Azure Virtual Machines

When creating an Azure integration with Cloudhouse Guardian (Guardian), you can choose to detect and add your Azure Virtual Machines (VM) to Guardian for monitoring. The following topic describes how to configure your Azure VM(s) in Guardian: which aspects of the Azure VM you want scanned, how they should be scanned, and where that data should be stored. For more information on how to set up an Azure integration, see Azure Integration.

When detecting an Azure VM via Guardian, you can choose to detect one or both of the following node types:

Node Types

Description

Instance nodes

This option detects any Windows or Linux nodes within your Azure VM(s).

Configuration data nodes

This option detects the Azure VM configuration data associated with the Azure VM(s).

These nodes represent the Azure VM instance and its associated configuration. For more information on the differences between these nodes, see below.

Azure Integration

On the Azure Integration page, if the Virtual Machines checkbox is selected from the list of Check Things You Want To Detect checkboxes, the following options are displayed:

Option

Description

Detect Azure Virtual Machines (e.g. the Windows, Linux etc nodes) checkbox

The option to detect the Azure VM instance, that is, the operating system and its associated components, for example users, services, and packages.

If selected, the Operating System column in the Detected tab (Inventory > Detected) displays any detected instance nodes as 'A type of Windows' or 'A type of Linux'.

Select credential type checkbox

The credentials to be used when authenticating Guardian's access to the source. The following options are available to select:

  • Password – The username and password of the user account configured to use SSH.

  • Microsoft Entra ID – The Azure CLI service principal credentials that are configured to use SSH.

Depending on which credential type you choose, the fields displayed on this page will vary; see below for more information.

Password

If the Password credential option is selected, the following options are displayed:

Option

Description

Linux Credentials drop-down

When scanning Linux nodes, provide your Linux credentials according to the following:

  • Linux Connection Manager Group drop-down list – The Connection Manager group that is responsible for scanning any non-Windows node(s) in your Azure VM instance. Select a Connection Manager group from the drop-down list.

  • SSH Port (Optional) field – The Secure Shell (SSH) port number that the Linux Connection Manager uses to communicate with the target nodes for scanning.

    If you selected a Linux Connection Manager from the drop-down list above, enter the port number you are using. If no value is provided, Guardian will default to port 22.

    Note: If you enter a port number that is different to the default (port 22), make sure that it matches the port number that the administrator of the target node is using to run their SSH server.

  • Linux Credentials – Option to use a stored credential. Select an option from the Credentials drop-down list. Additionally, you can select 'Add New Credential' to display the Create Credential dialog if you anticipate using these same credentials for other nodes or integrations. For more information, see Create Credential.

    Note: This option is only available if you have the Credentials feature enabled. If you don't, you'll be prompted to enter a Username and Password for authentication.

If no value is provided, the nodes are added to the Detected tab, regardless of whether the Automatically start monitoring and scanning newly detected nodes checkbox is selected.

Windows Credentials drop-down

When scanning Windows nodes, provide your Windows credentials according to the following:

  • Windows Connection Manager drop-down list – The Connection Manager group that is responsible for scanning any Windows node(s) in your Azure VM instance. Select a group from the drop-down list.

  • WinRM Port field – The default port for WinRM. Enter 5985 for HTTP-based connections, or 5986 for HTTPS/cert-based connections. If you are using non-standard ports for WinRM, enter them here.

  • Windows Credentials – Option to use a stored credential. Select an option from the Credentials drop-down list. Additionally, you can select 'Add New Credential' to display the Create Credential dialog if you anticipate using these same credentials for other nodes or integrations. For more information, see Create Credential.

    Note: This option is only available if you have the Credentials feature enabled. If you don't, you'll be prompted to enter a Username and Password for authentication.

If no value is provided, the nodes are added to the Detected tab, regardless of whether the Automatically start monitoring and scanning newly detected nodes checkbox is selected.
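As an added example (not Guardian's own code), the following Python script applies the port rules described above (a blank SSH Port falls back to 22; WinRM 5985 is HTTP and 5986 is HTTPS) and confirms, from the Connection Manager host, that each target accepts a TCP connection on the port it will be scanned over. The host addresses and the loopback listener are constructed for the demonstration.

```python
# Pre-flight check of the ports an Azure VM integration will scan over.
# Added example, not Guardian's own code: it applies this page's defaults and
# confirms a TCP connection to each target port before the integration is saved.
import socket
from collections import namedtuple

DEFAULT_SSH_PORT = 22
WINRM_PORTS = {5985: "http", 5986: "https"}
PortCheck = namedtuple("PortCheck", "host port transport reachable")
_listeners = []  # keeps demo listener sockets alive for the process lifetime

def resolve_ssh_port(value):
    """An empty SSH Port field means Guardian defaults to port 22."""
    if value is None or str(value).strip() == "":
        return DEFAULT_SSH_PORT
    port = int(str(value).strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid SSH port {port}")
    return port

def winrm_transport(port):
    """Label the WinRM transport so non-standard ports stand out in a report."""
    return "winrm-" + WINRM_PORTS.get(int(port), "custom")

def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(linux_hosts, windows_hosts, ssh_port="", winrm_port=5985):
    """Check each target on the port its Connection Manager group will use."""
    ssh = resolve_ssh_port(ssh_port)
    checks = [PortCheck(h, ssh, "ssh", tcp_reachable(h, ssh)) for h in linux_hosts]
    label, wport = winrm_transport(winrm_port), int(winrm_port)
    checks += [PortCheck(h, wport, label, tcp_reachable(h, wport)) for h in windows_hosts]
    return checks

def local_listener():
    """Constructed stand-in for a target node: a loopback socket on a free port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    _listeners.append(srv)
    return srv.getsockname()[1]
```

Run preflight() from the Connection Manager host with the real target addresses and the same port values you enter in the integration form; any entry reported as not reachable will land in the Detected tab without a successful scan.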

Detect Azure Virtual Machine Configurations checkbox

The option to detect the Azure VM configuration data associated with the Azure VM instance. This option detects any security groups, policies, storage properties, load balancers, and other options attached to the Azure VM instance.

If selected, once the integration is created, any detected configuration data node(s) are displayed with 'Config' appended to their name and with the OS type 'Azure VM Configuration', to differentiate them from the associated instance. For example, 'Windows Server 2022 Config'.

Once the correct values have been set for the above fields, you can continue with the integration; see Next Steps for more information.

Microsoft Entra ID (previously Azure Active Directory)

If the Microsoft Entra ID credential option is selected, the following options are displayed:

Option

Description

Azure CLI service principal password (leave blank if unchanged) field

The password of the service principal configured to use SSH.

Azure CLI service principal tenant field

The tenant ID of the service principal configured to use SSH.

Azure CLI login command (Optional) field

The az login command for Azure CLI.

Detect the Compute VM configuration for this node checkbox

The option to detect the Azure VM configuration data associated with the Azure VM instance. This option detects any security groups, policies, storage properties, load balancers, and other options attached to the Azure VM instance.

If selected, once the integration is created, any detected configuration data node(s) are displayed with 'Config' appended to their name and with the OS type 'Azure VM Configuration', to differentiate them from the associated instance. For example, 'Windows Server 2022 Config'.

Once the correct values have been set for the above fields, you can continue with the integration; see Next Steps below for more information.

Next Steps

Once the correct values have been set for the above fields, you can choose the Detection Options for your integration. By default, any detected nodes are displayed within the Detected tab of your Guardian instance, with the appended identifier attributed to that Azure VM instance's node type.

If you choose to promote a detected node to the Monitored tab (Inventory > Monitored) for regular scanning, it will be automatically added to the corresponding dynamic node group. For example, configuration nodes are added to ‘Azure Virtual Machine Configuration’ node groups regardless of whether they are Windows or Linux.

Note: If a Windows node group is not present in your Guardian instance, it will be automatically created upon the addition of a monitored Windows node. For more information, see Node Groups.

However, if you choose to select the Automatically start monitoring and scanning newly detected nodes checkbox, all detected nodes are added to the Monitored tab. Here, they are automatically added to the corresponding Windows, Linux, or Azure Virtual Machine Configuration node groups.

Once you have set the correct values for each of the instance options displayed, you can continue completing the remaining options to add the Azure integration to the Integrations tab of your Guardian instance.