Installation

• 1: Prerequisites
• 2: Pre-Configuration
• 3: Protect Service Installation
• 4: Snowflake Configuration
• 5: Policy Agent Installation
• 6: Audit Log Forwarder Installation
• 7:
• 8:

1 - Prerequisites

Azure Services

The following table describes the Azure services that may be part of your Protegrity installation.

All permissions in the table must be granted with the Resource group scope.

ESA Version Requirements

The Protector and Log Forwarder functions require a security policy from a compatible ESA version.

The table below shows compatibility between different Protector and ESA versions.

Prerequisites

Required Skills and Abilities

2 - Pre-Configuration

Resource Group

Identify or create a new Azure Resource Group where the Protegrity solution will be installed. It is recommended that a new Resource group is created. This can provide greater security controls and help avoid conflicts with other applications that might impact regional account limits. An individual with the Cloud Administrator role will be required for some of the subsequent installation steps.

Azure Subscription ID (AzureSubscriptionID): ____________________

Azure Resource Group ID (AzureResourceGroupID): ___________________

Region

Query the Azure region where Snowflake is running. This is the region where the product must be installed.

To determine the region:

1. Login to Snowflake

2. In the SQL console, run the following query.

   select current_region();
   

3. Record the Azure region (e.g. AZURE_EASTUS2).

   Snowflake Azure Region (AzureRegion): ___________________

Key Vault

Key Vault is required to store secrets and encrypt policy deployment package. Identify existing Key Vault or create new.

To create Key Vault:

1. From the Azure Console select Create a resource.

2. Navigate to Key Vault > Create.

3. Select a Resource group.

4. Enter a Key vault name.

5. Select a Region. For the best performance, use the same region for all resources.

6. Set the Pricing tier to Standard.

7. Under Access configuration, select Vault access policy as the Permission model.

8. Under Networking, ensure that Enable public access is selected.

9. Under Review + create, click Create.

10. Record Key Vault Name:

    Key Vault Name (PolicyKeyValue): ___________________

Function App Storage

Create Storage Account

Create a storage account to host Protegrity deployment packages provided in installation artifact bundle. Note that turning on the firewall or restricting access to selected virtual networks or IP address ranges will require additional configuration and is beyond the scope of this document.

To create Function App storage:

1. From the Azure Console select Create a resource.

2. Navigate to Storage account > Create.

3. Select the Resource group where the Protegrity solution will be deployed.

4. Enter a Storage account name.

5. Select the Region where the Protegrity solution will be deployed.

6. Set the Preferred storage type to Azure Blob Storage or Azure Data Lake Storage

7. Set the Primary workload to Cloud native

8. Setting for Performance should be set to Standard.

9. Setting for Redundancy should be set to Geo-redundant storage (GRS).

10. Continue to Advanced setup and verify Enable hierarchical namespace is unchecked

    Warning

    If Enable hierarchical namespace is checked, Policy Agent component will not be able to properly set the policy blob url, resulting in Protector error Policy is not available

11. Adjust the Networking and Data protection configurations according to your security requirements or use the default values.

12. Under Review + create, click Create.

13. Record the storage account name

    Storage Account Name (StorageAccountName): ____________________

14. Record the storage blob service URL. Navigate to created Storage Account, select Settings, Endpoints, record the value of Blob Service

    Storage Account Blob Service Url (StorageAccountBlobServiceUrl): ____________________

Upload Files

Create a deployment container using the Azure Blob Service.

1. Go Storage Account created in the previous step.

2. Under Data storage section, select Containers and click + Container .

3. Type in container name and click Create .

4. Upload the following installation artifacts to the container:

• protegrity-protect-azure-<version>.zip
• protegrity-agent-azure-<version>.zip

5. Record Protect function blob URL:

   Protect Function Blob URL (ProtectFuncURL): ____________________

6. Record Forward function blob URL. Both Protect and Forward functions use the same protegrity-protect-azure-<version>.zip distribution:

   Forward Function Blob URL (ForwardFuncURL): ____________________

7. Record Agent function blob URL:

   Agent Function Blob URL (AgentFuncURL): ____________________

Create Protect Function Policy Blob

Create a blob container for encrypted Protegrity security policy using Azure Blob Service. Agent will store encrypted policy in this container. Both Protect and Log Forwarder functions will load policy from this container.

1. Go Storage Account created in the previous step.

2. Under Data storage section, select Containers and click + Container .

3. Type in container name and click Create .

4. Right-click the container name, and select Container properties to obtain URL.

   Append the name of the policy file to the container URL, e.g, https://<your-storage-account>.blob.core.windows.net/<your-policy-container>/<your-policy-file-name>.zip. Record the blob url.

   Protect Function Policy Blob URL (ProtectFuncPolicyBlobUrl): ____________________

Create Agent Policy Blob Container

The Agent function uploads an encrypted policy zip package to a blob container which is used as a staging storage. Create the policy staging container

To prepare the policy blob container:

1. Under Storage account created in previous step, select Data storage > Containers and click + Container .

2. Type in a container name and click Create .

   Agent Policy Blob Container Name (AgentPolicyBlobContainer): ___________________

3 - Protect Service Installation

Preparation

1. Ensure that all the steps in Pre-Configuration are performed.

2. Login to the Azure account console where Protegrity will be installed.

3. Ensure the Azure Resource Manager templates provided by Protegrity are available on your local computer.

Register an Entra ID App

A Microsoft Entra ID App provides the mechanism for Client to authenticate with the Function App instance. Creating an Entra ID app requires appropriate permissions to the Azure Subscription and is typically performed by the Azure Account Administrator.

To register an Entra ID App:

1. In the Azure portal navigate to Microsoft Entra ID.

2. Click + Add and select App registration.

3. Enter a Name and select Accounts in any organizational directory.

4. Leave the Redirect URI empty and select Register.

5. After registration is complete record the application name and application id displayed in the overview window.

   Entra ID Application Name (EntraIDApplicationName): ___________________

   Entra ID Application ID (EntraIDApplicationID): ___________________

Protect Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

1. In the search box, enter Managed Identities. Under Services, select Managed Identities

2. Select Create

3. For Subscription provide recorded value of AzureSubscriptionID

4. For Resource Group provide recorded value of ApiResourceGroup

5. For Region provide recorded value of ApiRegion

6. For Name provide a name of the new identity

7. Assign following roles to this identity:

   • Storage Blob Data Owner
   • Monitoring Metrics Publisher
   • Azure Event Hubs Data Sender: required only if function is sending logs to ESA

8. Record Protect function user-assigned identity

   Protect Function User-Assigned Identity (ProtectFuncUserAssignedIdentity): ____________________

Install Protect Function via Azure Resource Manager

Resources created with the ARM template include API Management service, Function App, App Service Plan and Application Insights service.

To install protect function via Azure Resource Manager:

1. From Azure Console, select Create a resource, search for template then select Template deployment (deploy using custom templates) > Create.

2. Select Build your own template in the editor.

3. Click Load File and upload pty_protect_arm_v2.json, then click Save.

4. Select a Resource group.

5. Enter a Name for the resources. All resources will be prefixed with Protegrity-Protect except for log container which will be prefixed with ptylogs. For more information on naming rules see: Azure resource name rules.

6. For Location input specify Azure region name or leave default to deploy in the same region as resource group.

7. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Protect Function Blob Url.

8. For Protect Function Blob Url use the value from Upload Files.

9. For Function App Managed Identity Optionally use the value from Protect Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.

10. For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.

11. For Create Api Management Service select Do not create. API Management Service is required only for integration with Snowflake. This service is not required otherwise.

12. For Api Management Service Sku Applicable only when API Management Service is created. Skip this if API Management Service is not created. Either Consumption (if available) or Premium are recommended. Note that this will affect the running cost.

13. For Username Regex you can optionally specify regex to extract policy username from the request. See Configuring Regular Expression to Extract Policy Username for more details.

14. For Entra ID Application ID enter the value recorded in Register an Entra ID App.

15. For Forward Logs To ESA select whether audit logs are to be sent to ESA or not. If you are not planning on sending audit logs to ESA you can skip Event Hub Nameand Event Hub Namespace properties below. For details on creating and configuring Event Hubs see Audit Log Forwarder Installation

16. For Event Hub Name provide the name of Event Hub which will be used to send audit logs to ESA.

17. For Event Hub Namespace provide the name of Event Hub Namespace which is hosting Event Hub selected in previous step.

18. Under Review + create, click Create. Wait for all resources to deploy. If the deployment fails for any resources of type Microsoft.Web/sites/host/functionKeys then click Redeploy and try deploying again.

19. After deployment is complete, go to Outputs and record protectFunctionName, azureTenantId and apiGatewayUrl.

    Protect Function Name (ProtectFuncName): __________________

    Azure Tenant ID (AzureTenantID): __________________

    API Gateway URL (ApiGatewayURL): __________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Protect Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

1. Navigate to the function

2. Select Settings, Identity.

3. Confirm Status of system-assigned identity is already On on System Assigned tab

4. Click on Azure role assignments button.

5. Assign following roles to this identity:

   • Storage Blob Data Owner
   • Monitoring Metrics Publisher
   • Azure Event Hubs Data Sender: required only if function is sending logs to ESA

6. From Azure console, navigate to Function App and select protect function deployed in previous section.

7. Select Overview and click Restart button. Wait until function restart completes.

Update Key Vault Access Policies

The Key vault must be updated to allow the Function App to decrypt the policy files. Azure assigns a unique identifier to each Function App instance that can be used to grant permissions to that instance. Update the Key vault access policies with the Protect function. To update the key vault access policies:

Obtain Function App identifier

1. Navigate to the Function App service in the Azure portal.

2. Select the newly created Protect Function App instance.

3. Select the Identity option under Settings.

4. Ensure that setting System assigned is set to Status On.

5. Record the Object ID:

   Protect Function Object ID: ___________________

Update the Key vault access policies with the Protect function’s Object ID

1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
2. Select Access policies.
3. Click Create.
4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
5. Proceed Next to Principal.
6. Enter the Protect Function Object ID recorded in this section into the search field.
7. Select the Function App instance.
8. Proceed Next to Application and Next again to Review + Create.
9. Review permissions and Create.

Upload the Sample Policy

The Protegrity installation bundle contains a sample policy which can be used to test the protect service installation without an ESA. Upload the sample policy artifact to the policy Blob storage container:

1. Go to Azure console and select Storage Account Name (StorageAccountName) recorded in step Create Storage Account.

2. Under Data storage select Blob Containers and select container created in Protect Function Policy Blob Container

3. Click Upload and select protegrity-sample-policy-<version>.zip file from your local computer.

4. Click Upload and wait for the file to complete uploading.

5. Record the sample policy blob url:

   Sample Policy Blob Url (SamplePolicyBlobUrl): ___________________

Test the Protect Function Installation

Before continuing with next steps, you may verify the protect service is installed correctly. This step is optional and can be skipped.

1. From Azure console, navigate to Function App and select protect function app.

2. Select Overview and record URL value as <Protect Function URL>.

3. Navigate to Settings > Environment variables and click OPENID_ENABLED.

4. Change value to false and click Apply.

5. Select or create variable AZURE_POLICY_BLOB_URL.

6. Set value of AZURE_POLICY_BLOB_URL to value recorded for SamplePolicyBlobUrl and click Apply.

7. Select Apply and Confirm to finalize setting changes.

8. Go to Functions > App keys and record the value of default key under Host Keys (All function) as <Protect Function app key>.

9. Run the following CURL command to test Function deployment.

   curl -X POST "<Protect Function URL>/api/Protect" -k \
   -H 'sf-custom-X-Protegrity-HCoP-Rules: {"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}' \
   -H 'sf-context-current-user: test' \
   -H 'sf-external-function-current-query-id: test-id' \
   -H 'x-functions-key: <Protect Function app key>' \
   -H 'Content-Type: application/json' \
   -d '{
     "data": [
       ["0", "UtfVk UHgcD!"]
     ]
   }
   '
   

   Note: When you copy-paste the curl command, make sure each header is in a separate line.

10. Replace <Protect Function URL> and <Protect Function app key> with the values recorded in step 2 And 5.

11. Run curl command. Verify the following output.

    {"data":["hello world!"], "success": true, "encoding": "utf8"}
    

12. Go back to Function app. Select Settings > Environment variables and click OPENID_ENABLED,

13. Change value to true and click Apply. Select Apply and Confirm to finalize.

Add Access Restrictions to Protect Function

This step is only applicable when API Management is using any tier except for consumption. The Function App instance can be configured to restrict access to IP addresses used by the API Management instance.

Obtain Function App identifier

1. Navigate to the API Management services service in the Azure portal.

2. Select the newly created API Management instance.

3. Copy the Virtual IP (VIP) addresses.

   Virtual IP (VIP) addresses: ___________________

4. Navigate to the Function App service in the Azure portal.

5. Select the newly created Function App instance.

6. Under Settings > Networking.

7. Select Enabled with no access restrictions link under the section Inbound traffic configuration.

8. Click Add under Site access and rules section.

9. Change Name to API.

10. Ensure the Action is set to Allow.

11. Set Priority to 1.

12. Ensure the Type is IPv4.

13. Paste in the copied value and reformat as an IPv4 CIDR. For example “public: 169.254.169.254” becomes “169.254.169.254/32"

14. Click Add Rule.

15. If there are multiple IP addresses, repeat steps 8 through 14.

Troubleshooting

To review live requests, navigate to Application Insights service and select item with the same name as the protect function. Under Investigate, select Live Metrics. Wait for the dashboard to load, then go to Sample Telemetry pane on the right and look for the requests in question.

To review the full history of requests from Application Insights under Monitoring select Logs:

1. Select the Tables tab.
2. Hover over one of the table names under Application Insights header, for example exceptions.
3. Click on See preview data.
4. Click Use in editor.

You can also run the query directly in the query editor. For instance to select the 10 latest exceptions run the following query.

exceptions 
| where timestamp > ago(24h)
| order by timestamp
| limit 10

Protect Function App Configuration

Protect Function app can be customized using environment variables. From Azure console, navigate to Function App service and select protect function app. Navigate to Settings > Environment variables. Add or Edit environment variables based on the following information.

4 - Snowflake Configuration

The following sections will configure Snowflake to access the API Gateway.

Login to Snowflake as ACCOUNTADMIN

Ensure that the current user can assume the Account Administrator role. This role must be created.

Create the Snowflake API Integration Object

Create Snowflake integration object to allow invoking Protegrity Function App from Snowflake.

1. From the Snowflake console worksheet, select the role ACCOUNTADMIN.

2. Paste the DDL test below.

3. Replace <Azure Tenant ID> and <API Gateway URL> with Azure Tenant ID and API Gateway URL from Install Protect Function via Azure Resource Manager.

4. Replace <Entra ID Application ID> with Entra ID Application ID from Register an Entra ID App.

5. Run DDL

   create or replace api integration protegrity_api
     api_provider = azure_api_management
     azure_tenant_id = '<Azure Tenant ID>'
     azure_ad_application_id = '<Entra ID Application ID>'
     enabled = true
     api_allowed_prefixes = ('<API Gateway URL>');
   

   Note

   The name of the object protegrity_api can be replaced with a name of your choice, however the name you choose must be used consistently throughout the installations below.

Link Snowflake to Active Directory

Snowflake will create an application that must be linked to Azure Active Directory giving it permission to access the API Management and Function App instances. Information about this integration should be retrieved from the Snowflake instance.

To link Snowflake to AD:

1. Run the following query in the console.

   DESCRIBE API INTEGRATION protegrity_api;
   

2. Record the following output values from the resulting query:

   • Azure Multi-Tenant App Name: ___________________
   • Azure Consent URL: ___________________

3. An Azure Account Administrator is required for the remaining steps to grant the Snowflake application access to the Azure Active Directory.

4. Open the Azure Consent URL in a web browser.

5. If redirected to the Snowflake website, then skip to step 9.

6. If prompted to login then enter the credentials of an Azure user or administrator.

7. Click Accept to grant Snowflake access to the Azure account.

8. Additional instructions may be shown if the current user is not authorized to add the Snowflake application.

9. Navigate to the Enterprise applications service within the Azure portal.

10. Select the application that matches the Azure Multi-Tenant App Name.

    Note

    If you do not find an exact match for the AZURE_MULTI_TENANT_APP_NAME, then search again using only the first several characters of this name (if the name contains an underscore, then do not include the underscore or any characters after the underscore)

11. Record the Application ID below.

    Azure Multi-Tenant App ID: ___________________

Update API policies

To update API policies:

1. Navigate to API Management services in the Azure portal.

2. Select the instance created previously.

3. Select the APIs option under APIs.

4. Select All APIs.

5. Click the </> icon next to Policies under Inbound processing.

6. Add the <required-claims> using the example below replacing <Azure Tenant ID>, <Entra ID Application ID>, and <Azure Multi-Tenant App ID> with values recorded in earlier steps.

   <policies>
       <inbound>
           <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
               <openid-config url="https://login.microsoftonline.com/<Azure Tenant ID>/.well-known/openid-configuration" />
               <required-claims>
                   <claim name="aud" match="all">
                       <value><Entra ID Application ID></value>
                   </claim>
                   <claim name="appid" match="all">
                       <value><Azure Multi-Tenant App ID></value>
                   </claim>
               </required-claims>
           </validate-jwt>
       </inbound>
       <backend>
           <forward-request timeout="30" fail-on-error-status-code="true" />
       </backend>
       <outbound></outbound>
       <on-error>
       </on-error>
   </policies>
   

7. Click Save.

Update API Management Backend Function Key

API management allows specifying function key in the request to function app backend.

To update API function key:

1. From Azure console, navigate to Function App and select protect function app.

2. Go to Functions > App keys and record the value of default key under Host Keys (All functions) as <Protect Function app key>.

3. From the API management view, select the Backends option under APIs.

4. Select backend1.

5. Select the Authorization credentials option under Settings.

6. Under Headers locate the x-functions-key header.

7. For x-functions-key Value use the <Protect Function app key> recorded in step above.

8. Click Save.

Update Function App Configuration

The Function App configuration can be updated to verify that the request is coming from Snowflake.

To update Function App configuration:

1. Navigate to the Function App service in the Azure Portal and select the Protegrity-Protect-<name> item (there may be more than one).

2. Navigate to Settings > Environment variables.

3. Click Add.

4. Enter OPENID_APPID in the Name field.

5. Enter the value for Azure Multi-Tenant App ID in the Value field.

6. Click Apply then Apply and Confirm to finalize.

7. Repeat the above steps if there are multiple Function Apps.

Test Connectivity

Verify connectivity from Snowflake to Protect Function app.

1. Access the Snowflake SQL console.

2. Copy and paste the following snippet into a worksheet.

   CREATE OR REPLACE SECURE EXTERNAL FUNCTION PTY_UNPROTECT_SAMPLE_POLICY(VAL VARCHAR)
       RETURNS VARCHAR(16777216)
       IMMUTABLE
       API_INTEGRATION = PROTEGRITY_API
       HEADERS = (
         'X-Protegrity-HCoP-Rules'=
         '{"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}'
       )
       CONTEXT_HEADERS = (CURRENT_USER,CURRENT_TIMESTAMP,CURRENT_ACCOUNT)
       COMMENT='Unprotects text using an alpha token type.'
       AS '<API Gateway URL>/api/Protect';
   

3. Replace the placeholder value indicated substituting your API Gateway URL captured in Install Protect Function via Azure Resource Manager

4. Run the following protect in the console:

   select pty_unprotect_sample_policy('UtfVk UHgcD!');
   

Troubleshooting

To review live requests, navigate to Application Insights service and select item with the same name as the protect function. Under Investigate, select Live Metrics. Wait for the dashboard to load, then go to Sample Telemetry pane on the right and look for the requests in question.

To review the full history of requests from Application Insights under Monitoring select Logs:

1. Select the Tables tab.
2. Hover over one of the table names under Application Insights header, for example exceptions.
3. Click on See preview data.
4. Click Use in editor.

You can also run the query directly in the query editor. For instance to select the 10 latest exceptions run the following query.

exceptions 
| where timestamp > ago(24h)
| order by timestamp
| limit 10

For more helpful platform-specific symptoms, refer to the Snowflake documentation: Platform Specific Symptoms

5 - Policy Agent Installation

Policy Agent Function installation is done via Azure Resource Manager template provided by Protegrity. Before running the template, some resources must be created manually.

ESA Server

Policy Agent function requires ESA server running and accessible from Agent Function App on TCP port 8443. Make sure inbound connections on TCP:8443 are allowed for the network where ESA is hosted. You can find the list of Agent Function Outbound IP addresses after you deploy the function in Agent Function Outbound IP address

Note down ESA IP to be accessed form Agent Function:

ESA IP Address (EsaIpAddress): ___________________

Certificates on ESA

By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in policy agent Cloud Function Environment variables configuration.

In case ESA is configured with publicly signed certificates, this section can be skipped since the agent function will use public CA to validate ESA certificates.

To obtain self-signed CA certificate from ESA:

1. Log in to ESA Web UI.

2. Select Settings > Network > Manage Certificates.

3. Hover over Server Certificate and click on download icon to download the CA certificate.

4. After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.

   To escape new lines from command line, use one of the following commands depending on your operating system:

   Linux Bash:

   awk 'NF {printf "%s\\n",$0;}' ProtegrityCA.pem > output.txt
   

   Windows PowerShell:

   (Get-Content '.\ProtegrityCA.pem') -join '\n' | Set-Content 'output.txt'
   

5. Record the certificate content with new lines escaped.

   ESA CA Server Certificate (EsaCaCert): ___________________

   This value will be used to set PTY_ESA_CA_SERVER_CERT variable in the Policy Agent Function Configuration section Configure Function

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

Create Policy Encryption Key

Create a policy encryption key.

To create policy encryption key:

1. From Azure console, navigate to Key Vaults and select Key Vault created in Key Vault.

2. Under Objects, select Keys.

3. Click Generate/Import.

4. Specify the following:

   a. Key name for the Name field.

   b. RSA for Key type.

   c. 2048 for RSA key size.

   d. Set Enabled toggle to Yes.

5. Select Create.

6. Click on the key name after creation is complete, then click on the key identifier row under CURRENT VERSION.

7. Copy the full URL value of Key Identifier. Record it for later use:

   Policy Encryption Key ID (PolicyEncryptionKey): _________________

Agent Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

1. In the search box, enter Managed Identities. Under Services, select Managed Identities

2. Select Create

3. For Subscription provide recorded value of AzureSubscriptionID

4. For Resource Group provide recorded value of ApiResourceGroup

5. For Region provide recorded value of ApiRegion

6. For Name provide a name of the new identity

7. Assign following roles to this identity:

   • Storage Blob Data Owner with scope Storage account
   • Monitoring Metrics Publisher with scope Resource Group
   • Website Contributor with scope Resource Group

8. Record Agent function user-assigned identity

   Agent Function User-Assigned Identity (AgentFuncUserAssignedIdentity): ____________________

Install Agent via ARM template

Resources created with ARM template include Function App, Premium V3 App Service Plan (optional) and Application Insights service. Run Azure Resource Manager deployment.

To install Agent via ARM template:

1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

2. Select Build your own template in editor.

3. Select Load File and upload pty_agent_arm_v2.json. Click Save.

4. Select Resource Group.

5. Specify Name for the resources (All resources will be prefixed with Protegrity-Agent).

6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

7. For Agent Function Blob Url use the value from Upload Files

8. For Function App Managed Identity Optionally use the value from Agent Function User-Assigned Managed Identity. If value is not given, a system-assigned managed identity will be enabled.

9. If you set Use Existing App Service Plan to True, you must specify existing Linux App Service Plan name in the next parameter.

10. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Agent Function Blob Url.

11. Select Review + create then Create. Wait for all resources to deploy

12. After deployment is complete, go to Outputs and record agentFunctionName:

    Agent Function Name: __________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Agent Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

1. Navigate to the function

2. Select Settings, Identity.

3. Confirm Status of system-assigned identity is already On on System Assigned tab

4. Click on Azure role assignments button.

5. Assign following roles to this identity:

   • Storage Blob Data Owner with scope Storage account
   • Monitoring Metrics Publisher with scope Resource Group
   • Website Contributor with scope Resource Group

Creating ESA Credentials

Policy Agent Function requires ESA credentials to be provided as one of the two options:

• ESA credentials stored as secrets in Azure Key Vault
• ESA credentials provided by a custom Azure Function App )

ESA Credentials In Azure Key Vault

Policy Agent Function uses Key Vault as secure store for sensitive information like ESA username and password.

Create ESA credentials secrets:

1. Navigate to Key Vault.

2. Under Objects, select Secrets > Generate/import.

3. Select Manual, then type in valid json as shown in the example for Secret value.

   {"username": "<policy_export_user>", "password": "<password>"}
   

4. Select Create.

5. Navigate to the secret details in Key Vault by selecting the newly created secret.

6. Inspect the current secret version properties by selecting the current version.

7. Copy the Secret Identifier value. For example https://<myvault>.vault.azure.net/secrets/<mysecret>/abcdefgxyz8edef595adaehij0d99123.

8. Record the Secret Identifier for later use.

ESA Credentials From Custom Azure Function App

Policy Agent Function requests ESA username and password from a custom Azure Function App, further referred to as ESA Credentials function. This method may be used to get the username and password from external vaults.

There are four options for configuring Policy Agent authorization with ESA Credentials function: Option 1, Option 2, Option 3 and Option 4. Only one option is expected to be configured at a time.

Create ESA credentials function:

1. Create Azure HTTP triggered ESA Credentials function using any supported runtime.

   a. There is no input needed.

   b. The function must accept an HTTP POST request.

   c. The function must return the following response schema

   ```
   response: 
   type: json object
     properties: 
       username: string 
       password: string  
   ```
   
   For example,
   
   ```
   {"username": "admin", "password": "Password1234"} 
   ```
   

2. Configure Policy Agent to use ESA Credentials function app.

   a. Navigate to HTTP triggered function to open ‘Code + Test’ page.

   b. Under ‘Code + Test’ tab on ‘Code + Test’ page select ‘Resource JSON’.

   c. In ‘Resource JSON’ blade record the value of ‘invoke_url_template’ property.

   **'invoke_url_template'** property is located towards the bottom of resource json.
   
   URL must be in the form of 'https://[function-app-name].azurewebsites.[net|us]/api/[http-trigger-name]'.
   
   **ESA Credentials function URL (EsaCredentialsFnUrl):__________**
   

   d. Navigate to Policy Agent function app.

   e. Expand Settings menu item.

   f. Select Environment Variables menu item.

   g. Click Add button.

   h. For Name use PTY_ESA_CREDENTIALS_FUNCTION.

   i. For Value use ESA Credentials function URL (EsaCredentialsFnUrl) recorded in previous steps.

   j. Hit Apply in Add/Edit application setting blade.

   k. Hit Apply in App Settings tab.

3. Configure Authorization Option 1: Function Key Option 2: Key Vault Option 3: System-assigned Identity Option 4: User-assigned Identity

Authorization Option 1: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from environment variables.

1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

   Review Azure documentation on how to accomplish this.

2. Navigate to ESA Credentials function app.

3. Expand Functions menu item.

4. Select App Keys.

5. Record default key value.

   ESA Credentials function key (EsaCredentialsFnKey):_______________

6. Navigate to Policy Agent function app.

7. Expand Settings menu item.

8. Select Environment Variables menu item.

9. Click Add button.

10. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY.

11. For Value use ESA Credentials function key (EsaCredentialsFnKey) recorded in previous steps.

12. Hit Apply in Add/Edit application setting blade.

13. Hit Apply in App Settings tab.

Authorization Option 2: Configure Policy Agent to access ESA Credentials function using ESA Credentials function key from Azure Key Vault.

1. Configure HTTP trigger of ESA Credentials function with authentication level FUNCTION.

   Review Azure documentation on how to accomplish this.

2. Navigate to ESA Credentials function app.

3. Expand Functions menu item.

4. Select App Keys.

5. Record default key value.

   ESA Credentials function key (EsaCredentialsFnKey):_______________

6. Navigate to Key Vault.

7. Under Objects, select Secrets > Generate/import.

8. Select Manual, type in secret name and use ESA Credentials function key value recorded in previous steps (EsaCredentialsFnKey) for Secret value.

9. Select Create.

10. Record Key Vault secret name.

    ESA Credentials function key secret name (EsaCredentialsFnKeySecretName):_______________

11. Navigate to Policy Agent function app.

12. Expand Settings menu item.

13. Select Environment Variables menu item.

14. Click Add button.

15. For Name use PTY_ESA_CREDENTIALS_FUNCTION_KEY_SECRET.

16. For Value use ESA Credentials function key secret name (EsaCredentialsFnKeySecretName) recorded in previous steps.

17. Hit Apply in Add/Edit application setting blade.

18. Hit Apply in App Settings tab.

Authorization Option 3: Configure ESA Credentials authentication provider to authorize Policy Agent system-assigned identity.

1. Navigate to Policy Agent function app

2. Expand Settings menu item

3. Select Identity

4. Select System assigned tab

5. Status should already be On

   Other Status indicates Policy Agent was installed without system-assigned identity. Before proceeding any further you need to either install Policy Agent with system-assigned identity or follow Option 4 which describes configuration steps for Policy Agent installed with user-assigned managed identity.

6. Copy Object (principal) ID

7. Navigate to ESA Credentials function app

8. Expand Settings menu item

9. Select Authentication

10. Select Add identity provider

    Review related Microsoft documentation

11. Select Microsoft in identity provider dropdown

12. For App registration type provide details of your choice

13. For Issuer URL accept the default value

14. For Client application requirement select Allow requests from any application

    Access will be limited to only the Policy Agent identity in the next step

15. For Identity requirement select Allow requests from specific identities

16. For Allowed identities add Object (principal) ID copied in previous step

17. For Restrict access select Require authentication

18. For Unauthenticated requests select HTTP 401 Unauthorized: recommended for APIs

19. Check Token store

20. Select Add

21. Click OK to apply constraint

22. Click Save

23. Navigate to Application of Microsoft identity provider

    A link to identity providers application is available under Authentication menu item of ESA Credentials function

24. Expand Manage menu item

25. Select Expose an API

26. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

27. Record Application ID URI of identity provider

    ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

28. Navigate to Policy Agent function app.

29. Expand Settings menu item.

30. Select Environment Variables menu item.

31. Click Add button.

32. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

33. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

    Review Microsoft identity platform default scope

34. Hit Apply in Add/Edit application setting blade.

35. Hit Apply in App Settings tab.

Authorization Option 4: Configure ESA Credentials authentication provider to authorize Policy Agent user-assigned identity.

1. Navigate to Policy Agent function app

2. Expand Settings menu item

3. Select Identity

4. Select User assigned tab

   User-assigned identity should already be provided. Missing user-assigned identity indicates Policy Agent was installed without user-assigned identity. Before proceeding any further you need to either install Policy Agent with user-assigned identity or follow Option 3 which describes configuration steps for Policy Agent installed with system-assigned managed identity.

5. Copy Client ID

6. Copy Object (principal) ID

7. Navigate to ESA Credentials function app

8. Expand Settings menu item

9. Select Authentication

10. Select Add identity provider

    Review related Microsoft documentation

11. Select Microsoft in identity provider dropdown

12. For App registration type provide details of your choice

13. For Issuer URL accept the default value

14. For Client application requirement select Allow requests from specific client applications

15. For Allowed client applications add Client ID copied in previous step

16. Click OK to apply constraint

17. For Identity requirement select Allow requests from specific identities

18. For Allowed identities add Object (principal) ID copied in previous step

19. Click OK to apply constraint

20. Click Save

21. Navigate to Application of Microsoft identity provider

    A link to identity providers application is available under Authentication menu item of ESA Credentials function

22. Expand Manage menu item

23. Select Expose an API

24. Copy Application ID URI or select Add if it does not exist and Save to accept the default value

25. Record Application ID URI of identity provider

    ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri):_______________

26. Navigate to Policy Agent function app.

27. Expand Settings menu item.

28. Select Environment Variables menu item.

29. Click Add button.

30. For Name use PTY_ESA_CREDENTIALS_FUNCTION_SCOPE.

31. For Value use ESA Credentials function Application ID URI (EsaCredentialsFnAppIdUri) recorded in previous steps appended with /.default

    Review Microsoft identity platform default scope

32. Hit Apply in Add/Edit application setting blade.

33. Hit Apply in App Settings tab.

Agent Function Key Vault Access Policies

Agent Function requires access to Key Vault created in Key Vault to encrypt policy and to access configuration secrets.

1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
2. Select Access policies.
3. Click Create.
4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Wrap Key under Cryptographic Operations. c. Get under Secret Permissions.
5. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Agent Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Agent via ARM template
6. Proceed Next to Application and Next again to Review + Create.
7. Review permissions and Create.

Agent Function Outbound IP address

Agent Function App IP addresses may be useful for configuring ESA policy store and allowing traffic between Agent and ESA.

To obtain the list of Outbound IP addresses:

1. From Azure console navigate to Function App, select the Agent Function App.
2. Select Settings > Networking.
3. Under Outbound traffic configuration, select Show More next to Outbound addresses

Configure Function

Agent Function must be configured with parameters recorded in steps above.

To configure Function:

1. Open Function App service from the Azure console. Select the Function App created for policy agent in previous steps.

2. Navigate to Settings > Environment variables .

3. On the App Settings pane, click on Show values to reveal all configuration values

4. To modify multiple parameters, click the pencil icon Advanced edit at the top. Alternatively you may click on the environment variable name to edit single values.

5. Modify parameters according to the table below. If configuration has a default value you don’t have to change it

Protegrity-Protect-func1,Protegrity-Protect-func2

6. Click Apply at the bottom of the screen and then Confirm to save the changes.

Test Agent Function Installation

After configuration is complete you can test the function.

To test Agent function installation:

1. Navigate to Overview.

2. Select the function agent from the Functions tab.

3. Click Code + Test > Test/Run and then Run to execute the function.

4. You should see a 202 Accepted response.

5. Expand Logs output at the bottom of the page. Click Maximize to enlarge log output.

   Note

   It may take 1-2 minutes for the logs to begin populating in the console. Logging in the console is best effort and it is possible for the logs to be cut off. Navigate to Application Insights for full logs.

6. Below is an example log output from successful agent run.

   
   INFO:AZURE_SUBSCRIPTION_ID: [xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
   INFO:AZURE_KEY_VAULT_NAME: [vault-name]
   INFO:AZURE_ENCRYPTION_KEY_ID: [https://vault-name.vault.azure.net/keys/key-name/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
   INFO:AZURE_RESOURCE_GROUP_NAME: [resource-group-name]
   INFO:AZURE_POLICY_BLOB_URL: [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip]
   INFO:AZURE_RETAIN_POLICY_BLOB: [3]
   INFO:PROTEGRITY_PROTECT_FUNCTION: [Protegrity-Protect-xxxx]
   INFO:DISABLE_DEPLOY: [0]
   INFO:PTY_ESA_IP: [xxx.xxx.xxx.xxx]
   INFO:PTY_SYNC_DATASTORE: []
   INFO:POLICY_PULL_TIMEOUT: [40]
   INFO:LOG_LEVEL: [info]
   INFO:PTY_CORE_EMPTYSTRING: [empty]
   INFO:PTY_CORE_CASESENSITIVE: [no]
   INFO:PTY_ADDIPADDRESSHEADER: [yes]
   INFO:Starting policy agent [4.0.3] ...
   INFO:ESA_CONNECTION_TIMEOUT: [60]
   INFO:Using ESA CA certificate from PTY_ESA_CA_SERVER_CERT environment variable.
   INFO:ResilientPackageClient initialized.
   INFO:Retrieving ESA rps version
   INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[]
   INFO:RPS Version: 1.9.2, Build: 1.9.2+1.g4bfba.1.9
   INFO:Checking ESA rps export availability
   INFO:Resilient package correlation_id=[xxxxxxxxxxxxxxxxxxxxxxxxx] datastore=[QA_DATA_STORE]
   INFO:Export available, Last-Modified: [Thu, 01 Jan 2026 00:00:00 GMT]
   INFO:Getting current policy metadata [https://resource-group-name.blob.core.windows.net/policy/protegrity-policy-name.zip] ...
   INFO:Last modified: [Thu, 01 Jan 2026 00:00:00 GMT], Last deployed: [Thu, 01 Jan 2026 00:00:00 GMT]
   WARNING:Current policy deployment has no checksum_mapping metadata:
   INFO:No changes in the policy since last download. Skipping policy deployment.
   INFO:Checking container for the last deployed policy [https://resource-group-name.blob.core.windows.net/policy]...
   INFO:[Protegrity-Protect-xxxx] current policy blob url: [https://resource-group-name.blob.core.windows.net/policy/2026-02-01_18-00-00/protegrity-policy-name.zip]
   INFO:Policy blob in sync for function [Protegrity-Protect-xxxx]
   INFO:[0] blobs are outside of the retention period [3]
   

7. If the log output in this window pauses or is difficult to read, you may navigate back to the Agent Function App overview and select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to view logs.

Troubleshooting

To review the most recent invocation traces, navigate to the function app instance. Select Monitoring > Logs from the menu on the left. Run the query traces in the query editor to retrieve the full history of executions with detailed traces.

6 - Audit Log Forwarder Installation

The following sections provide installation steps for the Log Forwarder component in Azure. The Log Forwarder deployment allows for the audit logs generated by Protect Service to be delivered to ESA for auditing and governance purposes. Log Forwarder component is optional and is not required for the Protect Service to work properly. See Audit Log Forwarder Architecture for more information. Some of the installation steps are not required for the operation of the software but recommended for establishing a secure environment. Contact Protegrity for further guidance on configuration alternatives in the cloud.

ESA Audit Store Configuration

ESA server is required as the recipient of audit logs. Verify the information below to ensure ESA is accessible and configured properly.

1. ESA server running and accessible on TCP port 9200 (Audit Store) or 24284 (td-agent).

2. Audit Store service is configured and running on ESA. Applies when audit logs are output to Audit Store directly or through td-agent. For information related to ESA Audit Store configuration, refer to Audit Store Guide.

3. (Optional) td-agent is configured for external input. For more information related to td-agent configuration, refer to ESA guide Sending logs to an external security information and event management (SIEM).

Certificates on ESA

By default, ESA is configured with self-signed certificates, which can only be validated using self-signed CA certificate supplied in Log Forwarder configuration.

In case ESA is configured with publicly signed certificates, this section can be skipped since the Log Forwarder will use public CA to validate ESA certificates.

To obtain self-signed CA certificate from ESA:

1. Download ESA CA certificate from the /etc/ksa/certificates/plug directory of the ESA

2. After certificate is downloaded, open the PEM file in text editor and replace all new lines with escaped new line: \n.

   To escape new lines from command line, use one of the following commands depending on your operating system:

   Linux Bash:

   awk 'NF {printf "%s\\n",$0;}' CA.pem > output.txt
   

   Windows PowerShell:

   (Get-Content '.\CA.pem') -join '\n' | Set-Content 'output.txt'
   

3. Record the certificate content with new lines escaped.

   ESA CA Server Certificate (EsaCaCert): ___________________

   This value will be used to set PTY_ESA_CA_SERVER_CERT Log Forwarder variable in section Install Log Forwarder via ARM template

For more information about ESA certificate management refer to Certificate Management Guide in ESA documentation.

ESA Authentication

Audit Log Forwarder must authenticate with ESA using certificate-based authentication with client certificate and certificate key. Download the following certificates from the /etc/ksa/certificates/plug directory of the ESA:

• client.key
• client.pem

Both certificate and certificate key must be converted to single-line values using code similar to the following examples.

Client certificate (client.pem):

• Powershell
• Bash

$folder = 'C:\Temp'
cd $folder
(Get-Content "$folder\client.pem") -join '\n' | Set-Content "$folder\one-liner-client.pem"
cat "$folder\one-liner-client.pem"

folder="/tmp"
cd "$folder"
awk 'NF {printf "%s\\n",$0}' "client.pem" > "one-liner-client.pem"
cat "one-liner-client.pem"

Client certificate key (client.key):

• Powershell
• Bash

$folder = 'C:\Temp'
cd $folder
(Get-Content "$folder\client.key") -join '\n' | Set-Content "$folder\one-liner-client.key"
cat "$folder\one-liner-client.key"

folder="/tmp"
cd "$folder"
awk 'NF {printf "%s\\n",$0}' "client.key" > "one-liner-client.key"
cat "one-liner-client.key"

There are two options to configure Log Forwarder for certificate authentication:

• While installing using ARM template
  1. Provide single-line client certificate for Esa Client Cert
  2. Provide Azure Key Vault secret name for Esa Client Cert Key Secret Name which stores single-line certificate key file.
• When re-configuring after installation using environment variables
  1. Provide single-line client certificate for ESA_CLIENT_CERT
  2. Provide Azure Key Vault secret name for ESA_CLIENT_CERT_KEY_SECRET_NAME which stores single-line certificate key file.

Create Key Vault Secrets

Log Forwarder uses Key Vault as a secure store for certificate key file.

Create secret in Key Vault for certificate key file:

1. Navigate to Key Vault.

2. Under Objects, select Secrets > Generate/import.

3. Select Manual, type in secret name and specify single-line certificate key file value for Secret value.

4. Select Create.

5. Record secret name:

   ESA Client Cert Key Secret Name (EsaClientCertKeySecretName): ___________________

Function User-Assigned Managed Identity

User-assigned Azure managed identities are optional. If a user-assigned identity is not provided, a system-assigned managed identity will be enabled the function. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

1. In the search box, enter Managed Identities. Under Services, select Managed Identities

2. Select Create

3. For Subscription provide recorded value of AzureSubscriptionID

4. For Resource Group provide recorded value of ApiResourceGroup

5. For Region provide recorded value of ApiRegion

6. For Name provide a name of the new identity

7. Assign following roles to this identity:

   • Storage Blob Data Owner
   • Monitoring Metrics Publisher
   • Azure Event Hubs Data Receiver

8. Record Forward function user-assigned identity

   Forward Function User-Assigned Identity (ForwardFuncUserAssignedIdentity): ____________________

Install Log Forwarder via ARM template

Resources created with ARM template include Function App, App Service Plan and Application Insights service. Optionally, a new Event Hub namespace and Event Hub instance can be created.

To install Log Forwarder via ARM template:

1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

2. Select Build your own template in editor.

3. Select Load File and upload pty_forward_arm_v2.json. Click Save.

4. Select Resource Group.

5. Specify Name for the resources (All resources will be prefixed with Protegrity-Forward).

6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

7. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Forward Function Blob Url.

8. For Forward Function Blob Url use the value from Upload Files.

9. For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.

10. For Function Sku Count Minimum number of workers to keep active.

11. For WorkSpace Sku Azure Monitor log analytics pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

12. For Log Retention In Days The workSpace data retention in days. Allowed values are per pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

13. For Forward Logs to ESA select whether to collect audit logs from a new or an existing Event Hub. A new Event Hub namespace and new Event Hub instance will be created for ‘From new Event Hub’ option.

14. For Audit Log Output select whether to send logs directly to Audit Store or td-agent on ESA

15. For Event Hub Namespace enter Event Hub namespace name. Depending on previous option, a new namespace with this name will be created or an existing namespace with this name will be used.

16. For New Event Hub Namespace Sku Name select Event Hub namespace SKU name. Applicable only when ‘From new Event Hub’ is selected.

17. For New Event Hub Namespace Sku Tier select Event Hub namespace SKU Tier used for new Event Hub namespace. Applicable only when ‘From new Event Hub’ is selected.

18. For New Event Hub Namespace Sku Capacity enter a value of Event Hub throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. Applicable only when ‘From new Event Hub’ is selected.

19. For Event Hub Name enter Event Hub instance name. A new Event Hub instance with this name will be created or an existing Event Hub instance with this name will be used.

20. For Event Hub Name DLQ enter Event Hub name for the dead-letter queue, where messages will be delivered to in case connection to ESA is lost. A new Event Hub instance with this name will be created or an existing Event Hub with this name will be used.

21. For New Event Hub Partition Count enter number of partitions to create in a new Event Hub. Allowed values are from 1 to 32 partitions. Applicable only when ‘From new Event Hub’ is selected.

22. For New Event Hub Audit Log Retention In Days enter number of days audit logs will be available in Event Hub. Applies to both primary Event Hub and dead-letter queue Event Hub. Applicable only when ‘From new Event Hub’ is selected.

23. For Log Destination Esa Ip enter ESA IP address.

24. For Esa Client Cert enter single-line ESA client certificate. See section Certificate Authentication for details.

25. For Esa Client Cert Key Secret Name enter secret name which stores ESA client certificate single-line private key. See section Certificate Authentication for details.

26. For Key Vault Uri enter URI of the Key Vault that stores ESA username/password secrets.

27. For Esa Tls Disable Cert Verify Set to ‘0’ to enable ESA certificate validation. Set to ‘1’ to disable ESA certificate verification. Disable only for initial setup and development purposes, do not disable in production environments.

28. If ESA is configured with self-signed certificate, set Pty Esa Ca Server Cert. Use the ESA CA Server Certificate escaped content recorded in Certificates on ESA.

    Note that for development and troubleshooting purposes, ESA certificate validation can be disabled by either redeploying this function with this ARM template where Esa Tls Disable Cert Verify option is set to ‘1’ or by directly setting PTY_ESA_DISABLE_TLS_CERT_VERIFY environment variable to ‘1’.

29. For Esa Connect Timeout set time in seconds to wait for the ESA connection response. Minimum value: 1. Default: 5.

30. For Esa Virtual Host provide ESA virtual hostname. This configuration is optional. It can be used when proxy server is present and supports TLS SNI extension.

31. For Min Log Level select minimum log level. Accepted values: off, severe, warning, info, config, all

32. Select Review + create then Create. Wait for all resources to deploy

After deployment is complete:

1. Go to Outputs and record:

   Forward Function Name (ForwardFuncName):__________________

2. Record:

   Event Hub Name (EventHubName):__________________

   Event Hub Namespace (EventHubNamespace):__________________

Function System-Assigned Managed Identity

System-assigned Azure managed identity is enabled if user-assigned managed identity is not used. User-assigned managed identities offer less frequent updates to Azure resources and allow for configuration of permissions ahead of function creation.

If you have not created a user-assigned managed identity at Function User-Assigned Managed Identity, setup following role assignments for system-assigned managed identity:

1. Navigate to the function

2. Select Settings, Identity.

3. Confirm Status of system-assigned identity is already On on System Assigned tab

4. Click on Azure role assignments button.

5. Assign following roles to this identity:

   • Storage Blob Data Owner
   • Monitoring Metrics Publisher
   • Azure Event Hubs Data Receiver

6. From Azure console, navigate to Function App and select audit log forwarder function deployed in previous section.

7. Select Overview and click Restart button. Wait until function restart completes.

Update Function Key Vault Access Policies

The Key vault must be updated to allow the Function App to decrypt the policy files. The Forwarder is using policy to confirm the authenticity of audit logs it receives from Event Hub and to digitally sign the aggregated logs that it sends to ESA. Update the Key vault access policies with function identity. To update the key vault access policies:

1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
2. Select Access policies.
3. Click Create.
4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
5. Proceed Next to Principal.
6. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Log Forwarder via ARM template
7. Proceed Next to Application and Next again to Review + Create.
8. Review permissions and Create.

Test Log Forwarder Installation

Follow the steps to validate Log Forwarder installation. Successful Log Forwarder installation will aggregate logs, connect to ESA and send audit log events.

Testing in this section validates the connectivity between Log Forwarder and ESA. The sample policy included with the initial installation and test event below are not based on your ESA policy. Any logs forwarded to ESA which are not signed with a policy generated by your ESA will not be added to the audit store.

Install Log Forwarder and configure according to previous sections. Log Forwarder configuration MinLogLevel must be at least info level.

1. In the following command, replace ‘forwarder-function-name’ with your function name

2. In the following command, replace ‘forwarder-function-key’ with your function key

3. Run the command in PowerShell:

   
   $forwarderFunctionName='forwarder-function-name'
   $forwarderFunctionKey='forwarder-function-key'
   
   Invoke-WebRequest -UseBasicParsing -Uri "https://$forwarderFunctionName.azurewebsites.net/admin/functions/auditlogforwarder" `
   -Method POST `
   -Headers @{
     "x-functions-key" = $forwarderFunctionKey
   } `
   -ContentType "application/json" `
   -Body "{`"input`":`"{\`"additional_info\`":{\`"description\`":\`"Data unprotect operation was successful.\`",\`"request_id\`":\`"f0ffbbf8-ab5b-42b7-90f4-51db7443af77\`"},\`"cnt\`": 1,\`"correlationid\`": \`"clfwrqgme0021nj329mijk52w\`",\`"logtype\`": \`"Protection\`",\`"level\`": \`"SUCCESS\`",\`"origin\`": {  \`"hostname\`": \`"169.254.197.189\`",  \`"ip\`": \`"169.254.197.189\`", \`"time_utc\`": 1722941687},\`"protection\`": {\`"dataelement\`": \`"alpha\`", \`"operation\`": \`"Unprotect\`",\`"audit_code\`": 8,\`"policy_user\`": \`"test_user\`",\`"datastore\`": \`"SAMPLE_POLICY\`"},\`"process\`": {  \`"name\`": \`"N/A\`",  \`"id\`": \`"15\`",\`"thread_id\`": \`"2243954624\`",\`"user\`": \`"sbx_user1051\`", \`"platform\`": \`"Linux_x32\`"},\`"client\`": {\`"username\`":\`"sbx_user1051\`",\`"ip\`":\`"169.254.197.189\`"},\`"protector\`": {\`"family\`": \`"IAP Lambda\`",\`"version\`": \`"3.1.0\`",\`"vendor\`": \`"Cloud Protect\`",\`"pcc_version\`": \`"3.5.0.1\`", \`"core_version\`": \`"2.0.1\`"},\`"signature\`": { \`"key_id\`":\`"5f143892-bbe4-4794-b1f4-ed28ca2a077e\`", \`"checksum\`": \`"90BC9BF39354869BD4BC5381820D201797DF4AF53B5A7F5F3AE01EC607C41A6E\`"}}`"}"
   

   Note

   For Cloud API on Azure Government Cloud use the following URL: https://$forwarderFunctionName.azurewebsites.us/admin/functions/auditlogforwarder

   Note

   The Body content is a sample audit log. See Audit Logging for detail on audit log contents.

4. Run following query to see your function logs, allow for a few minutes for Azure to deliver the logs

   
   traces
   | project timestamp, message
   | where timestamp > ago(5m)
   

5. Test is successful if the logs contain the following entry:

   opensearch.0: All logs successfully send to destination
   

   If the log entry is not present, please consult the Troubleshooting section for common errors and solutions.

Update Protect Service With Event Hub details

In this section, Event Hub details will be provided to the Protect Service installation.

1. Navigate to the Protect function environment variables.

2. Set EVENTHUB_NAME to the output value recorded in Install Log Forwarder via ARM template.

3. Set EventHub__fullyQualifiedNamespace to the output value recorded in Install Log Forwarder via ARM template.

4. Apply and Confirm to apply the changes.

Update Policy Agent With Log Forwarder Function Target

Log Forwarder requires a Protegrity policy which is in sync with the Protector Service. This section will describe the steps to update the Policy Agent to include updating the Log Forwarder.

1. Navigate to the Policy Agent function created in Install Agent via ARM template

2. Select Settings > Environment variables > PROTEGRITY_PROTECT_FUNCTION

3. Edit the value for environment variable PROTEGRITY_PROTECT_FUNCTION to include the Log Forwarder function’s name in the comma separated list of function names.

4. Select Apply > Apply > Confirm to save the changes

5. Test Policy Agent installation as described in Test Agent Function Installation

Test Full Log Forwarder Installation

1. Install and configure Protegrity Agent, Protect Service and Log Forwarder components.
2. Set EVENT_LEVEL environment variable on Protect Service function to Informational.
3. Set PTY_LOG_LEVEL environment variable on both Protect Service function and Log Forwarder function to config.

Test Installation

1. Make a protect operation using a data element or user which will result in audit log generation

2. Navigate to the Logs for the Protect Service function

3. Execute ’traces’ query

4. Expect to see a log similar to the below:

   
   Completed publishing events for Event Hub: audit-logs (Partition Id/Key: '0'), Operation Id: 'e17bacd6-91e6-4fb5-8281-2929788bef09'. Service Retry Count: 0; Duration: '0.02' seconds
   

5. Navigate to the Logs for the Log Forwarder function

6. Execute ’traces’ query

7. Expect to see a log similar to the below:

   
   opensearch.0: All logs successfully send to destination
   

Troubleshooting

Configure additional logging for functions:

1. Set EVENT_LEVEL environment variable on Protect function to Informational.
2. Set PTY_LOG_LEVEL environment variable on both Protect function and Log Forwarder function to config.

Unhandled exception. System.Exception: Failed to initialize 
function type,expecting environment variable 
'AzureWebJobs.AuditLogForwarder.Disabled' 
to be set to either 'true' or 'false'

[2024/08/08 10:00:00] [error] [tls] error: unexpected EOF

Failed to aggregate audit logs, 1 audit logs dropped, error: 
The user, group or application 'appid=;oid=;iss=' does not have 
secrets get permission on key vault ';location='...
Status: 403 (Forbidden)
ErrorCode: Forbidden

TCP connection timed out: 001.001.001.001:9200

fail: Protect.Aggregate[0] Failed to aggregate audit logs, 
1 audit logs dropped, error: Invalid URI: The format of the URI 
could not be determined. 
info: iap[0] Shared memory segment POLICY does not exist: The 
system cannot find the file specified.

[Error] Azure-Messaging-EventHubs: An exception occurred while 
publishing a batch of events for buffered producer instance with 
identifier 'x' to Event Hub: audit-logs, Partition Id: '0', 
Operation Id: 'x'. Error Message: 'Unauthorized access.

7 -

Prerequisites

8 -

Required Skills and Abilities