# Automated deployment

## Starting Data Source Connector Setup

This will be done in your Vectra UI at *Configuration → Data Sources → Microsoft Azure* and begins the process of enabling Vectra to pull logs from your Azure tenant.

* Navigate in your Vectra UI (Respond UX) to *Configuration → Data Sources → Microsoft Azure* and click the **+ Create Azure Connector** button in the top right.
  * You can expand the **Resources** area below for links and a demo deployment video.
* If Microsoft Azure is not listed as an available Data Source to deploy in your UI, please contact your Vectra account team.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FyWohjC5cKJTjlgTon12b%2Fimage.png?alt=media&#x26;token=38e18b33-48ff-4f0e-a583-5568f4f0aa87" alt=""><figcaption></figcaption></figure>

* Give your connector a name and then click **Create and Continue**.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2F71hz3oiw7DHFY9iL8hTh%2Fimage.png?alt=media&#x26;token=e6abad61-e6b6-4c3f-8fd5-57bcea1be247" alt="" width="563"><figcaption></figcaption></figure>

* After clicking **Create and Continue** you will be in a **Configuring Azure Connector** flow that guides you through the remaining steps that are needed to complete the overall Azure Data Source Connector setup.
* If you need to complete other work before your deployment is complete, it’s ok to close this window or just open another browser tab for the other work. You can come back and complete deployment later.

## Configuring Azure Connector Overview

{% stepper %}
{% step %}

#### [Grant Vectra Access](#id-2.-granting-vectra-access-to-your-azure-tenant)

* After creating the Azure data source connector name, a link will be given to follow a consent process that creates an Enterprise application (Service Principal) in your Microsoft Azure tenant.
* When Vectra collects logs from the storage accounts, we assume this Service Principal in order to read any generated logs.
  {% endstep %}

{% step %}

#### [Select Coverage](#select-coverage-1)

* In a future update, Vectra will be adding Azure Flow and DNS logs as additional coverage options for Azure. You will be able to choose the desired coverage for your connector with the choices made on this screen.
  {% endstep %}

{% step %}

#### [Deploy to Azure](#id-3.-deploy-to-azure)

* Vectra creates storage accounts (with 4-day retention) to temporarily store your logs prior to ingestion.
* Vectra creates Azure policy initiatives, policies, and assignments that enforce diagnostic settings on your Azure resources to enable logging and store the logs in the storage accounts.
  {% endstep %}

{% step %}

#### [Wait 24 Hours](#id-4.-wait-24-hours)

* After step 3, Azure will initiate an automated compliance scan to determine which resources are not in compliance with the policies that were just put in place.
* There is no set amount of time required or easy way to determine if this scan has been completed.
* Vectra can send an automated email notification if desired to help keep track of the time.
  {% endstep %}

{% step %}

#### [Remediate Policies](#id-5.-remediate-policies)

* After waiting 24 hours for automated Azure policy compliance scans to complete, remediation tasks are run to remediate pre-existing resources so that they log properly.
  {% endstep %}

{% step %}

#### [Provide Log Location](#id-6.-provide-log-location)

* After completing step 5, you will input the resource group that contains the storage locations in the Data Source Connector setup dialog to complete the initial deployment process.
* Vectra then begins to collect log data from the storage accounts.
* Any resources created after the initial deployment are automatically remediated for the supported log types and locations that were configured in the initial deployment.
* When new locations are added or Vectra adds additional supported log types, simply re-run step 3 to step 5 to enable support for the new locations or log types. Deployment is an idempotent process.
  {% endstep %}
  {% endstepper %}

## 1. Grant Vectra Access

In this step you will follow a consent process that allows Vectra to ingest Azure platform logs from the storage locations that will be created in the next step. This consent process creates a trust relationship between your Azure tenant and the Vectra AI Platform using Microsoft’s best practices as described in this [Microsoft Document](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app). It uses the Microsoft app registration process and creates an Enterprise Application (aka Service Principal) in your Azure tenant.

* Permissions required by the user who will perform the consent process:
  * Global Administrator in Entra ID (Azure AD)
* Please see [Appendix 1 - Azure configuration notes](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes) for full details about:
  * The [required permissions during deployment](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#required-permissions-during-deployment).
  * The [permissions required post deployment](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#permissions-required-post-deployment).
  * What [Vectra creates in Azure and why](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#what-vectra-creates-in-azure-and-why).

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FGcFLr3LmKTD12fPJ41eY%2Fimage.png?alt=media&#x26;token=cb8dedc8-92bc-4b87-a4f2-9c86c9a7bb22" alt=""><figcaption></figcaption></figure>

* Click either on **Authorize Vectra in Azure** or **Copy Authorization Link.**
  * **Authorize Vectra in Azure** - Opens the link in new tab.
  * **Copy Authorization Link** - Copies the link so you can provide it to someone else.
    * This is useful when you may not have the required privileges to complete this step.
    * Remember, you need Global Administrator privileges in Entra ID to accomplish this step.
* Step through the following pages, choosing an appropriate entity and logging in if required.

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-75a570a21d9ae211eb3bd6f5e5ec2e49f7561110%2Fcdr-for-azure-deployment-guide-5.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-cba128125cac779d38db58677df3b8fed520cbba%2Fcdr-for-azure-deployment-guide-6.png?alt=media) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-6c88c22b6d76b18955dd31fcb9843f4814e5ac41%2Fcdr-for-azure-deployment-guide-7.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-da80bae477dde074b09724597fdd0690aa169865%2Fcdr-for-azure-deployment-guide-8.png?alt=media) |

{% hint style="success" %}
You have completed this step when you see the checkmark with **Permission granted successfully!**
{% endhint %}

## 2. Select Coverage

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FYWLGHCnuqVq22z0C6a7i%2Fimage.png?alt=media&#x26;token=74a97b2a-db1f-46a2-a72f-c5c9d6581040" alt=""><figcaption></figcaption></figure>

As per the [configuring Azure connector](#configuring-azure-connector-steps) steps above, in a future update, Vectra will be adding Azure Flow and DNS logs as additional coverage options for Azure. You will be able to choose the desired coverage for your connector with the choices made on this screen.

If you wish to participate in this prior to it being generally available, please contact your Vectra account team.

For now, please ensure that **Azure CDR (Control Plane)** is selected and then move on.

## 3. Deploy to Azure

A Vectra-provided ARM template will execute the main deployment, which includes:

* Creating Resource Group
* Creating Storage Accounts
* Creating User Assigned Managed Identity
* Creating Policy Definitions and Assignments

For additional details please see [what Vectra creates in Azure and why](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#what-vectra-creates-in-azure-and-why) in [Appendix 1](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes).

### Prerequisites

Prior to running the automated deployment template there are several prerequisites that need to be completed. Gather the following parameters that will later be input as parameters for the ARM template deployments in step 3 (this step) and step 5 (remediating policies).

**Management Group** – This is the scope of coverage you desire for your tenant.

* Vectra will configure all subscriptions and locations (that have any resources deployed in them) that are included in the selected management group for Vectra CDR for Azure.
  * Please see [Unsupported Azure Locations](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#unsupported-azure-locations) for details on unsupported locations.

{% hint style="info" %}
Vectra’s automated deployment relies on management group functionality. If you do not use management groups, please get in touch with your account team to discuss options.
{% endhint %}

* Existing management groups can be used, and per [Microsoft Guidance](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups), it is suggested to use an Intermediate Root Management Group that is located directly under the Tenant Root Group to ensure full coverage of all resources in your Azure Tenant. Our example deployment uses the Tenant Root Group. This is supported but is not a best practice.
* Management groups can be retrieved from [*https://portal.azure.com*](https://portal.azure.com/) *> Management groups.*

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-25251a35d1662406fe9b9d930e0edc2c1a10b6f6%2Fcdr-for-azure-deployment-guide-9.png?alt=media)

* Copy the **ID** of the management group you wish to use for deployment.

{% hint style="danger" %}
**DO NOT** use a subscription ID from this page. Use only a management group. Be careful as both ID types are in the same column.
{% endhint %}

**Region** – Default region for the deployment.

* It is recommended to choose where you typically deploy the majority of your resources.
  * Please see [Unsupported Azure Locations](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#unsupported-azure-locations) for details on unsupported locations.
* As an example, the storage account used for global Azure activity logs will be created here.

**Target Logging Subscription ID** – Which subscription you want the Vectra resources deployed to.

* This should be a pre-existing subscription and is where Vectra will create a resource group.
* Example: `01234567-0123-4567-89ab-0123456789ab`
* Look in [*https://portal.azure.com*](https://portal.azure.com/) *> Subscriptions* or *Management groups.*

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-be908392ad93342dd11270dfae675a745d6c65a1%2Fcdr-for-azure-deployment-guide-10.png?alt=media)

{% hint style="danger" %}
**DO NOT** use a management group ID from this page. Use only a subscription ID. Be careful as both ID types are in the same column.
{% endhint %}

**Enterprise App Object ID** - This should be the Service Principal Object ID of the Enterprise Application created in [1. Grant Vectra Access](#id-1.-grant-vectra-access). If you have not completed this step, you will not find the app.

* This can be found in [https://portal.azure.com](https://portal.azure.com/) *> Microsoft Entra ID > Enterprise applications*. Search for **Vectra AI – CDR for Azure** and copy the **Object ID** field for later use.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-34c569b24977b55b731f4db4145cebd67473d355%2Fcdr-for-azure-deployment-guide-11.png?alt=media)

**Optional Target Logging Locations** – Optional array of Azure locations to configure logging for.

* The standard process is to leave this at the default of `[]` which is an empty set.
  * Vectra’s ARM template will determine the locations that are being used in all subscriptions in the selected management group and configure logging for them.

{% hint style="warning" %}
**Please Note:**

Some customer Azure architectures can interfere with the automated location discovery process used by the ARM template deployment.

* If after [executing the main deployment](#executing-main-deployment), the **Outputs** tab of the deployment shows an `installLocations` of `[]` then you must execute the main deployment again.

* For the subsequent deployment, the Optional Target Logging Locations array should be configured with an array of desired locations for the deployment.
  {% endhint %}

* Example format: `["ukwest", "westeurope", "westus"]`

* As an example, the following command at the Azure CLI showed locations that were active in our test deployment:

```
$ az resource list --query "[].location" --output tsv | sort | uniq
australiaeast
centralus
eastus
eastus2
francecentral
germanywestcentral
global
japaneast
koreacentral
northeurope
southcentralus
southeastasia
switzerlandnorth
uaenorth
uksouth
westeurope
westus
westus2
```

{% hint style="info" %}
One option to easily produce the required format is a site such as:

* <https://capitalizemytitle.com/tools/column-to-comma-separated-list/>
* Simply paste the desired list of locations in the left box, choose a delimiter of a comma, use an item prefix and suffix of a double quote, a list prefix of a left bracket, and list suffix of a right bracket.
  {% endhint %}
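
The same array can be produced locally in the shell where the Azure CLI runs. The following is an added example, not part of Vectra's tooling: `locations_to_array` is a hypothetical helper name, the sample input is constructed, and whether to leave out an entry such as `global` is an assumption the page does not address.

```shell
# Build the JSON array expected by "Optional Target Logging Locations"
# from one location name per line on stdin.
# Optional arguments: location names to leave out of the array.
#
# Typical use (the az command is the one shown above):
#   az resource list --query "[].location" --output tsv | locations_to_array global
locations_to_array() {
    tr -d '\r' |                                      # tolerate CRLF input
    tr 'A-Z' 'a-z' |                                  # location names are lowercase
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |      # trim stray blanks
    LC_ALL=C sort -u |                                # dedupe, stable order
    awk -v skip=" $* " '
        $0 == "" { next }                             # ignore empty lines
        $0 !~ /^[a-z0-9]+$/ {                         # anything else is not a location name
            print "skipping unexpected value: " $0 | "cat 1>&2"
            next
        }
        index(skip, " " $0 " ") { next }              # caller asked to leave this one out
        { out = out (n++ ? ", " : "") "\"" $0 "\"" }
        END { print "[" out "]" }'
}

# Constructed sample input: duplicates, mixed case, a CRLF line ending,
# an empty line and the "global" pseudo-location.
sample_locations() {
    printf 'westus\nukwest\nglobal\nWestEurope\r\nukwest\n\n'
}

sample_locations | locations_to_array global
```

An empty input yields `[]`, which is the default value of the field.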

Ensure you have the following permissions in Azure before executing the deployment template:

* **Global Administrator**
* **Resource Policy Contributor** – at the management group level you will be deploying at.
* **User Access Administrator** – at the management group level you will be deploying at.
  * This can be a temporary elevation.
* If you are unsure if you have the proper permissions or need to elevate some of your permissions to do the deployment, please see [Appendix 1 - Azure configuration notes](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes).

### Executing Main Deployment

* As per the [Prerequisites](#prerequisites) section, please ensure you have gathered all the required information. You will also need to have the required permissions before continuing.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FWka1dmNa9AZ8navlPbQN%2Fimage.png?alt=media&#x26;token=237fea98-b86d-413d-b4e7-8997eaba7936" alt=""><figcaption></figcaption></figure>

* Click either on **Open Deployment Template in Azure** or **Copy Deployment Template Link.**
  * **Open Deployment Template in Azure** - Opens the link in new tab.
  * **Copy Deployment Template Link** - Copies the link so you can provide it to someone else.
    * This is useful when you may not have the required privileges to complete this step.
* This will open a **Deploy a custom template** (also known as **Custom deployment**) page in your Azure portal where you can fill in the information that you collected from the [Prerequisites](#prerequisites) section earlier.
* Fill in the required information and proceed through the template deployment.

{% hint style="info" %}
**Please Note!**

If you require configuration of private access for the storage accounts that will be created during this step, please see [Configuring Private Access for Azure Storage Accounts](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#configuring-private-access-for-azure-storage-accounts) for details.
{% endhint %}

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-b86c0d8f085edf36e7b38c406e5cd4c6bf5c9010%2Fcdr-for-azure-deployment-guide-13.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-653acb222ed89d82ca743ef423e1bfb96a3b6f94%2Fcdr-for-azure-deployment-guide-14.png?alt=media) |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

* The template deployment will proceed with progress updates being provided by Azure. In our test environment, it took around 10 minutes to deploy. Deployment time will vary based on the size of your deployment.

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-fbd363d34bd0d382c151e4a2be92fd94db44c3e2%2Fcdr-for-azure-deployment-guide-15.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-e82a661529ae6a8719f97acb34642a487c3b8875%2Fcdr-for-azure-deployment-guide-16.png?alt=media) |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

* Once the deployment is complete, navigate to the **Outputs** page (green arrow in the right screenshot above) and copy the `resourceGroupId` (see screenshot below) for later use in the Vectra Data Source Connector setup dialog.
  * Do **NOT** complete the Data Source Connector setup until completing **Remediate Policies**.
  * It is ok to close the Data Source Connector setup dialog and come back to complete it later.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-e45c9d9411fbac3f4b4265edbbae600dde9d3d2a%2Fcdr-for-azure-deployment-guide-17.png?alt=media)

{% hint style="warning" %}
If, after the ARM template deployment completes, `installLocations` shows `[]` (an empty set), then, as per the [Prerequisites](#prerequisites), you must do this deployment again but supply locations as an array in the **Optional Target Logging Locations** input.
{% endhint %}

{% hint style="info" %}
You may want to also copy the `installLocations` to keep a record of which locations were covered during the template deployment. This is not needed to complete deployment now, but if you add additional locations in the future, it may be useful to know which locations are already covered by Vectra CDR for Azure.

* See [Appendix 2 - Adding additional locations or resources](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-2-adding-additional-locations-or-resources) for more details.
  {% endhint %}

{% hint style="success" %}
Once you see **Your deployment is complete**, you are happy with the `installLocations`, and you have made note of the `resourceGroupId` for later completion of the data source connector setup, you have completed this step.
{% endhint %}

## 4. Wait 24 Hours

After completing the prior step (Executing the main deployment (Deploy to Azure)), Azure will initiate an automated compliance scan to determine which resources are not in compliance with the policies that were just put in place.

* There is no set amount of time required or easy way to determine if this scan has been completed.
* Vectra recommends **waiting for 24 hours** before continuing with this step to ensure that the scan has completed. If you run the remediation ARM before the automated compliance scan has completed, Azure will not know which resources need to be remediated, and pre-existing resources will not be remediated.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FRqMbFfx7VDMfJ9Vqhma8%2Fimage.png?alt=media&#x26;token=83e13ef0-c5fd-442f-a79d-c063c7530917" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If you wish to be reminded via email when 24 hours has elapsed, please enter an email address and submit it as per the screenshot above.
{% endhint %}

**Example Reminder Email:**

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FFuKKfshjCZuNXZkoO8uu%2Fimage.png?alt=media&#x26;token=ca5fcaeb-2c1f-41c1-a16b-e73ef9220ccf" alt="" width="563"><figcaption></figcaption></figure>

## 5. Remediate Policies

**General Remediation Guidance**

Existing resources in your environment need to be remediated to be compliant with the policies for logging that Vectra created in step 3. Any new resources (of the types supported by Vectra) that are deployed (in the `installLocations`) after you have completed your Vectra CDR for Azure deployment will automatically be made compliant by Azure with the policies that Vectra put in place and will not need remediation.

Vectra CDR for Azure supports the following Azure platform logs:

* Global Azure subscription activity Logs
* Resource logs for the following resource types: Automation Account, Key Vault, and Storage Accounts.

{% hint style="info" %}
As Vectra continually does security research, additional log types may be supported in the future. Running the ARM template deployment process is an idempotent process. The same steps can be run again in the future, and nothing will change with resources that Vectra has already deployed.

If you add any new Azure regions/locations to your deployment or if Vectra adds additional supported resource types, simply re-run steps 3 to 5.
{% endhint %}

**Remediating Policies**

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2F4qngmJmLfLzMVul1FN1X%2Fimage.png?alt=media&#x26;token=1eb3bb6a-de5e-456b-93ed-33fa7826f6c2" alt=""><figcaption></figcaption></figure>

* Click either on **Open Remediation Template in Azure** or **Copy Remediation Template Link.**
  * **Open Remediation Template in Azure** - Opens the link in new tab.
  * **Copy Remediation Template Link** - Copies the link so you can provide it to someone else.
    * This is useful when you may not have the required privileges to complete this step.
* This will open a **Deploy a custom template** (also known as **Custom deployment**) page in your Azure portal where you can fill in some of the information that you collected from the [Prerequisites](#prerequisites) section earlier.
* Fill in the required information and proceed through the template deployment.

{% hint style="info" %}

* If your initial execution of [executing the main deployment](#executing-main-deployment) worked without having to do a subsequent run where you supplied Optional Target Logging Locations, then you can leave that field blank here.
* If you had to supply Optional Target Logging Locations previously, you should supply the same location array as before.
  {% endhint %}

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-c4019a6901b13ed48dc9fb3829556ad308881251%2Fcdr-for-azure-deployment-guide-19.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-80ee17acdbdb5fa47e9b5491f7eeeda0be2f2fb2%2Fcdr-for-azure-deployment-guide-20.png?alt=media) |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

* The template deployment will proceed with progress updates being provided by Azure. In our test environment, it took around 10 minutes to deploy. Deployment time will vary based on the size of your deployment.

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-dd2f81c8badbb8223cbc1eecfd580ae8d109ccf8%2Fcdr-for-azure-deployment-guide-21.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-822ee21abfed50783f4aa79eb4d7f5ef9120577f%2Fcdr-for-azure-deployment-guide-22.png?alt=media) |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

{% hint style="success" %}
Once you see **Your deployment is complete**, all resources that required remediation, in all the deployed locations, have been remediated. Said simply, diagnostics settings have been applied to them that direct logs to be stored in the appropriate storage accounts for retrieval by Vectra.
{% endhint %}

## 6. Provide Log Location

Now that the Azure side of the deployment is completed, we need to complete the setup of the Vectra Azure Data Source connector that we began earlier.

* You should have already copied the `resourceGroupId` during the Executing the main deployment (Deploy to Azure) step but if misplaced, you can easily retrieve it:
  * Navigate to [*https://portal.azure.com*](https://portal.azure.com/) *> Resource Groups.*
  * Search for or scroll to the `rg-vectra-cdr` resource group and click into it.
  * Click the **JSON View** link in the top right.
  * Click the copy button in the Resource ID field.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-f423486194069473ae8d1d36afc40553b58ca07c%2Fcdr-for-azure-deployment-guide-23.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-6056a29cc799797ccce1f77f5ef6ffb6b7e65258%2Fcdr-for-azure-deployment-guide-24.png?alt=media" alt=""><figcaption></figcaption></figure>

* To complete the deployment in the Vectra UI, paste the resourceGroupId you copied earlier into the **Azure Log Location** field and click **Save and Complete Setup**.
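
Before pasting, the copied value can be checked against the Target Logging Subscription ID gathered in the prerequisites. This is an added example, not Vectra's code: `check_resource_group_id` is a hypothetical helper, the sample IDs are constructed, and it assumes the `resourceGroupId` has the standard ARM form `/subscriptions/<subscription ID>/resourceGroups/<name>`.

```shell
# Pre-flight check for the value pasted into "Azure Log Location".
# Usage: check_resource_group_id RESOURCE_GROUP_ID TARGET_SUBSCRIPTION_ID
# Returns 0 if the ID is a resource group in the expected subscription,
#         1 if the value is not a resource group ID,
#         2 if it points at a different subscription.
check_resource_group_id() {
    id=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    rest=${id#/subscriptions/}
    if [ "$rest" = "$id" ]; then
        echo "not a resource ID (no /subscriptions/ prefix): $id" >&2
        return 1
    fi

    sub_raw=${rest%%/*}              # segment right after /subscriptions/
    after=${rest#"$sub_raw"/}        # what follows the subscription segment
    case "$after" in
        resource[Gg]roups/?*) rg=${after#*/} ;;
        *) echo "no resourceGroups segment after the subscription: $id" >&2
           return 1 ;;
    esac

    # The subscription segment must be a GUID.
    sub=$(printf '%s' "$sub_raw" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$sub" |
         grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "subscription segment is not a GUID: $sub_raw" >&2
        return 1
    fi

    # Anything after the group name means a child resource ID was copied
    # (for example one of the storage accounts inside the group).
    case "$rg" in
        */*) echo "expected a resource group ID, got a child resource: $id" >&2
             return 1 ;;
    esac

    if [ "$sub" != "$want" ]; then
        echo "resource group is in subscription $sub, expected $want" >&2
        return 2
    fi
    return 0
}

# Constructed sample values (the GUID is the example format used in the prerequisites).
SAMPLE_SUB='01234567-0123-4567-89ab-0123456789ab'
SAMPLE_RG_ID="/subscriptions/$SAMPLE_SUB/resourceGroups/rg-vectra-cdr"

check_resource_group_id "$SAMPLE_RG_ID" "$SAMPLE_SUB" && echo "OK: $SAMPLE_RG_ID"
```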

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fepp7S6iUCjgTKx4qK1se%2Fimage.png?alt=media&#x26;token=b2ac9fee-64f5-4161-b97c-ec8cb9012e17" alt=""><figcaption></figcaption></figure>

* You should see a **Setup complete, awaiting first logs** message and then a **Logs flowing** message once Vectra begins processing your logs.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-033078b6afd9bc227eb70946cb4307afe3c09dde%2Fcdr-for-azure-deployment-guide-26.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-7594da658aa5f3c424785b07cba447b1c2c13c49%2Fcdr-for-azure-deployment-guide-27.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-652ce9781d8db66e1a923fefadb2c66f546719c7%2Fcdr-for-azure-deployment-guide-28.png?alt=media)

{% hint style="success" %}
Congratulations, you have completed the automated deployment process. Additional detail can be seen by expanding the connection name or hovering over the status message.
{% endhint %}
