
Enable Defender Auto Provisioning Extensions


Risk Level: Medium (should be achieved)

Ensure that auto-provisioning extensions are enabled within the Microsoft Defender for Cloud settings to collect security data and events from Azure cloud resources such as virtual machines (VMs) and containers. By enabling auto provisioning, you can ensure that the software agents needed for processes such as vulnerability assessments, log analytics, and container monitoring are automatically installed on your cloud infrastructure.

Security

When automatic provisioning is enabled, software agents are installed as part of infrastructure deployment. For example, if the Azure Monitor Agent (AMA) is autoprovisioned in Microsoft Defender for Cloud, it will be installed on all supported virtual machines. The AMA collects monitoring data from the guest OS of Azure and hybrid virtual machines (VMs), delivering it to Azure Monitor (for use by features and insights) and Microsoft Defender for Cloud. This data is required for analysis to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat detections. AMA replaces the Log Analytics agent (also known as Microsoft Monitoring Agent (MMA) or OMS agent) for Windows and Linux machines in Azure, non-Azure, and on-premises environments.

The Log Analytics agent was deprecated and retired on August 31, 2024, and is being replaced by the Azure Monitor Agent (AMA).


Audit

To determine if auto-provisioning extensions are enabled within the Microsoft Defender for Cloud settings, perform the following operations:

Checking for auto-provisioning extensions in Microsoft Defender for Cloud using Microsoft Azure Portal is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Choose Expand all and click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, select Defender plans, and choose Settings & monitoring.

06 On the Settings & monitoring page, ensure that Defender plans is set to All, and check the configuration status of each supported extension (component or agent), available in the Status column. If one or more extensions have their Status set to Off, auto-provisioning extensions are not fully enabled for the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.
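The step 06 check, applied across several subscriptions, can also be expressed as a script over exported plan data. The following is an added example, not part of the original page or any Trend Micro tooling. It assumes each plan object is shaped like a Microsoft.Security/pricings REST response (`pricingTier`, plus `extensions` entries with `name` and a string `isEnabled`); the subscription IDs and the plan and extension values in the sample are constructed.

```python
import json

# Constructed sample: subscription id -> plan objects in the assumed
# Microsoft.Security/pricings response shape.
SAMPLE = json.loads("""
{
  "00000000-0000-0000-0000-000000000001": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "extensions": [
      {"name": "AgentlessVmScanning", "isEnabled": "True"},
      {"name": "MdeDesignatedSubscription", "isEnabled": "False"}]}},
    {"name": "Containers", "properties": {"pricingTier": "Standard", "extensions": [
      {"name": "ContainerSensor", "isEnabled": "True"}]}},
    {"name": "SqlServerVirtualMachines", "properties": {"pricingTier": "Free"}}
  ],
  "00000000-0000-0000-0000-000000000002": [
    {"name": "StorageAccounts", "properties": {"pricingTier": "Standard", "extensions": [
      {"name": "OnUploadMalwareScanning", "isEnabled": "True"}]}}
  ]
}
""")

def audit_subscription(plans):
    """Return (extensions_off, plans_not_enabled) for one subscription."""
    off, inactive = [], []
    for plan in plans:
        props = plan.get("properties", {})
        if props.get("pricingTier") != "Standard":
            # Plan not enabled: its extension toggles are inactive in the portal.
            inactive.append(plan["name"])
            continue
        for ext in props.get("extensions") or []:
            # isEnabled is a string in the assumed schema; "False" is truthy in
            # Python, so compare the text instead of relying on truthiness.
            if str(ext.get("isEnabled", "")).lower() != "true":
                off.append(f'{plan["name"]}/{ext["name"]}')
    return sorted(off), sorted(inactive)

def audit_all(subscriptions):
    """Map subscription id -> finding; compliant only when no extension is Off."""
    report = {}
    for sub_id, plans in subscriptions.items():
        off, inactive = audit_subscription(plans)
        report[sub_id] = {"compliant": not off, "extensions_off": off,
                          "plans_not_enabled": inactive}
    return report

if __name__ == "__main__":
    for sub_id, finding in audit_all(SAMPLE).items():
        print(sub_id, json.dumps(finding))
```

Plans that are not enabled are reported separately because their extensions cannot be switched on until the plan itself is enabled.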

Remediation / Resolution

To enable auto-provisioning extensions in the Microsoft Defender for Cloud settings, perform the following operations:

Enabling auto-provisioning extensions in Microsoft Defender for Cloud using Microsoft Azure Portal is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Choose Expand all and click on the name (link) of the Azure subscription that you want to configure.

05 In the left navigation panel, under Settings, select Defender plans, and choose Settings & monitoring.

06 On the Settings & monitoring page, perform the following actions:

  1. Ensure that Defender plans is set to All.
  2. Toggle On the feature button from the Status column to enable each active extension (component) supported by Microsoft Defender for Cloud for your Azure subscription. If required, modify extension settings to match your specific requirements. If the On/Off button is not active for a supported extension, check the Microsoft Defender for Cloud section in Knowledge Base to enable the required Defender for Cloud plan. For example, to enable the autoprovisioning process for the Azure Monitor Agent (AMA) when the Azure Monitoring Agent for SQL servers on machines extension is not active on the Settings & monitoring page, you must enable the Defender for SQL servers plan.
  3. Choose Continue to apply the configuration changes.
  4. Choose Save from the top menu to save the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure cloud account.

References

Publication date Sep 25, 2024