lacework-global-524
2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Manual)
note
This rule has been changed to manual, see Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 1
Description
Enable automatic provisioning of the monitoring agent to collect security data.
Rationale
When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud - Then
Environment Settings - Select a subscription
- Then
Auto Provisioningin the left column. - Ensure that
Log Analytics agent for Azure VMsis set toOn
Repeat the above for any additional subscriptions.
From Azure CLI
Ensure the output of the below command is On
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.autoProvision'
Using Azure PowerShell
Connect-AzAccount
Get-AzSecurityAutoProvisioningSetting
Ensure output for Id Name AutoProvision is /subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Microsoft Defender for Cloud - Select
Environment Settings - Select a subscription
- Select
Auto Provisioningin the left column. - Ensure that
Log Analytics agent for Azure VMsis set toOn
Repeat the above for any additional subscriptions.
From Azure CLI
Use the below command to set Automatic provisioning of monitoring agent to On.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the Request body json data as mentioned below.
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
"name": "default",
"type": "Microsoft.Security/autoProvisioningSettings",
"properties": {
"autoProvision": "On"
}
}
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Excluding any of the entries in
input.jsonmay disable the specific setting by default - Microsoft has recently changed APIs to get and Update Automatic Provisioning Setting. This recommendation is updated accordingly.