Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'

Enable automatic provisioning of the monitoring agent to collect security data.

Risk Level: Low
Cloud Entity: Auto Provisioning Settings
CloudGuard Rule ID: D9.AZU.MON.58
Covered by Spectral: No
Category: Security Center

GSL LOGIC

AutoProvisioningSettings should have properties.autoProvision regexMatch /[Oo][Nn]/

REMEDIATION

From Portal

  1. Go to Microsoft Defender for Cloud
  2. Click on Environment Settings
  3. Click on a subscription
  4. Click on Auto Provisioning in the left column.
  5. Ensure that Log Analytics agent for Azure VMs is set to On

From TF
Set the 'auto_provision' argument under 'azurerm_security_center_auto_provisioning' to On:

resource "azurerm_security_center_auto_provisioning" "example" {
	...
	auto_provision = "On"
	...
}

From Command Line

Run the following command to set automatic provisioning of the monitoring agent to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview" -d@"input.json"'

Here input.json contains the request body JSON shown below.
{
  "id": "/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/autoProvisioningSettings/default",
  "name": "default",
  "type": "Microsoft.Security/autoProvisioningSettings",
  "properties": {
    "autoProvision": "On"
  }
}

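
To verify the result after remediation, the added example below (not part of the CloudGuard documentation) applies the pattern from the GSL rule to a listing of auto provisioning settings and reports which entries would fail. The "value" wrapper, the function names and the sample subscription IDs are assumptions constructed for illustration; the item fields follow input.json above.

```python
import re

# Pattern copied from the GSL rule on this page. Applying it as an
# unanchored search is an assumption about how regexMatch behaves.
RULE_PATTERN = re.compile(r"[Oo][Nn]")
SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)
ID_TEMPLATE = ("/subscriptions/{}/providers/Microsoft.Security/"
               "autoProvisioningSettings/default")


def evaluate(list_response):
    """Return one finding per setting in an autoProvisioningSettings listing."""
    findings = []
    for item in list_response.get("value") or []:
        sub = SUBSCRIPTION_RE.match(item.get("id") or "")
        value = (item.get("properties") or {}).get("autoProvision")
        # A missing or non-string value cannot satisfy the rule.
        compliant = isinstance(value, str) and bool(RULE_PATTERN.search(value))
        findings.append({
            "subscription": sub.group(1) if sub else None,
            "name": item.get("name"),
            "autoProvision": value,
            "compliant": compliant,
        })
    return findings


def non_compliant(list_response):
    """Return only the findings that would fail the rule."""
    return [f for f in evaluate(list_response) if not f["compliant"]]


# Constructed sample listing (placeholder subscription IDs, not real ones).
SAMPLE = {"value": [
    {"id": ID_TEMPLATE.format("00000000-0000-0000-0000-000000000001"),
     "name": "default", "properties": {"autoProvision": "On"}},
    {"id": ID_TEMPLATE.format("00000000-0000-0000-0000-000000000002"),
     "name": "default", "properties": {"autoProvision": "Off"}},
    # Edge case: the properties object is absent from the record.
    {"id": ID_TEMPLATE.format("00000000-0000-0000-0000-000000000003"),
     "name": "default"},
]}

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        status = "PASS" if f["compliant"] else "FAIL"
        print(status, f["subscription"], f["name"], f["autoProvision"])
```
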
References

  1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature
  2. https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_auto_provisioning

Auto Provisioning Settings

Auto Provision is used to install the extensions on existing and future machines in the subscription.

Compliance Frameworks

  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset