Hardening Azure Wiz Outpost

In this Wiz outpost blog post, we will explain the process of hardening Azure Wiz outpost and follow best practices.

Hardening Azure Wiz Outpost

Azure Wiz outposts allow organisations an extra layer of security by retaining Wiz’s scanning information inside a dedicated Azure subscription compared to sending the data to Wiz.

This post outlines industry best practices and recommends applying them to the Azure subscription your Azure outpost runs from.

Use a Dedicated Subscription

Wiz recommends running the Wiz Azure outpost under a dedicated Azure subscription. You should also run Azure commands from Azure Cloud Shell, not from a management machine.

Enable Microsoft Defender for Cloud

With Microsoft Defender for Cloud, Azure can scan and protect all the resources within the subscription, including the AKS cluster and containers that form the outpost. This will also reduce some of the alerts Wiz generates.

Enable auto-provisioning of Microsoft Monitoring Agent

If you enable auto-provisioning, Azure Monitoring Agent (MMA), Azure will install it automatically on every new VM provisioned inside the environment. The MMA scans for vulnerabilities, security events, and more.

Create Activity Log Alerts

Azure Monitoring is capable of generating alerts based on specific activities. Make sure you create a resource group dedicated to saving activity log alerts and configure the following alerts:

Condition Name	Alert Name
Create or Update Network Security Group (networkSecurityGroups)	Activity Log for creating or updating Network Security Groups
Delete Network Security Group (networkSecurityGroups)	Activity Log for deleting Network Security Groups
Create or Update Security Rule (networkSecurityGroups/securityRules)	Activity Log for creating or updating Network Security Group Rules
Delete Security Rule (networkSecurityGroups/securityRules)	Activity Log for deleting Network Security Group Rules
Create or Update Security Solutions (securitySolutions)	Activity Log for creating or updating Security Solutions
Update security policy (policies)	Activity Log for updating security policies
Delete Security Solutions (securitySolutions)	Activity Log for deleting Security Solutions
Create policy assignment (policyAssignments)	Activity Log for creating policy assignments
Delete policy assignment (policyAssignments)	Activity Log for deleting policy assignments
Create or Update Public Ip Address (publicIPAddresses)	Activity Log for creating or updating Public IP addresses
Delete Public Ip Address (publicIPAddresses)	Activity Log for deleting Public IP addresses
Create/Update server firewall rule (servers/firewallRules)	Activity Log for creating or updating server firewall rules
Delete server firewall rule (servers/firewallRules)	Activity Log for deleting server firewall rules

Once you create the alert, make sure they are integrated with Azure monitoring

Related Articles

• Maximizing Security: When to Use Wiz Outpost with Azure
• How to Deploy a Wiz Outpost to Microsoft Azure
• Wiz Security Deployment Services
• How to Use Microsoft Graph Security API
• Recover Deleted or Lost Exchange Online Emails to PST