lacework-global-524
Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' (Manual)
This rule has been changed to manual, see Permanently Manual Policies (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enable automatic provisioning of the monitoring agent to collect security data.
Rationale
When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and on any new ones that are created. The agent collects security-related configuration and event data, such as missing system updates, OS vulnerabilities and endpoint protection status, and Defender for Cloud raises alerts and recommendations from it.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Defender for Cloud.
- Select Environment Settings.
- Select a subscription.
- Select Auto Provisioning in the left column.
- Ensure that Log Analytics agent for Azure VMs is set to On.
Repeat the above for any additional subscriptions.
From Azure CLI
Ensure the output of the below command is On. The tsv output of az account get-access-token is passed by xargs to the bash -c script as two positional arguments: $0 is the subscription ID and $1 is the access token, so no placeholder needs to be edited into the URL.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview"' | jq '.value[] | select(.name=="default") | .properties.autoProvision'
Using Azure PowerShell
Connect-AzAccount
Get-AzSecurityAutoProvisioningSetting
Ensure the output shows AutoProvision as On for the default setting:
Id                                                                       Name     AutoProvision
/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default  default  On
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Defender for Cloud.
- Select Environment Settings.
- Select a subscription.
- Click Settings & Monitoring.
- Set Log Analytics agent/Azure Monitor agent to On.
- Select the appropriate Auto-provisioning configuration for the subscription and click Apply.
- Click Continue.
Repeat the preceding steps for any additional subscriptions.
From Azure CLI
Use the below command to set Automatic provisioning of the monitoring agent to On. As in the audit command, $0 is the subscription ID and $1 the access token taken from the tsv output of az account get-access-token.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview" -d@"input.json"'
Where input.json contains the request body JSON shown below, with <Your_Subscription_Id> replaced by the target subscription ID.
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
"name": "default",
"type": "Microsoft.Security/autoProvisioningSettings",
"properties": {
"autoProvision": "On"
}
}
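The audit and remediation commands above each handle one subscription and depend on jq being installed. The following is an added example, not part of the CIS benchmark or of Lacework's policy text: a small Python script that calls the same Microsoft.Security autoProvisioningSettings REST endpoints (List for the audit, Create on the "default" setting for the remediation) with the same api-version and request body. The compliance logic is separated from the network calls so it can be exercised offline against constructed sample responses; the environment variable names AZURE_ACCESS_TOKEN, AZURE_SUBSCRIPTION_ID and REMEDIATE used for the live mode are this example's own assumptions, as is the choice to treat a List response with no "default" entry as non-compliant.

```python
"""Audit and remediate Defender for Cloud auto-provisioning of the
Log Analytics agent via the autoProvisioningSettings REST API.

Added example; not code from the CIS benchmark or Lacework. Only the
live_* functions touch the network, and they run only when a token and
subscription ID are supplied through environment variables (assumed names).
"""
import json
import os
import urllib.request
from typing import Optional, Tuple

API_VERSION = "2017-08-01-preview"
MGMT = "https://management.azure.com"


def settings_url(subscription_id: str, name: Optional[str] = None) -> str:
    """URL of the autoProvisioningSettings collection (List) or of one
    named setting (Get/Create), matching the endpoints used on this page."""
    url = (f"{MGMT}/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/autoProvisioningSettings")
    if name:
        url += f"/{name}"
    return f"{url}?api-version={API_VERSION}"


def evaluate(list_response: dict) -> Tuple[bool, str]:
    """Return (compliant, reason) for a List response body.

    Compliant means the entry named "default" has
    properties.autoProvision == "On". A List response with no "default"
    entry is reported as non-compliant rather than unknown (assumption:
    the platform then falls back to its own default behaviour).
    """
    for item in list_response.get("value", []):
        if item.get("name") != "default":
            continue
        state = item.get("properties", {}).get("autoProvision")
        if state == "On":
            return True, "default=On"
        return False, f"default={state!r}"
    return False, "no 'default' autoProvisioningSettings entry"


def remediation_body(subscription_id: str) -> dict:
    """Request body for PUT .../autoProvisioningSettings/default; the same
    shape as input.json above, with the subscription ID filled in."""
    return {
        "id": (f"/subscriptions/{subscription_id}"
               "/providers/Microsoft.Security/autoProvisioningSettings/default"),
        "name": "default",
        "type": "Microsoft.Security/autoProvisioningSettings",
        "properties": {"autoProvision": "On"},
    }


def _call(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal ARM REST call with a bearer token (the only network code here)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode()
    return json.loads(raw) if raw else {}


def live_audit(subscription_id: str, token: str) -> Tuple[bool, str]:
    """Audit one subscription: GET the List endpoint and evaluate it."""
    return evaluate(_call("GET", settings_url(subscription_id), token))


def live_remediate(subscription_id: str, token: str) -> dict:
    """Remediate one subscription: PUT the 'default' setting to On."""
    return _call("PUT", settings_url(subscription_id, "default"), token,
                 remediation_body(subscription_id))


# Constructed sample List responses for the offline demo (not real data).
_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/providers/Microsoft.Security/autoProvisioningSettings/default")
SAMPLE_ON = {"value": [{"id": _ID, "name": "default",
                        "type": "Microsoft.Security/autoProvisioningSettings",
                        "properties": {"autoProvision": "On"}}]}
SAMPLE_OFF = {"value": [{"id": _ID, "name": "default",
                         "type": "Microsoft.Security/autoProvisioningSettings",
                         "properties": {"autoProvision": "Off"}}]}
SAMPLE_EMPTY = {"value": []}

if __name__ == "__main__":
    for label, sample in (("on", SAMPLE_ON), ("off", SAMPLE_OFF), ("empty", SAMPLE_EMPTY)):
        print(f"{label:6} -> {evaluate(sample)}")
    # Live mode (assumed variable names), for example:
    #   export AZURE_ACCESS_TOKEN=$(az account get-access-token --query accessToken -o tsv)
    #   export AZURE_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
    token = os.environ.get("AZURE_ACCESS_TOKEN")
    sub = os.environ.get("AZURE_SUBSCRIPTION_ID")
    if token and sub:
        ok, why = live_audit(sub, token)
        print(f"{sub}: {'PASS' if ok else 'FAIL'} ({why})")
        if not ok and os.environ.get("REMEDIATE") == "1":
            print(json.dumps(live_remediate(sub, token), indent=2))
```

Run it with no environment variables to see the three sample verdicts; set AZURE_ACCESS_TOKEN and AZURE_SUBSCRIPTION_ID to audit a real subscription, and additionally REMEDIATE=1 to apply the PUT when the audit fails. The token needs a role that can read and write Microsoft.Security/autoProvisioningSettings on the subscription (Security Admin or Owner suffices); a bare Reader can audit but the PUT will return 403.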
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Omitting any of the entries in input.json may cause the corresponding setting to fall back to its platform default, which can disable it.
- Microsoft has changed the APIs used to get and update the Automatic Provisioning setting. The Center for Internet Security (CIS) updated this recommendation accordingly.