Skip to main content

Install Windows Agent with Azure Resource Manager

You can install the Lacework agent on your Windows host through an Azure Resource Manager (ARM) template. In this type of deployment, the ARM template uses the CustomScriptExtension to download and run a Install-LWCollector.ps1 PowerShell script that installs the agent onto a Windows VM instance.

Prerequisites

  1. Install Azure CLI on your machine. For instructions, see How to install the Azure CLI.
  2. Download the ARM Template (azurerm.zip file) using the instructions in Download Windows Agent Installers.
  3. Unzip the azurerm.zip file. The azurerm folder that is created contains the following files:
    • parameters.json
    • template.bicep
    • template.json

Configure an ARM Template

Create an ARM template that deploys your Azure resources and the Windows agent. You can use the sample ARM template (template.json or template.bicep) in the azurerm folder. This template creates a VM instance and installs the Windows agent. This template downloads and runs a PowerShell script (Install-LWCollector.ps1) to install the agent on the VM instance.

The Install-LWCollector.ps1 script installs the Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. In addition, the script optionally configures a Windows Defender exclusion for the agent with the -defender parameter.

note

Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWCollector.ps1 script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the script to exclude the agent from scanning.

Configure a Parameters File for your Azure Deployment

Create a JSON file for your deployment parameters. You can modify the sample parameters file (parameters.json) in the azurerm folder as required. Specify values for the following parameters in the parameters.json file:

  • laceworkEndpoint - The Lacework API server URL, either api.lacework.net (default), or aprodus2.agent.lacework.net (for US-02 (US)), api.fra.lacework.net (for European Union (EU)), or auprodn1.agent.lacework.net (for Australia and New Zealand (ANZ)).
  • laceworkMSIURL - The URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Lacework Windows Agent MSI Package.
  • laceworkPSScript - The URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Install-LWDataCollector.ps1 Script.
  • laceworkToken - A valid Lacework agent access token. For more information, see Obtain an Access Token for the Windows Agent. It is good practice to store access tokens securely in Azure Key Vault. The parameters.json file references the access token in a Key Vault.
  • laceworkDefender - (Optional) To configure a Windows Defender exclusion for the agent, change the value of this parameter to true.
  • Parameters for your Windows VM on Azure.

Deploy the ARM Template

Execute the command to deploy the ARM template.

PowerShell

Open a PowerShell terminal as administrator and execute the following command:

  • To use the parameters.json file:
    New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.json
  • To use the parameters.bicep file:
    New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.bicep
    Where -Name specifies the name of your Azure deployment, and -ResourceGroupName specifies the name of the Azure resource group to which you want to add the deployment.

Azure CLI

Execute the following command in the Azure CLI:

  • To use the parameters.json file:
    az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.json
  • To use the parameters.bicep file:
    az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.bicep

Deploy to an Existing Azure VM Instance without Using an ARM Template

You can install the Lacework Windows agent to an existing Azure VM instance without using an ARM template.

PowerShell

Open a PowerShell terminal as administrator and execute the following command:

Set-AzVMCustomScriptExtension -ResourceGroupName <resource_group> `
   -VMName <target_vm_name> `
   -FileUri "https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1" `
   -Run 'Install-LWCollector.ps1 -AccessToken <lacework_token> -ServerURL api.lacework.net -defender' `
   -Name install-lacework-dc `
   -SecureExecution

Azure CLI

Execute the following command in the Azure CLI:

az vm extension set -n customScriptExtension --publisher Microsoft.Compute --extension-instance-name install-lacework-dc -g <resource_group> --vm-name <target_vm_name> --protected-settings '{"FileUris": "https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1", "commandToExecute": "powershell -File Install-LWCollector.ps1 -AccessToken <lacework_token> -ServerURL api.lacework.net -defender"}'

Where:

  • https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1 specifies the URL for the Install-LWCollector.ps1 PowerShell script. To obtain the URL for the Install-LWDataCollector.ps1 script, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for the Install-LWDataCollector.ps1 Script.
  • -AccessToken specifies your agent access token. For more information, see Obtain an Access Token for the Windows Agent.
  • -ServerURL specifies your Lacework API server URL, either api.lacework.net (default), or aprodus2.agent.lacework.net (for US-02 (US)), api.fra.lacework.net (for European Union (EU)), or auprodn1.agent.lacework.net (for Australia and New Zealand (ANZ)).
  • -defender configures a Windows Defender exclusion for the agent.