Install Windows Agent with Azure Resource Manager
You can install the Lacework agent on your Windows host through an Azure Resource Manager (ARM) template. In this type of deployment, the ARM template uses the CustomScriptExtension
to download and run a Install-LWCollector.ps1
PowerShell script that installs the agent onto a Windows VM instance.
Prerequisites
- Install Azure CLI on your machine. For instructions, see How to install the Azure CLI.
- Download the ARM Template (azurerm.zip file) using the instructions in Download Windows Agent Installers.
- Unzip the azurerm.zip file. The azurerm folder that is created contains the following files:
- parameters.json
- template.bicep
- template.json
Configure an ARM Template
Create an ARM template that deploys your Azure resources and the Windows agent. You can use the sample ARM template (template.json
or template.bicep
) in the azurerm folder. This template creates a VM instance and installs the Windows agent. This template downloads and runs a PowerShell script (Install-LWCollector.ps1
) to install the agent on the VM instance.
The Install-LWCollector.ps1
script installs the Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. In addition, the script optionally configures a Windows Defender exclusion for the agent with the -defender
parameter.
note
Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWCollector.ps1
script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the script to exclude the agent from scanning.
Configure a Parameters File for your Azure Deployment
Create a JSON file for your deployment parameters. You can modify the sample parameters file (parameters.json
) in the azurerm folder as required. Specify values for the following parameters in the parameters.json
file:
laceworkEndpoint
- The Lacework API server URL, eitherapi.lacework.net
(default), oraprodus2.agent.lacework.net
(for US-02 (US)),api.fra.lacework.net
(for European Union (EU)), orauprodn1.agent.lacework.net
(for Australia and New Zealand (ANZ)).laceworkMSIURL
- The URL for downloading the Windows agent MSI package. To obtain the URL, do the following:- Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
- Go to the release you want to install.
- Copy the URL for Lacework Windows Agent MSI Package.
laceworkPSScript
- The URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following:- Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
- Go to the release you want to install.
- Copy the URL for Install-LWDataCollector.ps1 Script.
laceworkToken
- A valid Lacework agent access token. For more information, see Obtain an Access Token for the Windows Agent. It is good practice to store access tokens securely in Azure Key Vault. Theparameters.json
file references the access token in a Key Vault.laceworkDefender
- (Optional) To configure a Windows Defender exclusion for the agent, change the value of this parameter totrue
.- Parameters for your Windows VM on Azure.
Deploy the ARM Template
Execute the command to deploy the ARM template.
PowerShell
Open a PowerShell terminal as administrator and execute the following command:
- To use the parameters.json file:
New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.json
- To use the parameters.bicep file:Where
New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.bicep
-Name
specifies the name of your Azure deployment, and-ResourceGroupName
specifies the name of the Azure resource group to which you want to add the deployment.
Azure CLI
Execute the following command in the Azure CLI:
- To use the parameters.json file:
az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.json
- To use the parameters.bicep file:
az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.bicep
Deploy to an Existing Azure VM Instance without Using an ARM Template
You can install the Lacework Windows agent to an existing Azure VM instance without using an ARM template.
PowerShell
Open a PowerShell terminal as administrator and execute the following command:
Set-AzVMCustomScriptExtension -ResourceGroupName <resource_group> `
-VMName <target_vm_name> `
-FileUri "https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1" `
-Run 'Install-LWCollector.ps1 -AccessToken <lacework_token> -ServerURL api.lacework.net -defender' `
-Name install-lacework-dc `
-SecureExecution
Azure CLI
Execute the following command in the Azure CLI:
az vm extension set -n customScriptExtension --publisher Microsoft.Compute --extension-instance-name install-lacework-dc -g <resource_group> --vm-name <target_vm_name> --protected-settings '{"FileUris": "https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1", "commandToExecute": "powershell -File Install-LWCollector.ps1 -AccessToken <lacework_token> -ServerURL api.lacework.net -defender"}'
Where:
https://updates.lacework.net/windows/<Release-Version>/Install-LWCollector.ps1
specifies the URL for theInstall-LWCollector.ps1
PowerShell script. To obtain the URL for the Install-LWDataCollector.ps1 script, do the following:- Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
- Go to the release you want to install.
- Copy the URL for the Install-LWDataCollector.ps1 Script.
-AccessToken
specifies your agent access token. For more information, see Obtain an Access Token for the Windows Agent.-ServerURL
specifies your Lacework API server URL, eitherapi.lacework.net
(default), oraprodus2.agent.lacework.net
(for US-02 (US)),api.fra.lacework.net
(for European Union (EU)), orauprodn1.agent.lacework.net
(for Australia and New Zealand (ANZ)).-defender
configures a Windows Defender exclusion for the agent.