsoft.Network/networkWatchers/read", "Microsoft.Network/privateDnsZones/read", "Microsoft.Network/privateDnsZones/recordsets/read", "Microsoft.Network/privateEndpoints/read", "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/virtualNetworks/read", "Microsoft.PolicyInsights/policyStates/queryResults/read", "Microsoft.Resources/subscriptions/locations/read", "Microsoft.Resources/subscriptions/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Security/alerts/read", "Microsoft.Security/assessments/read", "Microsoft.Security/autoProvisioningSettings/read", "Microsoft.Security/pricings/read", "Microsoft.Security/securityContacts/read", "Microsoft.Security/settings/read", "Microsoft.ServiceBus/namespaces/queues/read", "Microsoft.ServiceBus/namespaces/read", "Microsoft.ServiceBus/namespaces/topics/read", "Microsoft.ServiceBus/namespaces/topics/subscriptions/read", "Microsoft.Sql/servers/administrators/read", "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/firewallRules/read", "Microsoft.Sql/servers/read", "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/fileServices/shares/read", "Microsoft.Storage/storageAccounts/queueServices/read", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/tableServices/read", "Microsoft.Storage/storageAccounts/tableServices/tables/read", "Microsoft.Synapse/workspaces/keys/read", "Microsoft.Synapse/workspaces/read", "Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/read", "Microsoft.Synapse/workspaces/sqlPools/dataMaskingPolicies/rules/read", "Microsoft.Synapse/workspaces/sqlPools/read", "Microsoft.Web/serverfarms/Read", "Microsoft.Web/sites/config/list/action", "Microsoft.Web/sites/config/Read", "Microsoft.Web/sites/Read",
Data Actions to be added
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
Click Save > Review + Create > Create.
Assign Roles to the "JupiterOne" App:
- Navigate to Access control (IAM) > Add > Add role assignment
- Assign the
JupiterOne Readerrole to the JupiterOne member. - Navigate to the Memeber tab. Click on + Select Members, search for the JupiterOne App, click it, and then press Select.
- Navigate to the Review + assign tab and click Review + assign.
Key Vaults
Note: Azure allows two ways of retrieving vaults.
If using Key Vault RBAC: Repeat step 5 but assing the built-in "Key Vault Reader" Role to your JupiterOne App.
If using Key Vault Access Policy:
The final step in Azure will be granting JupiterOne permissions for the vault keys and secrets (rm-keyvault-keys and rm-keyvault-secrets).
note
You are required to grant the permissions to the JupiterOne security principal for each key vault in your account. Learn more on Azure for assigning a key vault access policy
To grant the permissions:
- Navigate to Key Vaults and select the one you wish to ingest.
- Click Access policies, then + Create
- On the Permissions tab, under Key permissions and Secret Permissions, select the permissions.
- Key Permissions
- Key Management Operations
- List
- Key Management Operations
- Secret Permissions
- Key Management Operations
- List
- Key Management Operations
- On the Principal tab, assign them to the JupiterOne App.
- Navigate to the Review + Create tab and click Create.
That concludes the setup from within Azure. The last thing to do is initiate the integration from within JupiterOne!
Configuration in JupiterOne
To add the Azure integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Azure. Click New Instance to begin configuring your integration.
Creating a configuration requires the following:
The Account Name used to identify the Azure account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled.Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration.Your Azure Directory (tenant) ID of the Entra ID to target the Azure API requests.
The Application (client) ID created for JupiterOne and used to authenticate with Azure.
Enable Ingest Microsoft Entra ID to ingest Directory information.
noteThe Ingest Microsoft Entra ID flag enables the ingestion of
azure_user,azure_user_group, andazure_service_principalentities.This should only be enabled for one integration instance per directory.
Configure the Subscription Instances for your integration:
- RECOMMENDED If configuring all subscriptions for a tenant: Select the option Configure Subscription Instances to automatically provision new JupiterOne integration instances for each Azure Subscription in this tenant that does not have a "JupiterOne" tag set to
SKIP. It is recommended that you use this feature when Ingest Microsoft Entra ID selected. - If configuring a single Azure Subscription: Enter the Subscription ID for the subscription you wish to ingest data from. In Azure, to get the Subscription ID, navigate to Subscriptions and copy the desired Subscription ID.
- RECOMMENDED If configuring all subscriptions for a tenant: Select the option Configure Subscription Instances to automatically provision new JupiterOne integration instances for each Azure Subscription in this tenant that does not have a "JupiterOne" tag set to
With Configure Subscription Instances enabled, you can opt to Auto-delete Removed Subscriptions within JupiterOne and Ingest disabled subscriptons to ingest subscriptions in a
disabledstate.
Once all values have been provided, click Create to finalize the integration.
Troubleshooting authentication
If the Azure integration job does not complete, and you encounter a message such as:
[validation_failure] Error occurred while validating integration configuration
in your job log, check the following common configuration errors:
Verify the Application (client) ID and Application (client) Secret: Make sure that you've verified the proper value for client ID and client secret. The client secret has both a Value property and a Secret ID property. The Secret ID is unused: make sure you haven't accidentally used the Secret ID as the Client ID.
Verify that you've enabled the proper API permissions: Make sure the required API permissions (described above) are enabled for the application.
Verify that the API permissions have been granted as "Application" and not "Delegated": The integration requires API Permissions of type Application. Permissions of type Delegated will cause issues in your integration.
Verify that your permissions have been "Grant(ed) admin consent for Directory": If you have added API Permissions to the application, but have not granted Admin Consent, the permissions are not yet active.
Data Model
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Azure Application Gateway | azure_application_gateway | Network |
| Azure Application Security Groups | azure_application_security_group | Firewall |
| Azure Synapse Analytics | azure_synapse | Service |
| Device | azure_device | Device |
| FrontDoor | azure_frontdoor | Service |
| FrontDoor Backend Pool | azure_frontdoor_backend_pool | Configuration |
| FrontDoor Frontend Endpoint | azure_frontdoor_frontend_endpoint | Gateway |
| FrontDoor Routing Rule | azure_frontdoor_routing_rule | Rule |
| FrontDoor Rules Engine | azure_frontdoor_rules_engine | Ruleset |
| [AD] Account | azure_account | Account |
| [AD] Conditional Access | azure_conditional_access_service | Service |
| [AD] Conditional Access Authorization Context | azure_conditional_access_authorization_context | Resource |
| [AD] Conditional Access Named location | azure_conditional_access_named_location | Network |
| [AD] Conditional Access Policy | azure_conditional_access_policy | AccessPolicy |
| [AD] Conditional Access Template | azure_conditional_access_template | AccessPolicy |
| [AD] Domain | azure_domain | Service |
| [AD] Group | azure_group | Group |
| [AD] Group Member | azure_group_member | User |
| [AD] Role Definition | azure_ad_role_definition | AccessRole |
| [AD] Service Principal | azure_service_principal | Service |
| [AD] User | azure_user | User |
| [RM] API Management API | azure_api_management_api | ApplicationEndpoint |
| [RM] API Management Service | azure_api_management_service | Gateway |
| [RM] Access Package | azure_access_packages_services | Service |
| [RM] Access Package Assignment | azure_access_packages_service_assignment | AccessRole |
| [RM] Access Package Assignment Approver | azure_access_packages_approver | Review |
| [RM] Access Package Assignment Policy | azure_access_packages_policy | AccessPolicy |
| [RM] Access Package Assignment Request | azure_access_packages_request | Requirement |
| [RM] Access Package Catalog | azure_access_packages_catalog | Resource |
| [RM] Access Role | azure_kube_trusted_access_role | AccessRole |
| [RM] Advisor Recommendation | azure_advisor_recommendation | Finding |
| [RM] App Service Plan | azure_app_service_plan | Configuration |
| [RM] Azure Application | azure_application | Application |
| [RM] Azure Bgp Service Communities | azure_bgp_service_communities | Network |
| [RM] Azure Consumer Group | azure_event_hub_consumer_group | Channel |
| [RM] Azure Ddos Protection Plans | azure_ddos_protection_plan | Configuration |
| [RM] Azure Event Hub | azure_event_hub | Service |
| [RM] Azure Express Route | azure_expressroute | Service |
| [RM] Azure Express Route Circuit | azure_expressroute_circuit | Network |
| [RM] Azure Express Route Circuit Connections | azure_expressroute_circuit_connection | Network |
| [RM] Azure Kubernetes Cluster | azure_kubernetes_cluster | Cluster |
| [RM] Azure Managed Disk | azure_managed_disk | DataStore, Disk |
| [RM] Azure Peer Express Route Circuit Connection | azure_peer_expressroute_circut_connection | Network |
| [RM] Batch Account | azure_batch_account | Service |
| [RM] Batch Application | azure_batch_application | Process |
| [RM] Batch Certificate | azure_batch_certificate | Certificate |
| [RM] Batch Pool | azure_batch_pool | Cluster |
| [RM] CDN Endpoint | azure_cdn_endpoint | Gateway |
| [RM] CDN Profile | azure_cdn_profile | Service |
| [RM] Classic Admin | azure_classic_admin_group | UserGroup |
| [RM] Container | azure_container | Container |
| [RM] Container Group | azure_container_group | Group |
| [RM] Container Registry | azure_container_registry | DataStore |
| [RM] Container Registry Webhook | azure_container_registry_webhook | ApplicationEndpoint |
| [RM] Container Volume | azure_container_volume | Disk |
| [RM] Cosmos DB Account | azure_cosmosdb_account | Account, Service |
| [RM] Cosmos DB Database | azure_cosmosdb_sql_database | Database, DataStore |
| [RM] DNS Record Set | azure_dns_record_set | DomainRecord |
| [RM] DNS Zone | azure_dns_zone | DomainZone |
| [RM] Data Masking Policy | azure_synapse_masking_policy | Policy |
| [RM] Data Masking Rule | azure_synapse_masking_rule | Rule |
| [RM] Defender Alert | azure_defender_alert | Vulnerability |
| [RM] Event Grid Domain | azure_event_grid_domain | Service |
| [RM] Event Grid Domain Topic | azure_event_grid_domain_topic | Queue |
| [RM] Event Grid Topic | azure_event_grid_topic | Queue |
| [RM] Event Grid Topic Subscription | azure_event_grid_topic_subscription | Subscription |
| [RM] Event Hub Cluster | azure_event_hub_cluster | Cluster |
| [RM] Event Hub Keys | azure_event_hub_key | Key |
| [RM] Event Hub Namespace | azure_event_hub_namespace | Group |
| [RM] Firewall Policy | azure_network_firewall_policy | Policy |
| [RM] Function App | azure_function_app | Function |
| [RM] Gallery | azure_gallery | Repository |
| [RM] Image | azure_image | Image |
| [RM] Key Vault | azure_keyvault_service | Service |
| [RM] Key Vault Key | azure_keyvault_key | Key |
| [RM] Key Vault Secret | azure_keyvault_secret | Secret |
| [RM] Kubernetes Service | azure_kube_service | Service |
| [RM] Load Balancer | azure_lb | Gateway |
| [RM] Managed Cluster | azure_kube_maintenance_configuration | Cluster |
| [RM] Management Group | azure_management_group | Group |
| [RM] MariaDB Database | azure_mariadb_database | Database, DataStore |
| [RM] MariaDB Server | azure_mariadb_server | Database, DataStore, Host |
| [RM] Monitor Activity Log Alert | azure_monitor_activity_log_alert | Rule |
| [RM] Monitor Diagnostic Settings Resource | azure_diagnostic_setting | Configuration |
| [RM] Monitor Log Profile | azure_monitor_log_profile | Configuration |
| [RM] MySQL Database | azure_mysql_database | Database, DataStore |
| [RM] MySQL Flexible Database | azure_mysql_flexible_database | Database, DataStore |
| [RM] MySQL Flexible Server | azure_mysql_flexible_server | Database, DataStore, Host |
| [RM] MySQL Flexible Server Firewall Rule | azure_mysql_flexible_server_firewall_rule | Firewall |
| [RM] MySQL Server | azure_mysql_server | Database, DataStore, Host |
| [RM] MySQL Server Firewall Rule | azure_mysql_server_firewall_rule | Firewall |
| [RM] Network Firewall | azure_network_firewall | Firewall |
| [RM] Network Interface | azure_nic | NetworkInterface |
| [RM] Network Watcher | azure_network_watcher | Resource |
| [RM] Policy Assignment | azure_policy_assignment | ControlPolicy |
| [RM] Policy Definition | azure_policy_definition | Rule |
| [RM] Policy Set Definition | azure_policy_set_definition | Ruleset |
| [RM] Policy State | azure_policy_state | Review |
| [RM] PostgreSQL Database | azure_postgresql_database | Database, DataStore |
| [RM] PostgreSQL Flexible Database | azure_postgresql_flexible_database | Database, DataStore |
| [RM] PostgreSQL Flexible Server | azure_postgresql_flexible_server | Database, DataStore, Host |
| [RM] PostgreSQL Flexible Server Firewall Rule | azure_postgresql_flexible_server_firewall_rule | Firewall |
| [RM] PostgreSQL Server | azure_postgresql_server | Database, DataStore, Host |
| [RM] PostgreSQL Server Firewall Rule | azure_postgresql_server_firewall_rule | Firewall |
| [RM] Private DNS Record Set | azure_private_dns_record_set | DomainRecord |
| [RM] Private DNS Zone | azure_private_dns_zone | DomainZone |
| [RM] Private Endpoint | azure_private_endpoint | NetworkEndpoint |
| [RM] Public IP Address | azure_public_ip | IpAddress |
| [RM] Redis Cache | azure_redis_cache | Database, DataStore, Cluster |
| [RM] Redis Firewall Rule | azure_firewall_rule | Firewall |
| [RM] Resource Group | azure_resource_group | Group |
| [RM] Resource Lock | azure_resource_lock | Rule |
| [RM] Role Assignment | azure_role_assignment | AccessPolicy |
| [RM] Role Binding | azure_kube_cluster_role_binding | AccessPolicy |
| [RM] Role Definition | azure_role_definition | AccessRole |
| [RM] SQL Database | azure_sql_database | Database, DataStore |
| [RM] SQL Pool | azure_synapse_sql_pool | Configuration |
| [RM] SQL Server | azure_sql_server | Database, DataStore, Host |
| [RM] SQL Server Entra ID Admin | azure_sql_server_active_directory_admin | AccessRole |
| [RM] SQL Server Firewall Rule | azure_sql_server_firewall_rule | Firewall |
| [RM] Security Assessment | azure_security_assessment | Assessment |
| [RM] Security Center Auto Provisioning Setting | azure_security_center_auto_provisioning_setting | Configuration |
| [RM] Security Center Setting | azure_security_center_setting | Configuration |
| [RM] Security Center Subscription Pricing | azure_security_center_subscription_pricing | Configuration |
| [RM] Security Contact | azure_security_center_contact | Resource |
| [RM] Security Group | azure_security_group | Firewall |
| [RM] Security Group Flow Logs | azure_security_group_flow_logs | Logs |
| [RM] Service Bus Namespace | azure_service_bus_namespace | Service |
| [RM] Service Bus Queue | azure_service_bus_queue | Queue |
| [RM] Service Bus Subscription | azure_service_bus_subscription | Subscription |
| [RM] Service Bus Topic | azure_service_bus_topic | Queue |
| [RM] Shared Image | azure_shared_image | Image |
| [RM] Shared Image Version | azure_shared_image_version | Image |
| [RM] Storage Account | azure_storage_account | Service |
| [RM] Storage Container | azure_storage_container | DataStore |
| [RM] Storage File Share | azure_storage_file_share | DataStore |
| [RM] Storage Queue | azure_storage_queue | Queue |
| [RM] Storage Table | azure_storage_table | DataStore, Database |
| [RM] Subnet | azure_subnet | Network |
| [RM] Subscription | azure_subscription | Account |
| [RM] Synapse Keys | azure_synapse_key | Key |
| [RM] Usage Details | azure_usage_details | Site |
| [RM] Virtual Machine | azure_vm | Host |
| [RM] Virtual Machine Extension | azure_vm_extension | Application |
| [RM] Virtual Machine Scale Set | azure_vm_scale_set | Deployment, Group |
| [RM] Virtual Network | azure_vnet | Network |
| [RM] Web App | azure_web_app | Application |
| [RM] Workspaces | azure_synapse_workspace | Configuration |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
ANY_RESOURCE | HAS | azure_defender_alert |
ANY_RESOURCE | HAS | azure_policy_state |
ANY_RESOURCE | GENERATED | azure_shared_image_version |
ANY_SCOPE | HAS | azure_advisor_recommendation |
ANY_SCOPE | HAS | azure_diagnostic_setting |
ANY_SCOPE | HAS | azure_policy_assignment |
azure_access_packages_approver | IS | azure_user |
azure_access_packages_catalog | ASSIGNED | azure_application |
azure_access_packages_service_assignment | CONTAINS | azure_access_packages_policy |
azure_access_packages_services | HAS | azure_access_packages_service_assignment |
azure_access_packages_services | HAS | azure_application |
azure_account | HAS | azure_domain |
azure_account | HAS | azure_group |
azure_account | HAS | azure_keyvault_service |
azure_account | HAS | azure_management_group |
azure_account | HAS | azure_user |
azure_api_management_service | HAS | azure_api_management_api |
azure_application_security_group | PROTECTS | azure_vm |
azure_batch_account | HAS | azure_batch_application |
azure_batch_account | HAS | azure_batch_certificate |
azure_batch_account | HAS | azure_batch_pool |
azure_bgp_service_communities | HAS | azure_expressroute |
azure_cdn_profile | HAS | azure_cdn_endpoint |
azure_classic_admin_group | HAS | azure_user |
azure_conditional_access_policy | CONTAINS | azure_conditional_access_named_location |
azure_conditional_access_policy | ASSIGNED | azure_group |
azure_conditional_access_policy | ASSIGNED | azure_user |
azure_conditional_access_service | HAS | azure_conditional_access_authorization_context |
azure_conditional_access_service | HAS | azure_conditional_access_policy |
azure_conditional_access_service | HAS | azure_conditional_access_template |
azure_container | USES | azure_container_volume |
azure_container_group | HAS | azure_container |
azure_container_group | HAS | azure_container_volume |
azure_container_registry | HAS | azure_container_registry_webhook |
azure_container_volume | USES | azure_storage_file_share |
azure_cosmosdb_account | HAS | azure_cosmosdb_sql_database |
azure_ddos_protection_plan | ASSIGNED | azure_public_ip |
azure_ddos_protection_plan | ASSIGNED | azure_vnet |
azure_diagnostic_setting | USES | azure_storage_account |
azure_dns_zone | HAS | azure_dns_record_set |
azure_event_grid_domain | HAS | azure_event_grid_domain_topic |
azure_event_grid_domain_topic | HAS | azure_event_grid_topic_subscription |
azure_event_grid_topic | HAS | azure_event_grid_topic_subscription |
azure_event_hub | HAS | azure_location |
azure_event_hub_cluster | ASSIGNED | azure_event_hub_namespace |
azure_event_hub_consumer_group | HAS | azure_event_hub |
azure_event_hub_key | USES | azure_keyvault_service |
azure_event_hub_namespace | HAS | azure_event_hub |
azure_event_hub_namespace | HAS | azure_event_hub_key |
azure_expressroute | HAS | azure_application_gateway |
azure_expressroute | HAS | azure_expressroute |
azure_expressroute | HAS | azure_expressroute_circuit_connection |
azure_expressroute | HAS | azure_peer_expressroute_circut_connection |
azure_expressroute_circuit | HAS | azure_expressroute_circuit_connection |
azure_expressroute_circuit | HAS | azure_peer_expressroute_circut_connection |
azure_frontdoor | HAS | azure_frontdoor_backend_pool |
azure_frontdoor | HAS | azure_frontdoor_frontend_endpoint |
azure_frontdoor | HAS | azure_frontdoor_routing_rule |
azure_frontdoor | HAS | azure_frontdoor_rules_engine |
azure_function_app | USES | azure_app_service_plan |
azure_gallery | CONTAINS | azure_shared_image |
azure_group | ASSIGNED | azure_access_packages_services |
azure_group | HAS | azure_device |
azure_group | HAS | azure_group |
azure_group | HAS | azure_group_member |
azure_group | HAS | azure_user |
azure_keyvault_service | ALLOWS | ANY_PRINCIPAL |
azure_keyvault_service | CONTAINS | azure_keyvault_key |
azure_keyvault_service | CONTAINS | azure_keyvault_secret |
azure_keyvault_service | HAS | azure_synapse_key |
azure_kube_cluster_role_binding | IS | kube_cluster_role_binding |
azure_kube_service | CONTAINS | azure_kube_trusted_access_role |
azure_kubernetes_cluster | CONTAINS | azure_kube_cluster_role_binding |
azure_kubernetes_cluster | HAS | azure_kube_maintenance_configuration |
azure_lb | CONNECTS | azure_nic |
azure_management_group | CONTAINS | azure_management_group |
azure_mariadb_server | HAS | azure_mariadb_database |
azure_monitor_activity_log_alert | MONITORS | ANY_SCOPE |
azure_monitor_log_profile | USES | azure_storage_account |
azure_mysql_flexible_server | HAS | azure_mysql_flexible_database |
azure_mysql_flexible_server | HAS | azure_mysql_server_firewall_rule |
azure_mysql_server | HAS | azure_mysql_database |
azure_mysql_server | HAS | azure_mysql_server_firewall_rule |
azure_network_firewall | HAS | azure_network_firewall_policy |
azure_network_firewall_policy | EXTENDS | azure_network_firewall_policy |
azure_network_watcher | HAS | azure_security_group_flow_logs |
azure_policy_assignment | USES | azure_policy_definition |
azure_policy_assignment | USES | azure_policy_set_definition |
azure_policy_assignment | HAS | azure_policy_state |
azure_policy_definition | DEFINES | azure_policy_state |
azure_policy_set_definition | CONTAINS | azure_policy_definition |
azure_postgresql_flexible_server | HAS | azure_postgresql_flexible_database |
azure_postgresql_flexible_server | HAS | azure_postgresql_server_firewall_rule |
azure_postgresql_server | HAS | azure_postgresql_database |
azure_postgresql_server | HAS | azure_postgresql_server_firewall_rule |
azure_private_dns_zone | HAS | azure_private_dns_record_set |
azure_private_endpoint | CONNECTS | ANY_RESOURCE |
azure_private_endpoint | USES | azure_nic |
azure_redis_cache | HAS | azure_firewall_rule |
azure_redis_cache | CONNECTS | azure_redis_cache |
azure_resource_group | HAS | azure_api_management_service |
azure_resource_group | HAS | azure_app_service_plan |
azure_resource_group | HAS | azure_batch_account |
azure_resource_group | HAS | azure_cdn_profile |
azure_resource_group | HAS | azure_container_group |
azure_resource_group | HAS | azure_container_registry |
azure_resource_group | HAS | azure_cosmosdb_account |
azure_resource_group | HAS | azure_ddos_protection_plan |
azure_resource_group | HAS | azure_dns_zone |
azure_resource_group | HAS | azure_event_grid_domain |
azure_resource_group | HAS | azure_event_grid_topic |
azure_resource_group | HAS | azure_event_hub |
azure_resource_group | HAS | azure_frontdoor |
azure_resource_group | HAS | azure_function_app |
azure_resource_group | HAS | azure_gallery |
azure_resource_group | HAS | azure_image |
azure_resource_group | HAS | azure_keyvault_service |
azure_resource_group | HAS | azure_kubernetes_cluster |
azure_resource_group | HAS | azure_lb |
azure_resource_group | HAS | azure_managed_disk |
azure_resource_group | HAS | azure_mariadb_server |
azure_resource_group | HAS | azure_monitor_activity_log_alert |
azure_resource_group | HAS | azure_mysql_flexible_server |
azure_resource_group | HAS | azure_mysql_server |
azure_resource_group | HAS | azure_network_firewall |
azure_resource_group | HAS | azure_network_watcher |
azure_resource_group | HAS | azure_nic |
azure_resource_group | HAS | azure_postgresql_flexible_server |
azure_resource_group | HAS | azure_postgresql_server |
azure_resource_group | HAS | azure_private_dns_zone |
azure_resource_group | HAS | azure_private_endpoint |
azure_resource_group | HAS | azure_public_ip |
azure_resource_group | HAS | azure_redis_cache |
azure_resource_group | HAS | azure_security_group |
azure_resource_group | HAS | azure_service_bus_namespace |
azure_resource_group | HAS | azure_sql_server |
azure_resource_group | HAS | azure_storage_account |
azure_resource_group | HAS | azure_vm |
azure_resource_group | HAS | azure_vm_scale_set |
azure_resource_group | HAS | azure_vnet |
azure_resource_group | HAS | azure_web_app |
azure_resource_lock | HAS | ANY_SCOPE |
azure_role_assignment | ALLOWS | ANY_SCOPE |
azure_role_assignment | ASSIGNED | azure_application |
azure_role_assignment | ASSIGNED | azure_directory |
azure_role_assignment | ASSIGNED | azure_directory_role_template |
azure_role_assignment | ASSIGNED | azure_everyone |
azure_role_assignment | ASSIGNED | azure_foreign_group |
azure_role_assignment | ASSIGNED | azure_group |
azure_role_assignment | ASSIGNED | azure_msi |
azure_role_assignment | USES | azure_role_definition |
azure_role_assignment | ASSIGNED | azure_service_principal |
azure_role_assignment | ASSIGNED | azure_unknown |
azure_role_assignment | ASSIGNED | azure_unknown_principal_type |
azure_role_assignment | ASSIGNED | azure_user |
azure_security_assessment | IDENTIFIED | azure_advisor_recommendation |
azure_security_group | PROTECTS | azure_nic |
azure_security_group | HAS | azure_security_group_flow_logs |
azure_security_group | ALLOWS | azure_subnet |
azure_security_group | DENIES | azure_subnet |
azure_security_group | PROTECTS | azure_subnet |
azure_security_group | PROTECTS | azure_vm_scale_set |
azure_security_group_flow_logs | USES | azure_storage_account |
azure_service_bus_namespace | HAS | azure_service_bus_queue |
azure_service_bus_namespace | HAS | azure_service_bus_topic |
azure_service_bus_topic | HAS | azure_service_bus_subscription |
azure_service_principal | HAS | ad-role-definitions |
azure_service_principal | ASSIGNED | azure_group |
azure_service_principal | ASSIGNED | azure_service_principal |
azure_service_principal | ASSIGNED | azure_user |
azure_shared_image | HAS | azure_shared_image_version |
azure_sql_server | HAS | azure_sql_database |
azure_sql_server | HAS | azure_sql_server_active_directory_admin |
azure_sql_server | HAS | azure_sql_server_firewall_rule |
azure_storage_account | USES | azure_keyvault_service |
azure_storage_account | HAS | azure_storage_container |
azure_storage_account | HAS | azure_storage_file_share |
azure_storage_account | HAS | azure_storage_queue |
azure_storage_account | HAS | azure_storage_table |
azure_subnet | HAS | azure_private_endpoint |
azure_subnet | ALLOWS | azure_security_group |
azure_subnet | DENIES | azure_security_group |
azure_subnet | HAS | azure_vm |
azure_subscription | HAS | azure_bgp_service_communities |
azure_subscription | HAS | azure_ddos_protection_plan |
azure_subscription | HAS | azure_defender_alert |
azure_subscription | HAS | azure_event_hub |
azure_subscription | HAS | azure_expressroute |
azure_subscription | HAS | azure_kube_service |
azure_subscription | HAS | azure_monitor_log_profile |
azure_subscription | HAS | azure_resource_group |
azure_subscription | CONTAINS | azure_role_definition |
azure_subscription | PERFORMED | azure_security_assessment |
azure_subscription | HAS | azure_security_center_auto_provisioning_setting |
azure_subscription | HAS | azure_security_center_contact |
azure_subscription | HAS | azure_security_center_setting |
azure_subscription | HAS | azure_security_center_subscription_pricing |
azure_subscription | HAS | azure_synapse |
azure_subscription | HAS | azure_usage_details |
azure_synapse | HAS | azure_synapse_key |
azure_synapse | HAS | azure_synapse_sql_pool |
azure_synapse | HAS | azure_synapse_workspace |
azure_synapse_sql_pool | ASSIGNED | azure_synapse_masking_policy |
azure_synapse_sql_pool | HAS | azure_synapse_masking_rule |
azure_synapse_workspace | HAS | azure_synapse_key |
azure_synapse_workspace | HAS | azure_synapse_sql_pool |
azure_user | HAS | ad-role-definitions |
azure_user | CREATED | azure_access_packages_request |
azure_user | ASSIGNED | azure_access_packages_services |
azure_user | HAS | azure_device |
azure_vm | USES | azure_image |
azure_vm | USES | azure_managed_disk |
azure_vm | USES | azure_nic |
azure_vm | USES | azure_public_ip |
azure_vm | USES | azure_service_principal |
azure_vm | USES | azure_shared_image |
azure_vm | GENERATED | azure_shared_image_version |
azure_vm | USES | azure_shared_image_version |
azure_vm | USES | azure_storage_account |
azure_vm | USES | azure_vm_extension |
azure_vm | USES | azure_vm_scale_set |
azure_vm_scale_set | USES | azure_lb |
azure_vm_scale_set | USES | azure_shared_image |
azure_vm_scale_set | USES | azure_subnet |
azure_vnet | CONTAINS | azure_subnet |
azure_web_app | USES | azure_app_service_plan |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
azure_kube_trusted_access_role | IS | *kube_cluster_role* | FORWARD |
azure_management_group | HAS | *azure_subscription* | FORWARD |
azure_network_firewall | ALLOWS | *internet* | FORWARD |
azure_network_firewall | ALLOWS | *internet* | REVERSE |
azure_network_firewall | DENIES | *internet* | FORWARD |
azure_network_firewall | DENIES | *internet* | REVERSE |
azure_network_watcher | HAS | *azure_location* | REVERSE |
azure_subscription | USES | *azure_location* | FORWARD |