lacework-global-524
2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Manual)
Note: This rule has been changed to manual; see "Permanently Manual Rules (that were deemed automated) for CIS Azure 1.5.0" for details.
Profile Applicability
• Level 1
Description
Enable automatic provisioning of the monitoring agent to collect security data.
Rationale
When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and on any new ones that are created. The Microsoft Monitoring Agent scans for security-related configurations and events, such as system updates, OS vulnerabilities and endpoint protection, and provides alerts.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select Microsoft Defender for Cloud
- Then Environment Settings
- Select a subscription
- Then Auto Provisioning in the left column
- Ensure that Log Analytics agent for Azure VMs is set to On
Repeat the above for any additional subscriptions.
From Azure CLI
Ensure the output of the command below is On (replace <subscriptionID> with the ID of the subscription being audited):
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name=="default")'|jq '.properties.autoProvision'
Using Azure PowerShell
Connect-AzAccount
Get-AzSecurityAutoProvisioningSetting
Ensure the output shows:
Id: /subscriptions/<subscriptionID>/providers/Microsoft.Security/autoProvisioningSettings/default
Name: default
AutoProvision: On
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select Microsoft Defender for Cloud
- Select Environment Settings
- Select a subscription
- Select Auto Provisioning in the left column
- Ensure that Log Analytics agent for Azure VMs is set to On
Repeat the above for any additional subscriptions.
From Azure CLI
Use the command below to set Automatic provisioning of monitoring agent to On.
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'
Where input.json contains the request body JSON shown below:
{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default",
  "name": "default",
  "type": "Microsoft.Security/autoProvisioningSettings",
  "properties": {
    "autoProvision": "On"
  }
}
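The two CLI steps above, the GET check from the Audit section and the PUT body from the Remediation section, as an added Python example that is not code from the benchmark or from Lacework. The sample list response and the all-zero subscription ID are constructed placeholders, not captured Azure output.

```python
import json

# Added example: evaluates the autoProvisioningSettings list response the way
# the Audit section's jq filter does, and builds the full input.json body the
# Remediation section's PUT expects.


def audit_auto_provisioning(list_response):
    """Evaluate the JSON from GET .../Microsoft.Security/autoProvisioningSettings.
    Returns (compliant, detail). Only the entry named 'default' is evaluated,
    matching the select(.name=="default") filter in the Audit section."""
    default = next((s for s in list_response.get("value", [])
                    if s.get("name") == "default"), None)
    if default is None:
        # No default entry at all: report a failed check rather than a pass.
        return False, "no 'default' autoProvisioningSettings entry returned"
    value = default.get("properties", {}).get("autoProvision")
    if value == "On":
        return True, "autoProvision is On"
    return False, "autoProvision is %r, expected 'On'" % (value,)


def remediation_body(subscription_id):
    """Build the complete input.json for the PUT in the Remediation section.
    Every top-level field is kept: the Additional Information section warns
    that omitting entries may leave the setting disabled."""
    body = {
        "id": "/subscriptions/%s/providers/Microsoft.Security/"
              "autoProvisioningSettings/default" % subscription_id,
        "name": "default",
        "type": "Microsoft.Security/autoProvisioningSettings",
        "properties": {"autoProvision": "On"},
    }
    return json.dumps(body, indent=2)


def sample_response(auto_provision):
    """Constructed sample of the list response (not captured from Azure)."""
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    return {"value": [{
        "id": "/subscriptions/%s/providers/Microsoft.Security/"
              "autoProvisioningSettings/default" % sub,
        "name": "default",
        "type": "Microsoft.Security/autoProvisioningSettings",
        "properties": {"autoProvision": auto_provision},
    }]}


if __name__ == "__main__":
    for resp in (sample_response("On"), sample_response("Off"), {"value": []}):
        print(audit_auto_provisioning(resp))
    print(remediation_body("<Your_Subscription_Id>"))
```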
References
https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://msdn.microsoft.com/en-us/library/mt704062.aspx
https://msdn.microsoft.com/en-us/library/mt704063.aspx
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list
https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification
Additional Information
- Excluding any of the entries in input.json may disable the specific setting by default.
- Microsoft has recently changed the APIs used to get and update the Automatic Provisioning setting. This recommendation is updated accordingly.