THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS
The aim of this repository is to build a solution which will help you onboard multiple subscriptions within Management Groups or all subscriptions within a AD to Qualys CloudView. We have built a powershell program which will perform this solution.
This repository contains ==>
-
All subscriptions under a Tenant or AD : To onboard all the subscriptions under a Tenent or AD
- Input
"all"in the subscriptions field of configuration file
- Input
-
All subscriptions within a Management Group : To onboard all subscriptions within a management group
- Input
"ManagementGroupId"in the subscriptions field of configuration file
- Input
-
Multiple subscriptions listed in a CSV : To onboard selected subscriptions
- Input the complete path of CSV file containing the list of subscriptions to be onboarded in the subscriptions field of configuration file
Prerequisites:(an Azure AD application and service principal that can read resources) (An example)
1. Create application in Azure Active Directory: * Log on to the Microsoft Azure console.Goto Azure Active Directory -> App Regisrations . * Click New application registration and provide "Name" (A name for the application (e.g. My_Azure_Connector)), "Application Type" (Select Web app/API), "Sign-on URL" (Enter any valid URL (e.g. https://localhost/azure_con)) * Click Create. The newly created app appears in the list of applications. Copy the Application ID and Directory ID for config file. 2. Provide permission to the new application to access the Windows Azure Service Management API and create a secret key: * Navigate to Azure Active Directory -> App Regisrations and select the application that you created and go to API permissions under Manage Section. * Click Add a permission > Azure Service Management API and click Select. * Click Delegated Permissions, and select user_impersonation and then click Add Permissions. * Select the application that you created and go to Certificates & secrets and click on New client secret under Client secrets. * Add a description and expiry duration for the key and click Save. * The value of the key appears in the Value field. Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value as Authentication Key into the connector details. 3. Attach role (Reader Role) to the application created in step1: * Navigate to Management Groups * Select the group you want to add permissions to. * Click on Details, next to the name of the management group * Navigate to Access Control(IAM) and Clickon ADD -> Add role assignment * Type in Reader in "Role" field and assign it to your application.
-
Making the choice of deployment mode
All subscriptions in AD or All subscriptions in Management Group or Multiple subscriptions in AD -
Preparing the configuration file (An example)
- username: "Qualys username to call CloudView API"
- password: "Qualys password to call CloudView API"
- baseurl: "Qualys baseurl for CloudView API"
- subscriptions: "Either the CSV containing list of projectIds or all or ManagementGroupName"
- directoryId: "an unique identifier of your Azure Active Directory"
- applicationId: "an unique identifier of the Application you created for Qualys"
- authenticationKey: "Authentication key associated with the Application created above"
- debug: true/false
-
Preparing the csv file if deployment mode is not all the subscriptions Within AD or Management Group (An example)
subscriptionId subscription1 subscription2 -
Run the main powershell program