Overview
Enable automatic provisioning of the monitoring agent to collect security data.
DEPRECATION PLANNED: The Log Analytics Agent is slated for deprecation in August 2024. The Microsoft Defender for Endpoint agent, in tandem with new agentless capabilities, will provide replacement functionality. More detail is available here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341.
Rationale
When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones created. The Microsoft Monitoring Agent scans for various security-related configurations and events, such as system updates, OS vulnerabilities, and endpoint protection, and provides alerts.
Default Value
By default, Automatic provisioning of monitoring agent is set to On.
Remediation guidance
From Azure Console
- Go to
Microsoft Defender for Cloud - Under
Management, selectEnvironment Settings - Select a subscription
- Select
Settings & monitoring - Set
Log Analytics agent/Azure Monitor AgenttoOn
Repeat the above for any additional subscriptions.
Using Azure Command Line Interface
Use the below command to set Automatic provisioning of monitoring agent to On.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the Request body json data as mentioned below.
{
"id": "/subscriptions/<subscriptionID>/providers/Microsoft.Security/autoProvisioningSettings/default",
"name": "default",
"type": "Microsoft.Security/autoProvisioningSettings",
"properties": {
"autoProvision": "On"
}
}
Additional Information
- Excluding any of the entries in
input.jsonmay disable the specific setting by default - Microsoft has recently changed APIs to get and Update Automatic Provisioning Settings. This recommendation is updated accordingly.
References
- https://learn.microsoft.com/en-us/azure/security-center/security-center-data-security
- https://learn.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
- https://msdn.microsoft.com/en-us/library/mt704062.aspx
- https://msdn.microsoft.com/en-us/library/mt704063.aspx
- https://learn.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
- https://learn.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Platform
Use the provider or platform baseline, preventive policy, and IaC modules to enforce this setting consistently when many resources are affected.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
No stored query bodies are attached to this entry.
