Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Enable automatic provisioning of the monitoring agent to collect security data.

Risk Level: Low
Cloud Entity: Auto Provisioning Settings
CloudGuard Rule ID: D9.AZU.MON.58
Covered by Spectral: No
Category: Security Center

GSL LOGIC

AutoProvisioningSettings should have properties.autoProvision regexMatch /[Oo][Nn]/

REMEDIATION

From Portal

Go to Microsoft Defender for Cloud
Click on Environment Settings
Click on a subscription
Click on Auto Provisioning in the left column.
Ensure that Log Analytics agent for Azure VMs is set to On

From TF
Set the 'auto_provision' argument under 'azurerm_security_center_auto_provisioning' to On:

resource "azurerm_security_center_auto_provisioning" "example" {
	...
	auto_provision = "On"
	...
}

From Command Line

Use the below command to set Automatic provisioning of monitoring agent to On.
Run

az account get-access-token --query '{subscription:subscription,accessToken:accessToken}' --out tsv | xargs -L1 bash -c 'curl -X PUT -H 'Authorization: Bearer $1' -H 'Content-Type: application/json' https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings?default?api-version=2017-08-01-preview -d@'input.json''

Where input.json contains the Request body json data as mentioned below.
{
'id': '/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/autoProvisioningSettings/default',
'name': 'default',
'type': 'Microsoft.Security/autoProvisioningSettings',
'properties': {
'autoProvision': 'On'
}
}
References

Auto Provisioning Settings

Auto Provision is used to install the extensions on existing and future machines in the subscription.

Compliance Frameworks

Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset

Updated about 1 year ago