Enable Automatic Provisioning of the Monitoring Agent

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-002

Ensure that the automatic provisioning extensions are enabled within the Microsoft Defender for Cloud settings to collect security data and events from your Azure virtual machines (VMs) and containers. By enabling Auto provisioning, you can ensure that the agents needed for processes such as vulnerability assessments, log analytics and container monitoring are automatically installed on your infrastructure.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When automatic provisioning is enabled, agents will be installed as part of infrastructure deployment. For example, if the Log Analytics extension is enabled, the Log Analytics agent will be installed on all the existing supported virtual machines (VMs), plus on any new ones created later. Once the agent is installed, Microsoft Defender for Cloud reads various security-related configurations and event logs from your virtual machines and sends the data collected (including crash dump files) to your workspace for analysis. The data sent for analysis is required to provide visibility into missing updates, misconfigured operating system (OS) security settings, endpoint protection settings, and health and threat detections. It is highly recommended to enable all extensions within your subscription, in particular the Vulnerability Assessment reports for Virtual Machines and the Microsoft Defender for Container components.


Audit

To determine whether each of the automatic provisioning extensions is enabled within the Microsoft Defender for Cloud settings for your subscription, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Auto provisioning.

06 In the Auto provisioning – Extensions section, check the configuration status of each extension. These include Log Analytics agent for Azure VMs, Vulnerability assessment for machines, Guest Configuration agent and Microsoft Defender for Containers components. If the status of any extension is set to Off, the automatic provisioning extensions are not fully enabled for the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI and PowerShell

01 Run az security auto-provisioning-setting list command (Windows/macOS/Linux) to determine whether automatic provisioning of the monitoring agent (Log Analytics agent) is enabled for the currently selected subscription. Note that this command exposes only that setting (the autoProvisioningSettings resource named default); the remaining extensions listed in the console steps (Vulnerability assessment, Guest Configuration agent and Microsoft Defender for Containers components) are not reported by it and must be verified in the console:

az security auto-provisioning-setting list | jq '.[].autoProvision'

02 The command output should return the status of the monitoring agent auto provisioning setting, for example:

"Off"

If the az security auto-provisioning-setting list command output returns "Off", automatic provisioning of the monitoring agent is not enabled for the selected Microsoft Azure subscription. Use az account set --subscription <azure-subscription-id> to switch the selected subscription before re-running the check.

03 Repeat steps no. 1 and 2 for each subscription available in your Azure cloud account.

Remediation / Resolution

To enable the automatic provisioning extensions for Microsoft Defender for Cloud, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Auto provisioning.

06 In the Auto provisioning – Extensions section, click the Enable all extensions button to turn on every available extension, or toggle individually the extensions that are still Off. For example, the toggle next to Log Analytics agent for Azure VMs enables automatic provisioning of the Log Analytics agent on the existing virtual machines (VMs) and on any created later.

07 For each extension being enabled, configure the settings suitable for your environment:

  1. For the Log Analytics agent, select the Agent type and the workspace where the collected data will be stored, either the default workspace or a custom workspace. If you choose Connect Azure VMs to the default workspace(s) created by Defender for Cloud, Microsoft Defender for Cloud creates a new resource group and a default workspace in the same geolocation and connects the agent to that workspace.
  2. For the Vulnerability assessment solution, keep the default Microsoft threat and vulnerability management, or choose the Microsoft Defender for Cloud integrated Qualys scanner.
  3. For the Microsoft Defender for Containers components, select whether to enable the Defender DaemonSet and Azure Policy for Kubernetes. By default, both can be enabled.

08 Choose Save to save the configuration changes.

09 Repeat steps no. 4 – 8 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI and PowerShell

01 Define the request body for the Microsoft.Security autoProvisioningSettings REST API call, where the autoProvision property is set to On to turn on automatic provisioning of the monitoring agent. Save the document to a JSON file named enable-auto-provision.json and replace <azure-subscription-id> with your own Azure subscription ID:

{  
	"id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/autoProvisioningSettings/default",
	"name":"default",
	"type":"Microsoft.Security/autoProvisioningSettings",
	"properties":{  
		"autoProvision":"On"
	}
}

02 Run the following command (Windows/macOS/Linux). It obtains a bearer token and the ID of the currently selected subscription with az account get-access-token, then sends a PUT request carrying the document defined at the previous step (i.e. enable-auto-provision.json file) to enable the automatic provisioning of the monitoring agent (i.e. Log Analytics agent) for that subscription. Use az account set --subscription <azure-subscription-id> beforehand to select a different subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview" -d @enable-auto-provision.json'

03 The command output should return information about the modified configuration parameter:

{  
	"id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/autoProvisioningSettings/default",
	"name":"default",
	"type":"Microsoft.Security/autoProvisioningSettings",
	"properties":{
		"autoProvision":"On"
	}
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

05 As an alternative to calling the REST API directly, update the setting with the az security auto-provisioning-setting update command, passing the --name default and --auto-provision On parameters, then confirm the change with az security auto-provisioning-setting list as described in the Audit section.
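The two CLI procedures above (the az security auto-provisioning-setting list audit and the PUT/update remediation) can be scripted across every subscription in one run. The following Python script is an added example written for this page, not code from Trend Micro Conformity or Microsoft; it assumes a logged-in az CLI when run for real, and the function names, the subscription IDs and the sample responses produced by make_fake_az are constructed for the offline walk-through. It accepts both the flattened az CLI output (autoProvision at the top level) and the raw REST shape (properties.autoProvision), treats a missing default entry as a failure rather than a pass, and re-reads the setting after remediation instead of assuming the update succeeded.

```python
"""Audit and remediate Defender for Cloud auto provisioning per subscription.

Added example for this page (not Conformity or Microsoft code). az_json shells
out to the real az CLI; make_fake_az returns constructed responses so the
logic runs offline.
"""
import json
import subprocess
from typing import Callable, Dict, List

AzRunner = Callable[[List[str]], object]

# Resource path of the monitoring agent auto provisioning setting; the same
# path the page's curl-based remediation PUTs to.
AUTO_PROVISION_PATH = ("/subscriptions/{sub}/providers/"
                       "Microsoft.Security/autoProvisioningSettings/default")

# Constructed subscription IDs used only by the offline demo (not real tenants).
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"


def az_json(args: List[str]) -> object:
    """Run an az CLI command and parse its JSON output (requires a logged-in az)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def evaluate_auto_provisioning(settings: List[Dict]) -> Dict[str, str]:
    """Map setting name -> autoProvision status from `auto-provisioning-setting list`.

    The az CLI flattens `properties` (top-level `autoProvision`), the raw REST
    response keeps `properties.autoProvision`; both shapes are accepted. A
    subscription that returns no 'default' entry is reported as 'Unknown'
    rather than silently passing.
    """
    result: Dict[str, str] = {}
    for item in settings:
        status = item.get("autoProvision") or item.get("properties", {}).get("autoProvision")
        result[item.get("name", "default")] = status or "Unknown"
    result.setdefault("default", "Unknown")
    return result


def is_compliant(settings: List[Dict]) -> bool:
    """SecurityCenter-002 passes only when the 'default' setting is exactly 'On'."""
    return evaluate_auto_provisioning(settings).get("default") == "On"


def build_enable_body(subscription_id: str) -> Dict:
    """Body for the REST PUT on autoProvisioningSettings/default (same shape as the page's JSON)."""
    return {
        "id": AUTO_PROVISION_PATH.format(sub=subscription_id),
        "name": "default",
        "type": "Microsoft.Security/autoProvisioningSettings",
        "properties": {"autoProvision": "On"},
    }


def audit_all(run: AzRunner = az_json, remediate: bool = False) -> Dict[str, bool]:
    """Audit every enabled subscription; with remediate=True, turn the setting On and re-check."""
    findings: Dict[str, bool] = {}
    for sub in run(["account", "list", "--query", "[?state=='Enabled']"]):
        sub_id = sub["id"]
        list_cmd = ["security", "auto-provisioning-setting", "list", "--subscription", sub_id]
        compliant = is_compliant(run(list_cmd))
        if not compliant and remediate:
            run(["security", "auto-provisioning-setting", "update", "--name", "default",
                 "--auto-provision", "On", "--subscription", sub_id])
            compliant = is_compliant(run(list_cmd))  # verify; do not assume the update took
        findings[sub_id] = compliant
    return findings


def make_fake_az(initial_state: Dict[str, str]) -> AzRunner:
    """Offline stand-in for az_json returning constructed responses (hypothetical data)."""
    state = dict(initial_state)  # subscription id -> "On" / "Off"

    def fake_az(args: List[str]) -> object:
        if args[:2] == ["account", "list"]:
            return [{"id": sub_id, "state": "Enabled"} for sub_id in state]
        sub_id = args[args.index("--subscription") + 1]
        if args[:3] == ["security", "auto-provisioning-setting", "list"]:
            return [{"name": "default", "autoProvision": state[sub_id]}]
        if args[:3] == ["security", "auto-provisioning-setting", "update"]:
            state[sub_id] = args[args.index("--auto-provision") + 1]
            return {"name": "default", "autoProvision": state[sub_id]}
        raise ValueError("unexpected az call: %r" % (args,))

    return fake_az


if __name__ == "__main__":
    # Offline walk-through over constructed data; call audit_all() with no
    # arguments to run against the subscriptions of the logged-in az account.
    fake = make_fake_az({SUB_A: "On", SUB_B: "Off"})
    print("before:", audit_all(run=fake))
    print("after: ", audit_all(run=fake, remediate=True))
```

Run it as-is for the offline walk-through, or call audit_all() (optionally with remediate=True) from a shell where az login has been completed; the update call needs write access to the Microsoft.Security provider on each subscription, so run the audit-only form first under a read-only identity.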

Publication date May 21, 2019