Azure

Visualize and map Azure cloud resources, and monitor changes through queries and alerts.

Installation guide

Installation

To install this integration, you will need to configure settings both within Azure and on JupiterOne. Before enabling in JupiterOne, ensure that you have completed the setup within your Azure.

Azure configuration

To set up this integration, you will need to authorize access by creating a Service Principal (App Registration) in Azure and provide the credentials to JupiterOne.

The integration is triggered by an event containing the information for a specific integration instance. Users configure the integration by providing API credentials obtained through the Azure portal.

Azure Active Directory is authenticated and accessed through the Microsoft Graph API. Azure Resource Manager is authenticated and accessed through Resource Manager APIs.

Creating the App Registration in Azure

The first step will be to create your App registration in Azure. From your Azure portal, navigate to Azure Active Directory > App registrations and continue through the following steps:

1. Create a new App registration, using the Name {{productName}}, selecting Accounts in this organizational directory only, with no "Redirect URI".
2. With the app created, navigate to the new app's Overview page.
3. Copy both the Application (client) ID and the Directory (tenant) ID.
4. Navigate to the Certificates & secrets section.
5. Create a new client secret.
6. Save and copy the generated secret Value (not the Secret ID).

With the App created, and the values saved, you will next need to configure the API permissions within Azure Active Directory.

API Permissions

To grant permissions for reading the Microsoft Graph information:

1. Navigate to API permissions, select Microsoft Graph > Application Permissions
2. Grant the following permission to the application:

• Directory.Read.All
• Policy.Read.All
• AuditLog.Read.All

3. Grant admin consent for this directory for the permissions above.

IAM Roles (Azure Management Groups / Subscriptions)

The next step within Azure is granting the JupiterOne Reader RBAC subscription role to read Azure Resource Manager information.

To grant the role:

1. Navigate to the correct scope for your integration.

• RECOMMENDED If configuring all subscription for a tenant: Navigate to Management Groups > the Tenant Root Group.

  If it is not possible to select the Tenant Root Group first navigate to Azure Active Directory > Properties and select Yes on Access management for Azure resources. See this elevating access article for more information.

note

If using this feature, in JupiterOne on your integration instance, enable the following flags:

• Ingest Active Directory
• Configure Subscription Instances
  • Auto-Delete Removed Subscriptions

    If configuring a single Azure Subscription: Navigate to Subscriptions and choose the subscription from which you want to ingest resources. Please fill the Subscription ID field in your integration instance. In Azure, to get the Subscription ID navigate to Subscriptions and Copy the ID of the one to be ingested.

2. Create the custom role "JupiterOne Reader"

3. Navigate to Access control (IAM) > Add > Add custom role.

4. Input JupiterOne Reader for the Name.

5. Navigate to the JSON tab, select Edit, and input the following actions:

   Actions to be added

   "Microsoft.Advisor/recommendations/read",
   "Microsoft.ApiManagement/service/apis/read",
   "Microsoft.ApiManagement/service/read",
   "Microsoft.Authorization/classicAdministrators/read",
   "Microsoft.Authorization/locks/read",
   "Microsoft.Authorization/policyAssignments/read",
   "Microsoft.Authorization/policyDefinitions/read",
   "Microsoft.Authorization/policySetDefinitions/read",
   "Microsoft.Authorization/roleAssignments/read",
   "Microsoft.Authorization/roleDefinitions/read",
   "Microsoft.Batch/batchAccounts/applications/read",
   "Microsoft.Batch/batchAccounts/certificates/read",
   "Microsoft.Batch/batchAccounts/pools/read",
   "Microsoft.Batch/batchAccounts/read",
   "Microsoft.Cache/redis/firewallRules/read",
   "Microsoft.Cache/redis/linkedServers/read",
   "Microsoft.Cache/redis/read",
   "Microsoft.Cdn/profiles/endpoints/read",
   "Microsoft.Cdn/profiles/read",
   "Microsoft.Compute/disks/read",
   "Microsoft.Compute/galleries/images/read",
   "Microsoft.Compute/galleries/images/versions/read",
   "Microsoft.Compute/galleries/read",
   "Microsoft.Compute/images/read",
   "Microsoft.Compute/virtualMachines/extensions/read",
   "Microsoft.Compute/virtualMachines/read",
   "Microsoft.ContainerInstance/containerGroups/read",
   "Microsoft.ContainerRegistry/registries/read",
   "Microsoft.ContainerRegistry/registries/webhooks/read",
   "Microsoft.ContainerService/managedClusters/read",
   "Microsoft.DBforMariaDB/servers/databases/read",
   "Microsoft.DBforMariaDB/servers/read",
   "Microsoft.DBforMySQL/servers/databases/read",
   "Microsoft.DBforMySQL/servers/read",
   "Microsoft.DBforPostgreSQL/servers/databases/read",
   "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
   "Microsoft.DBforPostgreSQL/servers/read",
   "Microsoft.DocumentDB/databaseAccounts/read",
   "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
   "Microsoft.EventGrid/domains/read",
   "Microsoft.EventGrid/domains/topics/eventSubscriptions/read",
   "Microsoft.EventGrid/domains/topics/read",
   "Microsoft.EventGrid/topics/eventSubscriptions/read",
   "Microsoft.EventGrid/topics/read",
   "Microsoft.Insights/ActivityLogAlerts/Read",
   "Microsoft.Insights/DiagnosticSettings/Read",
   "Microsoft.Insights/LogProfiles/Read",
   "Microsoft.KeyVault/vaults/keys/read",
   "Microsoft.KeyVault/vaults/read",
   "Microsoft.KeyVault/vaults/secrets/read",
   "Microsoft.Management/managementGroups/read",
   "Microsoft.Network/azurefirewalls/read",
   "Microsoft.Network/dnszones/read",
   "Microsoft.Network/dnszones/recordsets/read",
   "Microsoft.Network/frontDoors/read",
   "Microsoft.Network/loadBalancers/read",
   "Microsoft.Network/networkInterfaces/read",
   "Microsoft.Network/networkSecurityGroups/read",
   "Microsoft.Network/networkWatchers/flowLogs/read",
   "Microsoft.Network/networkWatchers/read",
   "Microsoft.Network/privateDnsZones/read",
   "Microsoft.Network/privateDnsZones/recordsets/read",
   "Microsoft.Network/privateEndpoints/read",
   "Microsoft.Network/publicIPAddresses/read",
   "Microsoft.Network/virtualNetworks/read",
   "Microsoft.PolicyInsights/policyStates/queryResults/read",
   "Microsoft.Resources/subscriptions/locations/read",
   "Microsoft.Resources/subscriptions/read",
   "Microsoft.Resources/subscriptions/resourceGroups/read",
   "Microsoft.Security/assessments/read",
   "Microsoft.Security/autoProvisioningSettings/read",
   "Microsoft.Security/pricings/read",
   "Microsoft.Security/securityContacts/read",
   "Microsoft.Security/settings/read",
   "Microsoft.ServiceBus/namespaces/queues/read",
   "Microsoft.ServiceBus/namespaces/read",
   "Microsoft.ServiceBus/namespaces/topics/read",
   "Microsoft.ServiceBus/namespaces/topics/subscriptions/read",
   "Microsoft.Sql/servers/administrators/read",
   "Microsoft.Sql/servers/databases/read",
   "Microsoft.Sql/servers/firewallRules/read",
   "Microsoft.Sql/servers/read",
   "Microsoft.Storage/storageAccounts/blobServices/containers/read",
   "Microsoft.Storage/storageAccounts/blobServices/read",
   "Microsoft.Storage/storageAccounts/fileServices/shares/read",
   "Microsoft.Storage/storageAccounts/queueServices/read",
   "Microsoft.Storage/storageAccounts/read",
   "Microsoft.Storage/storageAccounts/tableServices/read",
   "Microsoft.Storage/storageAccounts/tableServices/tables/read",
   "Microsoft.Web/serverfarms/Read",
   "Microsoft.Web/sites/config/list/action",
   "Microsoft.Web/sites/config/Read",
   "Microsoft.Web/sites/Read",
   "Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read",
   "Microsoft.Management/managementGroups/subscriptions/read"

6. Click Save > Review + Create > Create.

7. Assign Roles to the "JupiterOne" App:

   1. Navigate to Access control (IAM) > Add > Add role assignment
   2. Assign the JupiterOne Reader role to the JupiterOne member.
   3. Navigate to the Memeber tab. Click on + Select Members, search for the JupiterOne App, click it, and then press Select.
   4. Navigate to the Review + assign tab and click Review + assign.

Key Vault Access Policy

The final step in Azure will be granting JupiterOne permissions for the vault keys and secrets (rm-keyvault-keys and rm-keyvault-secrets).

note

You are required to grant the permissions to the JupiterOne security principal for each key vault in your account. Learn more on Azure for assigning a key vault access policy

To grant the permissions:

1. Navigate to Key Vaults and select the one you wish to ingest.
2. Click Access policies, then + Create
3. On the Permissions tab, under Key permissions and Secret Permissions, select the permissions.

• Key Permissions
  • Key Management Operations
    • List
• Secret Permissions
  • Key Management Operations
    • List

4. On the Principal tab, assign them to the JupiterOne App.
5. Navigate to the Review + Create tab and click Create.

That concludes the setup from within Azure. The last thing to do is initiate the integration from within JupiterOne!

Configuration in JupiterOne

To add the Azure integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Azure. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

• The Account Name used to identify the Azure account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

• Your Azure Directory (tenant) ID of the Active Directory to target the Azure API requests.

• The Application (client) ID created for JupiterOne and used to authenticate with Azure.

• Enable Ingest Active Directory to ingest Directory information.

  note

  The Ingest Active Directory flag enables the ingestion of azure_user, azure_user_group, and azure_service_principal entities.

  This should only be enabled for one integration instance per directory.

• Configure the Subscription Instances for your integration:

  • RECOMMENDED If configuring all subscriptions for a tenant: Select the option Configure Subscription Instances to automatically provision new JupiterOne integration instances for each Azure Subscription in this tenant that does not have a "JupiterOne" tag set to SKIP. It is recommended that you use this feature when Ingest Active Directory selected.
  • If configuring a single Azure Subscription: Enter the Subscription ID for the subscription you wish to ingest data from. In Azure, to get the Subscription ID, navigate to Subscriptions and copy the desired Subscription ID.

With Configure Subscription Instances enabled, you can opt to Auto-delete Removed Subscriptions within JupiterOne and Ingest disabled subscriptons to ingest subscriptions in a disabled state.

Once all values have been provided, click Create to finalize the integration.

Troubleshooting authentication

If the Azure integration job does not complete, and you encounter a message such as: [validation_failure] Error occurred while validating integration configuration in your job log, check the following common configuration errors:

• Verify the Application (client) ID and Application (client) Secret: Make sure that you've verified the proper value for client ID and client secret. The client secret has both a Value property and a Secret ID property. The Secret ID is unused: make sure you haven't accidentally used the Secret ID as the Client ID.

• Verify that you've enabled the proper API permissions: Make sure the required API permissions (described above) are enabled for the application.

• Verify that the API permissions have been granted as "Application" and not "Delegated": The integration requires API Permissions of type Application. Permissions of type Delegated will cause issues in your integration.

• Verify that your permissions have been "Grant(ed) admin consent for Directory": If you have added API Permissions to the application, but have not granted Admin Consent, the permissions are not yet active.

Azure data model

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
FrontDoor	azure_frontdoor	Service
FrontDoor Backend Pool	azure_frontdoor_backend_pool	Configuration
FrontDoor Frontend Endpoint	azure_frontdoor_frontend_endpoint	Gateway
FrontDoor Routing Rule	azure_frontdoor_routing_rule	Rule
FrontDoor Rules Engine	azure_frontdoor_rules_engine	Ruleset
[AD] Account	azure_account	Account
[AD] Device	azure_device	Device
[AD] Group	azure_user_group	UserGroup
[AD] Group Member	azure_group_member	User
[AD] Role Definition	azure_ad_role_definition	AccessRole
[AD] Service Principal	azure_service_principal	Service
[AD] User	azure_user	User
[RM] API Management API	azure_api_management_api	ApplicationEndpoint
[RM] API Management Service	azure_api_management_service	Gateway
[RM] Advisor Recommendation	azure_advisor_recommendation	Finding
[RM] App Service Plan	azure_app_service_plan	Configuration
[RM] Azure Kubernetes Cluster	azure_kubernetes_cluster	Cluster
[RM] Azure Managed Disk	azure_managed_disk	DataStore, Disk
[RM] Batch Account	azure_batch_account	Service
[RM] Batch Application	azure_batch_application	Process
[RM] Batch Certificate	azure_batch_certificate	Certificate
[RM] Batch Pool	azure_batch_pool	Cluster
[RM] CDN Endpoint	azure_cdn_endpoint	Gateway
[RM] CDN Profile	azure_cdn_profile	Service
[RM] Classic Admin	azure_classic_admin_group	UserGroup
[RM] Container	azure_container	Container
[RM] Container Group	azure_container_group	Group
[RM] Container Registry	azure_container_registry	DataStore
[RM] Container Registry Webhook	azure_container_registry_webhook	ApplicationEndpoint
[RM] Container Volume	azure_container_volume	Disk
[RM] Cosmos DB Account	azure_cosmosdb_account	Account, Service
[RM] Cosmos DB Database	azure_cosmosdb_sql_database	Database, DataStore
[RM] DNS Record Set	azure_dns_record_set	DomainRecord
[RM] DNS Zone	azure_dns_zone	DomainZone
[RM] Event Grid Domain	azure_event_grid_domain	Service
[RM] Event Grid Domain Topic	azure_event_grid_domain_topic	Queue
[RM] Event Grid Topic	azure_event_grid_topic	Queue
[RM] Event Grid Topic Subscription	azure_event_grid_topic_subscription	Subscription
[RM] Firewall Policy	azure_network_firewall_policy	Policy
[RM] Function App	azure_function_app	Function
[RM] Gallery	azure_gallery	Repository
[RM] Image	azure_image	Image
[RM] Key Vault	azure_keyvault_service	Service
[RM] Key Vault Key	azure_keyvault_key	Key
[RM] Key Vault Secret	azure_keyvault_secret	Secret
[RM] Load Balancer	azure_lb	Gateway
[RM] Management Group	azure_management_group	Group
[RM] MariaDB Database	azure_mariadb_database	Database, DataStore
[RM] MariaDB Server	azure_mariadb_server	Database, DataStore, Host
[RM] Monitor Activity Log Alert	azure_monitor_activity_log_alert	Rule
[RM] Monitor Diagnostic Settings Resource	azure_diagnostic_setting	Configuration
[RM] Monitor Log Profile	azure_monitor_log_profile	Configuration
[RM] MySQL Database	azure_mysql_database	Database, DataStore
[RM] MySQL Server	azure_mysql_server	Database, DataStore, Host
[RM] Network Firewall	azure_network_firewall	Firewall
[RM] Network Interface	azure_nic	NetworkInterface
[RM] Network Watcher	azure_network_watcher	Resource
[RM] Policy Assignment	azure_policy_assignment	ControlPolicy
[RM] Policy Definition	azure_policy_definition	Rule
[RM] Policy Set Definition	azure_policy_set_definition	Ruleset
[RM] Policy State	azure_policy_state	Review
[RM] PostgreSQL Database	azure_postgresql_database	Database, DataStore
[RM] PostgreSQL Server	azure_postgresql_server	Database, DataStore, Host
[RM] PostgreSQL Server Firewall Rule	azure_postgresql_server_firewall_rule	Firewall
[RM] Private DNS Record Set	azure_private_dns_record_set	DomainRecord
[RM] Private DNS Zone	azure_private_dns_zone	DomainZone
[RM] Private Endpoint	azure_private_endpoint	NetworkEndpoint
[RM] Public IP Address	azure_public_ip	IpAddress
[RM] Redis Cache	azure_redis_cache	Database, DataStore, Cluster
[RM] Redis Firewall Rule	azure_firewall_rule	Firewall
[RM] Resource Group	azure_resource_group	Group
[RM] Resource Lock	azure_resource_lock	Rule
[RM] Role Assignment	azure_role_assignment	AccessPolicy
[RM] Role Definition	azure_role_definition	AccessRole
[RM] SQL Database	azure_sql_database	Database, DataStore
[RM] SQL Server	azure_sql_server	Database, DataStore, Host
[RM] SQL Server Active Directory Admin	azure_sql_server_active_directory_admin	AccessRole
[RM] SQL Server Firewall Rule	azure_sql_server_firewall_rule	Firewall
[RM] Security Assessment	azure_security_assessment	Assessment
[RM] Security Center Auto Provisioning Setting	azure_security_center_auto_provisioning_setting	Configuration
[RM] Security Center Setting	azure_security_center_setting	Configuration
[RM] Security Center Subscription Pricing	azure_security_center_subscription_pricing	Configuration
[RM] Security Contact	azure_security_center_contact	Resource
[RM] Security Group	azure_security_group	Firewall
[RM] Security Group Flow Logs	azure_security_group_flow_logs	Logs
[RM] Service Bus Namespace	azure_service_bus_namespace	Service
[RM] Service Bus Queue	azure_service_bus_queue	Queue
[RM] Service Bus Subscription	azure_service_bus_subscription	Subscription
[RM] Service Bus Topic	azure_service_bus_topic	Queue
[RM] Shared Image	azure_shared_image	Image
[RM] Shared Image Version	azure_shared_image_version	Image
[RM] Storage Account	azure_storage_account	Service
[RM] Storage Container	azure_storage_container	DataStore
[RM] Storage File Share	azure_storage_file_share	DataStore
[RM] Storage Queue	azure_storage_queue	Queue
[RM] Storage Table	azure_storage_table	DataStore, Database
[RM] Subnet	azure_subnet	Network
[RM] Subscription	azure_subscription	Account
[RM] Usage Details	azure_usage_details	Site
[RM] Virtual Machine	azure_vm	Host
[RM] Virtual Machine Extension	azure_vm_extension	Application
[RM] Virtual Machine Scale Set	azure_vm_scale_set	Deployment, Group
[RM] Virtual Network	azure_vnet	Network
[RM] Web App	azure_web_app	Application

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
azure_account	HAS	azure_user_group
azure_account	HAS	azure_keyvault_service
azure_account	HAS	azure_management_group
azure_account	HAS	azure_user
azure_api_management_service	HAS	azure_api_management_api
azure_security_assessment	IDENTIFIED	azure_advisor_recommendation
azure_batch_account	HAS	azure_batch_application
azure_batch_account	HAS	azure_batch_certificate
azure_batch_account	HAS	azure_batch_pool
azure_cdn_profile	HAS	azure_cdn_endpoint
azure_classic_admin_group	HAS	azure_user
azure_container_group	HAS	azure_container
azure_container_group	HAS	azure_container_volume
azure_container_registry	HAS	azure_container_registry_webhook
azure_container	USES	azure_container_volume
azure_container_volume	USES	azure_storage_file_share
azure_cosmosdb_account	HAS	azure_cosmosdb_sql_database
azure_diagnostic_setting	USES	azure_storage_account
azure_dns_zone	HAS	azure_dns_record_set
azure_event_grid_domain	HAS	azure_event_grid_domain_topic
azure_event_grid_domain_topic	HAS	azure_event_grid_topic_subscription
azure_event_grid_topic	HAS	azure_event_grid_topic_subscription
azure_frontdoor	HAS	azure_frontdoor_backend_pool
azure_frontdoor	HAS	azure_frontdoor_frontend_endpoint
azure_frontdoor	HAS	azure_frontdoor_routing_rule
azure_frontdoor	HAS	azure_frontdoor_rules_engine
azure_function_app	USES	azure_app_service_plan
azure_gallery	CONTAINS	azure_shared_image
azure_user_group	HAS	azure_user_group
azure_user_group	HAS	azure_group_member
azure_user_group	HAS	azure_user
azure_keyvault_service	ALLOWS	ANY_PRINCIPAL
azure_keyvault_service	CONTAINS	azure_keyvault_key
azure_keyvault_service	CONTAINS	azure_keyvault_secret
azure_lb	CONNECTS	azure_nic
azure_management_group	CONTAINS	azure_management_group
azure_mariadb_server	HAS	azure_mariadb_database
azure_monitor_activity_log_alert	MONITORS	ANY_SCOPE
azure_monitor_log_profile	USES	azure_storage_account
azure_mysql_server	HAS	azure_mysql_database
azure_network_firewall	HAS	azure_network_firewall_policy
azure_network_firewall_policy	EXTENDS	azure_network_firewall_policy
azure_network_watcher	HAS	azure_security_group_flow_logs
azure_policy_assignment	HAS	azure_policy_state
azure_policy_assignment	USES	azure_policy_definition
azure_policy_assignment	USES	azure_policy_set_definition
azure_policy_definition	DEFINES	azure_policy_state
azure_policy_set_definition	CONTAINS	azure_policy_definition
azure_postgresql_server	HAS	azure_postgresql_database
azure_postgresql_server	HAS	azure_postgresql_server_firewall_rule
azure_private_dns_zone	HAS	azure_private_dns_record_set
azure_private_endpoint	CONNECTS	ANY_RESOURCE
azure_private_endpoint	USES	azure_nic
azure_redis_cache	CONNECTS	azure_redis_cache
azure_redis_cache	HAS	azure_firewall_rule
azure_resource_group	HAS	azure_api_management_service
azure_resource_group	HAS	azure_app_service_plan
azure_resource_group	HAS	azure_batch_account
azure_resource_group	HAS	azure_cdn_profile
azure_resource_group	HAS	azure_container_group
azure_resource_group	HAS	azure_container_registry
azure_resource_group	HAS	azure_cosmosdb_account
azure_resource_group	HAS	azure_dns_zone
azure_resource_group	HAS	azure_event_grid_domain
azure_resource_group	HAS	azure_event_grid_topic
azure_resource_group	HAS	azure_frontdoor
azure_resource_group	HAS	azure_function_app
azure_resource_group	HAS	azure_gallery
azure_resource_group	HAS	azure_image
azure_resource_group	HAS	azure_keyvault_service
azure_resource_group	HAS	azure_kubernetes_cluster
azure_resource_group	HAS	azure_lb
azure_resource_group	HAS	azure_managed_disk
azure_resource_group	HAS	azure_mariadb_server
azure_resource_group	HAS	azure_monitor_activity_log_alert
azure_resource_group	HAS	azure_mysql_server
azure_resource_group	HAS	azure_network_firewall
azure_resource_group	HAS	azure_network_watcher
azure_resource_group	HAS	azure_nic
azure_resource_group	HAS	azure_postgresql_server
azure_resource_group	HAS	azure_private_dns_zone
azure_resource_group	HAS	azure_private_endpoint
azure_resource_group	HAS	azure_public_ip
azure_resource_group	HAS	azure_redis_cache
azure_resource_group	HAS	azure_security_group
azure_resource_group	HAS	azure_service_bus_namespace
azure_resource_group	HAS	azure_sql_server
azure_resource_group	HAS	azure_storage_account
azure_resource_group	HAS	azure_vm
azure_resource_group	HAS	azure_vm_scale_set
azure_resource_group	HAS	azure_vnet
azure_resource_group	HAS	azure_web_app
ANY_SCOPE	HAS	azure_diagnostic_setting
ANY_SCOPE	HAS	azure_advisor_recommendation
ANY_SCOPE	HAS	azure_policy_assignment
ANY_RESOURCE	HAS	azure_policy_state
azure_resource_lock	HAS	ANY_SCOPE
azure_role_assignment	ALLOWS	ANY_SCOPE
azure_role_assignment	ASSIGNED	azure_application
azure_role_assignment	ASSIGNED	azure_directory
azure_role_assignment	ASSIGNED	azure_directory_role_template
azure_role_assignment	ASSIGNED	azure_everyone
azure_role_assignment	ASSIGNED	azure_foreign_group
azure_role_assignment	ASSIGNED	azure_msi
azure_role_assignment	ASSIGNED	azure_service_principal
azure_role_assignment	ASSIGNED	azure_unknown
azure_role_assignment	ASSIGNED	azure_unknown_principal_type
azure_role_assignment	ASSIGNED	azure_user
azure_role_assignment	ASSIGNED	azure_user_group
azure_role_assignment	USES	azure_role_definition
azure_security_group_flow_logs	USES	azure_storage_account
azure_security_group	HAS	azure_security_group_flow_logs
azure_security_group	PROTECTS	azure_nic
azure_security_group	PROTECTS	azure_subnet
azure_security_group	ALLOWS	azure_subnet
azure_subnet	ALLOWS	azure_security_group
azure_security_group	DENIES	azure_subnet
azure_subnet	DENIES	azure_security_group
azure_service_bus_namespace	HAS	azure_service_bus_queue
azure_service_bus_namespace	HAS	azure_service_bus_topic
azure_service_bus_topic	HAS	azure_service_bus_subscription
azure_service_principal	HAS	ad-role-definitions
azure_shared_image	HAS	azure_shared_image_version
azure_sql_server	HAS	azure_sql_server_active_directory_admin
azure_sql_server	HAS	azure_sql_database
azure_sql_server	HAS	azure_sql_server_firewall_rule
azure_storage_account	HAS	azure_storage_container
azure_storage_account	HAS	azure_storage_file_share
azure_storage_account	HAS	azure_storage_queue
azure_storage_account	HAS	azure_storage_table
azure_storage_account	USES	azure_keyvault_service
azure_subnet	HAS	azure_private_endpoint
azure_subnet	HAS	azure_vm
azure_subscription	CONTAINS	azure_role_definition
azure_subscription	HAS	azure_monitor_log_profile
azure_subscription	HAS	azure_resource_group
azure_subscription	HAS	azure_security_center_auto_provisioning_setting
azure_subscription	HAS	azure_security_center_contact
azure_subscription	HAS	azure_security_center_setting
azure_subscription	HAS	azure_security_center_subscription_pricing
azure_subscription	PERFORMED	azure_security_assessment
azure_subscription	HAS	azure_usage_details
azure_user	HAS	ad-role-definitions
azure_user	HAS	azure_device
azure_vm	GENERATED	azure_shared_image_version
azure_vm_scale_set	USES	azure_shared_image
azure_vm_scale_set	USES	azure_shared_image
azure_vm	USES	azure_image
azure_vm	USES	azure_managed_disk
azure_vm	USES	azure_service_principal
azure_vm	USES	azure_nic
azure_vm	USES	azure_public_ip
azure_vm	USES	azure_vm_scale_set
azure_vm	USES	azure_shared_image
azure_vm	USES	azure_shared_image_version
azure_vm	USES	azure_storage_account
azure_vnet	CONTAINS	azure_subnet
azure_web_app	USES	azure_app_service_plan

Mapped Relationships

The following mapped relationships are created:

Source Entity _type	Relationship _class	Target Entity _type	Direction
azure_network_watcher	HAS	*azure_location*	REVERSE
azure_management_group	HAS	*azure_subscription*	FORWARD
azure_network_firewall	ALLOWS	*internet*	FORWARD
azure_network_firewall	ALLOWS	*internet*	REVERSE
azure_network_firewall	DENIES	*internet*	FORWARD
azure_network_firewall	DENIES	*internet*	REVERSE
azure_subscription	USES	*azure_location*	FORWARD