Summary

Use this connector to seed the Censys ASM platform with accurate, up-to-date information about Internet-addressable assets in your Azure account for monitoring and enhanced discovery.

In this guide:

• Introduction

• Install the Censys Azure Cloud Connector

  • Create Config File

  • Create Environment File

  • Build and Run the Container

• Set Up Azure Account Access

Introduction

For each Azure tenant you enable, the cloud connector will connect to the following services to extract and send relevant data to the Censys ASM platform for:

• All Public Virtual Machine Instances
• All Serverless Instances
• DNS and Domain Information

What You'll Need:

• The Azure tenant ID
• Client ID, Client secret, and subscription ID for each Azure tenant
• Your Censys ASM API key
• A server with Docker and Docker Compose installed
• The cloud-connectors.tar.gz code file (please email Censys support for access)

Install the Censys Cloud Connector

Create Config File

cp -p azure_config.yml.example azure_config.yml

- AZURE_TENANT_ID: xxx-xxx-xxx-xxx
  AZURE_CLIENT_ID: xxx-xxx-xxx-xxx
  AZURE_CLIENT_SECRET: xxx-xxx-xxx-xxx
  AZURE_SUBSCRIPTION_ID: xxx-xxx-xxx-xxx

Create Environment File

cp -p env.example env

Open the cloud-connectors/docker/env file with an editor and replace the example values with your preferences.

Example YAML for Config File

Default values are shown.

CONNECTOR_TYPE= azure
CENSYS_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SEARCH_IPS=true
SEARCH_CONTAINERS=true
SEARCH_DATABASES=true
SEARCH_DNS=true

LOGGING_LEVEL=warning

SCAN_FREQUENCY=-1

Required Configurations

These configurations must be set.

• CONNECTOR_TYPE - The cloud connector type. Use azure
• CENSYS_API_KEY - Your Censys API key, found on the Censys Admin page.

Optional Configurations

• SEARCH_IPS - Search for public IP addresses in cloud services. Defaults to true.
• SEARCH_CONTAINERS - Search for public IP addresses in cloud container services. Defaults to true.
• SEARCH_DATABASES - Search for public IP addresses in cloud database services. Defaults to true.
• SEARCH_DNS - Search for public domain names in cloud DNS services. Defaults to true.
• LOGGING_LEVEL - Logging level with valid parameters [debug | info]. Defaults to warning when unset.
• SCAN_FREQUENCY - The period of time to wait between collection in minutes. To run the connector once and then exit, set this parameter to -1. This value can not be a positive number of less than 360 (6 hours). Defaults to -1 (run once and exit).

Build and Run the Container

To run the Censys cloud connector, navigate to the cloud-conectors root directory and execute the following command:

docker-compose up --build -d

The connector will begin collecting your cloud assets and uploading them to the Censys ASM platform as seeds.

Additional Help

In this section, we walk you through where you can find the required configuration information in your Azure tenant.

Set Up Azure Account Access

1. Visit the Active Directory page of your Azure tenant account. Copy your tenant ID.

2. Create a new user (or use an existing one) with the Global administrator role on the account(s) you would like to scan.

3. From the Active Directory page, navigate to the App registrations tab and click on the project you would like to scan. Record the Application (client) ID in the Overview tab.

4. Next, click the Certificates & secrets tab. Near the bottom of the page, create a new client secret (or use an existing one). Copy the client ID and secret.

5. Return to the Azure portal home page. In the search bar, type "subscriptions" and click on the subscriptions result with the key image. Copy the subscription ID(s) on this page.