Skip to main content

lacework-global-524

Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' (Manual)

note

This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 1

Description

Enable automatic provisioning of the monitoring agent to collect security data.

Rationale

When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Microsoft Defender for Cloud
  3. Then Environment Settings
  4. Select a subscription
  5. Then Auto Provisioning in the left column.
  6. Ensure that Log Analytics agent for Azure VMs is set to On

Repeat the above for any additional subscriptions.

From Azure CLI

Ensure the output of the below command is On

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.autoProvision'

Using Azure PowerShell

Connect-AzAccount
Get-AzSecurityAutoProvisioningSetting

Ensure output for Id Name AutoProvision is /subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Select Environment Settings.
  4. Select a subscription.
  5. Click Settings & Monitoring.
  6. Set Log Analytics agent/Azure Monitor agent to On.
  7. Select the appropriate Auto-provisioning configuration for the subscription and click Apply.
  8. Click Continue.

Repeat the preceding steps for any additional subscriptions.

From Azure CLI

Use the below command to set Automatic provisioning of monitoring agent to On.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the Request body json data as mentioned below.

{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
"name": "default",
"type": "Microsoft.Security/autoProvisioningSettings",
"properties": {
"autoProvision": "On"
}
}

References

https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification

Additional Information

  • Excluding any of the entries in input.json may disable the specific setting by default.
  • Microsoft has recently changed APIs to get and Update Automatic Provisioning Setting. The Center for Internet Security (CIS) updated this recommendation accordingly.