# Manual deployment

Vectra highly recommends the [Automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment) method for most customers.

If you have an existing Azure logging setup that you want to use to provide the required logs to Vectra, the manual deployment method may be preferable. Other customers may prefer to configure the required logging themselves rather than use the Vectra-provided ARM templates to automate the process.

Please keep in mind the following if you are interested in the manual deployment method:

{% hint style="info" %}
The ARM templates used in the [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment) process are readable before deploying them. You can look at what will be done before executing the deployment if you have any concerns about the content of the templates.
{% endhint %}

{% hint style="info" %}
When using the [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment), any new resources (of the types supported by Vectra) that are deployed after you have completed your automated deployment will automatically be made compliant by Azure with the policies that Vectra put in place and will not need remediation.

* This means that they will automatically be set to log to the storage account for the location/region the resource resides in.
  {% endhint %}

{% hint style="warning" %}
If manual deployment is used, it is up to the customer to configure logging to point to the storage accounts.

* This applies to any existing subscription or resource at initial deployment, and for any subscription or resource added after initial deployment.
  {% endhint %}

{% hint style="info" %}
For customers who are wondering if Vectra can retrieve the required logs from Azure Log Analytics if they are already being stored there:

* No, this is not possible as the required information is not available when logging is done in this manner.
  {% endhint %}

## Requirements

For manual deployment, please ensure the [General Requirements](https://docs.vectra.ai/deployment/cdr-for-azure/introduction-architecture-and-requirements#general-requirements) specified earlier have been satisfied.

The requirements below are specific to manual deployment and describe what will need to be created in Azure:

* **Resource Group**
  * A resource group to contain the storage accounts that will be used to temporarily hold the logs prior to Vectra ingesting them.
* **Storage Accounts**
  * Vectra recommends that customers configure 4-day retention for all storage accounts.
    * When using Vectra's [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment) this is set automatically.
  * One storage account that can be used for all subscription activity logs.
  * A storage account for each location/region that has supported resources deployed in it.
    * When writing logs to a storage account, Azure requires that the storage account be in the region that the resource resides in.
    * Supported resource types are Automation Accounts, Key Vaults, and Storage Accounts.
* **Vectra AI - CDR for Azure**
  * This enterprise application / service principal is still required in the manual deployment method.
  * It requires a role assigned to it that allows it to read from the resource group that was created to contain the storage accounts.
    * See [permissions required post deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes) for more details on specific role requirements.
* **Diagnostic Settings**
  * Need to be applied to each subscription and supported resource:
    * Any subscription you desire to be monitored by Vectra CDR for Azure should have its platform activity logs sent to the same storage account you created for this purpose.
      * For subscription logs - include all log categories.
    * Any supported resource you desire to be monitored by CDR for Azure should have its logs sent to the storage account you set up for the region/location the resource is deployed in.
      * For Automation Accounts - only the **AuditEvent** log type is required.
      * For Key Vaults - include **Audit Logs** and **Azure Policy Evaluation Details**.
      * For Storage Accounts - only the **Audit** category group is required.
        * This includes **Storage Read**, **Storage Write**, and **Storage Delete** categories.

## Starting Data Source Connector Setup

This will be done in your Vectra UI at *Configuration → Data Sources → Microsoft Azure* and begins the process of enabling Vectra to pull logs from your Azure tenant.

* Navigate in your Vectra UI (Respond UX) to *Configuration → Data Sources → Microsoft Azure* and click the **+ Create Azure Connector** button in the top right.
  * You can expand the **Resources** area below for links and a demo deployment video.
* If Microsoft Azure is not listed as an available Data Source to deploy in your UI, please contact your Vectra account team.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FyWohjC5cKJTjlgTon12b%2Fimage.png?alt=media&#x26;token=38e18b33-48ff-4f0e-a583-5568f4f0aa87" alt=""><figcaption></figcaption></figure>

* Give your connector a name and then click **Create and Continue**.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2F71hz3oiw7DHFY9iL8hTh%2Fimage.png?alt=media&#x26;token=e6abad61-e6b6-4c3f-8fd5-57bcea1be247" alt="" width="563"><figcaption></figcaption></figure>

* After clicking **Create and Continue** you will be in a **Configuring Azure Connector** flow that guides you through the remaining steps that are needed to complete the overall Azure Data Source Connector setup.
* If you need to complete other work before your deployment is complete, it’s ok to close this window or just open another browser tab for the other work. You can come back and complete deployment later.

## Configuring Azure Connector Overview

{% hint style="warning" %}
When doing a CDR for Azure manual deployment, the same **Configuring Azure Connector** flow that appears for the automated deployment is shown when adding a CDR for Azure data source connector.

Take care to only complete the steps as described below. Some of the steps are skipped for manual deployment and are described separately.
{% endhint %}

{% stepper %}
{% step %}

#### [Grant Vectra Access](#id-2.-granting-vectra-access-to-your-azure-tenant)

* This is the same step as in the [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment).
* After creating the Azure data source connector name, a link will be given to follow a consent process that creates an Enterprise application (Service Principal) in your Microsoft Azure tenant.
* When Vectra collects logs from the storage accounts, we assume this Service Principal in order to read any generated logs.
  {% endstep %}

{% step %}

#### [Select Coverage](#select-coverage-1)

* In a future update, Vectra will be adding Azure Flow and DNS logs as additional coverage options for Azure. You will be able to choose the desired coverage for your connector with the choices made on this screen.
  {% endstep %}

{% step %}

#### [Deploy to Azure](#id-3.-deploy-to-azure)

{% hint style="warning" %}
Please ignore this step in the UI for manual deployment. Vectra's main ARM template is linked here and this will not be used when manually deploying CDR for Azure.

Follow the steps outlined in Deploy to Azure below and NOT the instructions in step 3 in your Vectra UI.
{% endhint %}

**For Manual Deployment:**

* Create resource groups and storage accounts.
* Create and assign a role to the **Vectra AI - CDR for Azure** enterprise application.
* Set up logging.
  {% endstep %}

{% step %}

#### [Wait 24 Hours](#id-4.-wait-24-hours)

Even though Vectra's [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment) is not being used when deploying CDR for Azure manually, if your manual deployment uses Azure policy to set diagnostic resources, the same concepts still apply.

* When a new policy is put in place, Azure will initiate an automated compliance scan to determine which resources are not in compliance with the policies that were just put in place.
* There is no set amount of time required or easy way to determine if this scan has been completed.
  {% endstep %}

{% step %}

#### Remediate Policies

{% hint style="warning" %}
Please ignore this step entirely in the UI for manual deployment. Vectra's remediation ARM template is linked here and this will not be used when manually deploying CDR for Azure.

Customers should still remediate any resources that aren't compliant if they use Azure policy for their manual deployment, but due to the nature of manual deployment, Vectra does not provide instructions for this.
{% endhint %}
{% endstep %}

{% step %}

#### [Provide Log Location](#id-6.-provide-log-location)

* The resource group that contains the storage locations for your Azure logs needs to be entered in the Data Source Connector setup dialog to complete the initial deployment process.
* Vectra then begins to collect log data from the storage accounts.

{% hint style="warning" %}

* Any subscriptions or supported resources created after your initial deployment will need to have their diagnostic settings updated manually or via customer provided Azure policy to write logs to the appropriate storage accounts.
* Similarly, if any new locations are added or Vectra adds any new supported resource types, the customer is fully responsible for updating their configuration to collect the new logs in storage accounts in the resource group that was configured previously.
  {% endhint %}
  {% endstep %}
  {% endstepper %}

## 1. Grant Vectra Access

In this step you will follow a consent process that allows Vectra to ingest Azure platform logs from the storage locations that will be created in the next step. This consent process creates a trust relationship between your Azure tenant and the Vectra AI Platform using Microsoft’s best practices as described in this [Microsoft Document](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app). It uses the Microsoft app registration process and creates an Enterprise Application (aka Service Principal) in your Azure tenant.

* Permissions required by the user who will perform the consent process:
  * Global Administrator in Entra ID (Azure AD)
* Please see [Appendix 1 - Azure configuration notes](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes) for full details about:
  * The [required permissions during deployment](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#required-permissions-during-deployment).
  * The [permissions required post deployment](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#permissions-required-post-deployment).
  * What [Vectra creates in Azure and why](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#what-vectra-creates-in-azure-and-why).

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FGcFLr3LmKTD12fPJ41eY%2Fimage.png?alt=media&#x26;token=cb8dedc8-92bc-4b87-a4f2-9c86c9a7bb22" alt=""><figcaption></figcaption></figure>

* Click either on **Authorize Vectra in Azure** or **Copy Authorization Link.**
  * **Authorize Vectra in Azure** - Opens the link in new tab.
  * **Copy Authorization Link** - Copies the link so you can provide it to someone else.
    * This is useful when you may not have the required privileges to complete this step.
    * Remember, you need Global Administrator privileges in Entra ID to accomplish this step.
* Step through the following pages, choosing an appropriate entity and logging in if required.

| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-75a570a21d9ae211eb3bd6f5e5ec2e49f7561110%2Fcdr-for-azure-deployment-guide-5.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-cba128125cac779d38db58677df3b8fed520cbba%2Fcdr-for-azure-deployment-guide-6.png?alt=media) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-6c88c22b6d76b18955dd31fcb9843f4814e5ac41%2Fcdr-for-azure-deployment-guide-7.png?alt=media) | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-da80bae477dde074b09724597fdd0690aa169865%2Fcdr-for-azure-deployment-guide-8.png?alt=media) |

{% hint style="success" %}
You have completed this step when you see the checkmark with **Permission granted successfully!**
{% endhint %}

## 2. Select Coverage

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FYWLGHCnuqVq22z0C6a7i%2Fimage.png?alt=media&#x26;token=74a97b2a-db1f-46a2-a72f-c5c9d6581040" alt=""><figcaption></figcaption></figure>

As per the [configuring Azure connector](#configuring-azure-connector-steps) steps above, in a future update, Vectra will be adding Azure Flow and DNS logs as additional coverage options for Azure. You will be able to choose the desired coverage for your connector with the choices made on this screen.

If you wish to participate in this prior to it being generally available, please contact your Vectra account team.

For now, please ensure that **Azure CDR (Control Plane)** is selected and then move on.

## 3. Deploy to Azure

### Create Resource Group and Storage Accounts

Use any method you desire (Azure CLI / Cloud Shell, Azure Portal, custom tooling, etc) to create the required resource group and storage accounts that were specified in the manual deployment requirements. Please note the following:

* The naming convention you choose for the resource group and storage accounts does not matter to Vectra. Vectra will read all logs from any storage account in the resource group.
* The `resourceGroupId` will be required later to complete the Vectra Data Source Connector setup that you began in step 1. See below for the format to use (this is just an example):
  * `/subscriptions/b3fobfus-cate-dfor-securityeb01ff43e/resourceGroups/rg-vectra-cdr`
* If you require configuration of private access for the storage accounts created, please see [Configuring Private Access for Azure Storage Accounts](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#configuring-private-access-for-azure-storage-accounts) for details.

### Create and Assign Role for Vectra Enterprise App

The **Vectra AI - CDR for Azure** Enterprise application needs a role with specific permissions assigned to it so that it can read from the storage accounts that you created to temporarily hold the logs to be ingested by CDR for Azure.

Use any method you desire (Azure CLI / Cloud Shell, Azure Portal, custom tooling, etc) to create the required role and assign it to the **Vectra AI - CDR for Azure** Enterprise application.

The [permissions required post deployment](https://docs.vectra.ai/deployment/cdr-for-azure/appendix-1-azure-configuration-notes#permissions-required-post-deployment) are what need to be assigned to the role. If you have permissions issues, full guidance is available in [Appendix 1](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/appendix-1-azure-configuration-notes).

### Set up Logging

Use any method you desire (Azure CLI / Cloud Shell, Azure Portal, custom tooling, etc) to create the required diagnostic settings for the Azure platform logs you wish Vectra to analyze.

As per the manual deployment requirements, all subscription activity logs for any subscription you want Vectra to monitor should go to the same storage account in the resource group.

Also, remember that Azure will require each supported resource to log to a storage account that is in the same location/region that the resource is deployed in.

The log types required for subscriptions and for supported resources are listed in the table below:

| **Subscription or Resource Type** | **Log Categories Required**                                                  | **Example**                                                                                                                                                                                                                      |
| --------------------------------- | ---------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Subscription                      | All                                                                          | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-3c6836f7104fca851c1fcc807d7367f3c8248a04%2Fcdr-for-azure-deployment-guide-30.png?alt=media) |
| Automation Account                | AuditEvent                                                                   | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-d30742aa1256d2a881263bee8a226d5204a9f091%2Fcdr-for-azure-deployment-guide-31.png?alt=media) |
| Key Vault                         | Audit Logs, Azure Policy Evaluation Details                                  | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-33237a0d7cbe8ff77213c5032f0c92f950735ea9%2Fcdr-for-azure-deployment-guide-32.png?alt=media) |
| Storage Accounts                  | “audit” category gives Read/Write/Delete (all required) for storage accounts | ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-30dac0268b4b111492162f144682577bf01bcd79%2Fcdr-for-azure-deployment-guide-33.png?alt=media) |
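
Because manual deployment leaves coverage to the customer, it helps to audit an inventory of diagnostic settings against the requirements above before moving on. The following is an added example, not Vectra code: the input shape, the sample names and the placeholder subscription ID are constructed, and the category IDs are the Azure identifiers assumed to correspond to the display names in the table.

```python
# Added example (not Vectra code). Input shapes and sample names are constructed.
REQUIRED = {  # supported resource type -> required diagnostic log category IDs
    "microsoft.automation/automationaccounts": {"AuditEvent"},
    "microsoft.keyvault/vaults": {"AuditEvent", "AzurePolicyEvaluationDetails"},
    "microsoft.storage/storageaccounts": {"StorageRead", "StorageWrite", "StorageDelete"},
}
GROUPS = {"microsoft.storage/storageaccounts": {"audit"}}  # group covering the set
ACTIVITY_LOG = {"Administrative", "Security", "ServiceHealth", "Alert",
                "Recommendation", "Policy", "Autoscale", "ResourceHealth"}

def enabled(setting, key):
    """Enabled values of `key` ("category" or "categoryGroup") in one setting."""
    return {l[key] for l in setting.get("logs", []) if l.get("enabled") and l.get(key)}

def audit(resource_group_id, storage_accounts, subscriptions, resources):
    """Return sorted findings; an empty list means the requirements are met."""
    prefix = resource_group_id.lower().rstrip("/") + "/"
    region = {sid.lower(): loc.lower() for sid, loc in storage_accounts.items()}
    findings = []

    def check(name, setting, required, groups=frozenset()):
        """Record target/category findings; return the target account ID or None."""
        target = (setting or {}).get("storageAccountId", "").lower()
        if not (target.startswith(prefix) and target in region):
            why = "is outside the resource group" if target else "is not set"
            findings.append(f"{name}: storage account log target {why}")
            return None
        missing = required - enabled(setting, "category")
        if missing and not enabled(setting, "categoryGroup") & groups:
            findings.append(f"{name}: missing categories {sorted(missing)}")
        return target

    sub_targets = {check(s["id"], s.get("setting"), ACTIVITY_LOG) for s in subscriptions}
    if len(sub_targets - {None}) > 1:
        findings.append("subscriptions: activity logs are split across storage accounts")
    for res in resources:
        rtype, loc = res["type"].lower(), res["location"].lower()
        if rtype not in REQUIRED:
            continue  # not a resource type this page lists as supported
        target = check(res["id"], res.get("setting"), REQUIRED[rtype], GROUPS.get(rtype, frozenset()))
        if target and region[target] != loc:
            findings.append(f"{res['id']}: log target is in {region[target]}, resource is in {loc}")
    return sorted(findings)

# Constructed sample inventory (placeholder subscription ID, made-up names).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-vectra-cdr"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/"
ACCOUNTS = {SA + "logsactivity": "eastus", SA + "logseastus": "eastus"}

def setting(account, categories=(), group=None):
    logs = [{"category": c, "enabled": True} for c in categories]
    if group:
        logs.append({"categoryGroup": group, "enabled": True})
    return {"storageAccountId": SA + account, "logs": logs}

SUBSCRIPTIONS = [{"id": "sub-prod", "setting": setting("logsactivity", ACTIVITY_LOG)}]
RESOURCES = [
    {"id": "kv-app", "type": "Microsoft.KeyVault/vaults", "location": "westeurope",
     "setting": setting("logseastus", ["AuditEvent"])},  # wrong region, one category short
    {"id": "aa-jobs", "type": "Microsoft.Automation/automationAccounts", "location": "eastus"},
    {"id": "stdata", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "setting": setting("logseastus", group="audit")},  # compliant
]

if __name__ == "__main__":
    print("\n".join(audit(RG, ACCOUNTS, SUBSCRIPTIONS, RESOURCES)))
```

Each finding is a resource or subscription whose logs Vectra would not receive. Re-run the audit whenever subscriptions, resources or regions are added after the initial deployment.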

## 4. Wait 24 Hours

Even though Vectra's [automated deployment](https://docs.vectra.ai/deployment/cdr-for-azure/deployment/automated-deployment) is not being used when deploying CDR for Azure manually, if your manual deployment uses Azure policy to set diagnostic resources, the same concepts could still apply.

* When a new policy is put in place, Azure will initiate an automated compliance scan to determine which resources are not in compliance with the policies that were just put in place.
* There is no set amount of time required or easy way to determine if this scan has been completed.
* Vectra recommends **waiting for 24 hours** before continuing with this step to ensure that the scan has completed if you will be using remediation policies in your manual deployment to remediate any resources that are not compliant with policy.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FRqMbFfx7VDMfJ9Vqhma8%2Fimage.png?alt=media&#x26;token=83e13ef0-c5fd-442f-a79d-c063c7530917" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If you wish to be reminded via email when 24 hours have elapsed, please enter an email address and submit it as per the screenshot above.
{% endhint %}

**Example Reminder Email:**

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FFuKKfshjCZuNXZkoO8uu%2Fimage.png?alt=media&#x26;token=ca5fcaeb-2c1f-41c1-a16b-e73ef9220ccf" alt="" width="563"><figcaption></figcaption></figure>

## 5. Remediate Policies

{% hint style="warning" %}
Please ignore this step entirely in the UI for manual deployment. Vectra's remediation ARM template is NOT used when a customer chooses manual deployment.

Customers should still remediate any resources that aren't compliant if they use Azure policy for their manual deployment, but due to the nature of manual deployment, Vectra does not provide instructions for this.
{% endhint %}

## 6. Provide Log Location

* To complete the deployment in the Vectra UI, paste the `resourceGroupId` from [step 3](#id-3.-deploy-to-azure) earlier in the **Azure Log Location** field and click **Save and Complete Setup**.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fepp7S6iUCjgTKx4qK1se%2Fimage.png?alt=media&#x26;token=b2ac9fee-64f5-4161-b97c-ec8cb9012e17" alt=""><figcaption></figcaption></figure>

* You should see a **Setup complete, awaiting first logs** message and then a **Logs flowing** message once Vectra begins processing your logs.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-033078b6afd9bc227eb70946cb4307afe3c09dde%2Fcdr-for-azure-deployment-guide-26.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-7594da658aa5f3c424785b07cba447b1c2c13c49%2Fcdr-for-azure-deployment-guide-27.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-652ce9781d8db66e1a923fefadb2c66f546719c7%2Fcdr-for-azure-deployment-guide-28.png?alt=media)

{% hint style="success" %}
Congratulations, you have completed the manual deployment process. Additional detail can be seen by expanding the connection name or hovering over the status message.
{% endhint %}
