
'Automatic provisioning of monitoring agent' is set to 'On'

azure.policy

Set up the azure.policy integration.

Description

Enable automatic provisioning of the monitoring agent to collect security data.

Rationale

When automatic provisioning of the monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and on any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events, such as system updates, OS vulnerabilities, and endpoint protection, and provides alerts.

Remediation

From the console

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on a subscription
  4. Click on Auto Provisioning in the left column.
  5. Ensure that Log Analytics agent for Azure VMs is set to On

From the command line

Use the following command to set automatic provisioning of the monitoring agent:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv |
  xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview" -d@"input.json"'

Where input.json contains the Request body JSON data as mentioned below:

{
	"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
	"name": "default",
	"type": "Microsoft.Security/autoProvisioningSettings",
	"properties": {
		"autoProvision": "On"
	}
}
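
A pre-flight check for the request body above, as an added example that is not part of the original rule text: it confirms that input.json carries every entry, a well-formed id with the placeholder replaced, and autoProvision set to On before the PUT is sent. The function name, the GUID pattern, the all-zero sample subscription ID, and the assumption that the API's response uses the same shape as the request body are choices made for this example.

```python
import json
import re

# Values taken from the input.json shown on this page.
SETTING_TYPE = "Microsoft.Security/autoProvisioningSettings"
# Assumption: subscription IDs are GUIDs; resource IDs compare case-insensitively.
ID_RE = re.compile(
    r"/subscriptions/(?P<sub>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/providers/Microsoft\.Security/autoProvisioningSettings/default",
    re.IGNORECASE,
)

def check_setting(text, subscription_id=None):
    """Return the problems found in an autoProvisioningSettings JSON document.

    An empty list means every entry is present and autoProvision is "On".
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    # The page notes that leaving an entry out may disable the setting.
    problems = [f"missing entry: {key}"
                for key in ("id", "name", "type", "properties") if key not in doc]
    if "id" in doc:
        # fullmatch rejects stray whitespace and an unreplaced placeholder.
        match = ID_RE.fullmatch(str(doc["id"]))
        if match is None:
            problems.append("id is not a well-formed resource path")
        elif subscription_id and match["sub"].lower() != subscription_id.lower():
            problems.append("id names a different subscription")
    if "name" in doc and doc["name"] != "default":
        problems.append("name is not 'default'")
    if "type" in doc and doc["type"] != SETTING_TYPE:
        problems.append(f"type is not {SETTING_TYPE}")
    if "properties" in doc:
        props = doc["properties"]
        value = props.get("autoProvision") if isinstance(props, dict) else None
        if value != "On":
            problems.append(f"autoProvision is {value!r}, expected 'On'")
    return problems

# Constructed sample: the all-zero GUID is not a real subscription.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps({
    "id": f"/subscriptions/{SAMPLE_SUB}/providers/{SETTING_TYPE}/default",
    "name": "default", "type": SETTING_TYPE,
    "properties": {"autoProvision": "On"},
})
```

Run it against the contents of input.json before the PUT, and against the body the API returns afterwards, to confirm the setting took effect.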

References

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
  2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
  3. https://msdn.microsoft.com/en-us/library/mt704062.aspx
  4. https://msdn.microsoft.com/en-us/library/mt704063.aspx
  5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
  6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
  7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any of the entries in input.json may disable the specific setting by default.
  • Microsoft has recently changed the APIs used to get and update the automatic provisioning setting. This recommendation has been updated accordingly.