Automatic provisioning of the monitoring agent should be set to 'On'
Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
Enable automatic provisioning of the monitoring agent to collect security data.
Rationale
When automatic provisioning of the monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events, such as system updates, OS vulnerabilities, and endpoint protection, and provides alerts.
From the console
- Go to Microsoft Defender for Cloud
- Click on Environment Settings
- Click on a subscription
- Click on Auto Provisioning in the left column.
- Ensure that Log Analytics agent for Azure VMs is set to On
From the command line
Use the following command to set automatic provisioning of the monitoring agent:
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the request body JSON data shown below:
{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
  "name": "default",
  "type": "Microsoft.Security/autoProvisioningSettings",
  "properties": {
    "autoProvision": "On"
  }
}
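A pre-flight check for input.json and a compliance test for a returned setting, as an added example that is not part of the original rule text. The function names, the all-zero subscription ID and the sample bodies are constructed for illustration; the expected values are the ones in the request body template above, compared exactly.

```python
import json

EXPECTED_TYPE = "Microsoft.Security/autoProvisioningSettings"

def check_request_body(raw, subscription_id):
    """Return a list of problems found in an input.json request body."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["top level must be a JSON object"]
    expected = {
        "id": f"/subscriptions/{subscription_id}/providers/{EXPECTED_TYPE}/default",
        "name": "default",
        "type": EXPECTED_TYPE,
    }
    problems = []
    for key, want in expected.items():
        got = body.get(key)
        if got is None:
            problems.append(f"missing entry: {key}")
        elif got != want:
            # A trailing space inside the quoted id is easy to miss by eye.
            hint = " (stray whitespace)" if isinstance(got, str) and got.strip() == want else ""
            problems.append(f"unexpected {key}: {got!r}{hint}")
    props = body.get("properties")
    value = props.get("autoProvision") if isinstance(props, dict) else None
    if value is None:
        problems.append("missing entry: properties.autoProvision")
    elif value != "On":
        problems.append(f"autoProvision is {value!r}, expected 'On'")
    return problems

def is_compliant(setting):
    """True when an autoProvisioningSettings resource reports autoProvision 'On'."""
    props = setting.get("properties") if isinstance(setting, dict) else None
    return isinstance(props, dict) and props.get("autoProvision") == "On"

# Constructed sample data: placeholder subscription ID, one good and one bad body.
SUB = "00000000-0000-0000-0000-000000000000"
GOOD = json.dumps({"id": f"/subscriptions/{SUB}/providers/{EXPECTED_TYPE}/default",
                   "name": "default", "type": EXPECTED_TYPE,
                   "properties": {"autoProvision": "On"}})
BAD = json.dumps({"id": f"/subscriptions/{SUB}/providers/{EXPECTED_TYPE}/default ",
                  "name": "default", "properties": {"autoProvision": "Off"}})

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_request_body(raw, SUB) or "ok")
```

Run check_request_body on the file contents before issuing the PUT, and is_compliant on the JSON the API returns afterwards.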
References
- https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
- https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
- https://msdn.microsoft.com/en-us/library/mt704062.aspx
- https://msdn.microsoft.com/en-us/library/mt704063.aspx
- https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
- https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation–setup-incident-notification
- Excluding any of the entries in input.json may disable the specific setting by default.
- Microsoft has recently changed the APIs to get and update the Automatic Provisioning setting. This recommendation is updated accordingly.