🛡️ Azure Subscription Log Analytics Agent is not auto provisioned🟢

• Contextual name: 🛡️ Log Analytics Agent is not auto provisioned🟢
• ID: /ce/ca/azure/subscription/log-analytics-agent-auto-provisioning
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Subscription
  • 🔌 Azure Subscription - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Automatic Provisioning of the Monitoring Agent
• Internal: dec-x-181422d8

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-181422d8	1

Description

Open File

Description

Enable automatic provisioning of the monitoring agent to collect security data.

DEPRECATION PLANNED: The Log Analytics Agent is slated for deprecation in August 2024. The Microsoft Defender for Endpoint agent, in tandem with new agentless capabilities will be providing replacement functionality. More detail is available here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341.

Rationale

When Log Analytics agent for Azure VMs is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.

Audit

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Defender for Cloud.
3. Under Management, select Environment Settings.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Defender for Cloud.
3. Under Management, select Environment Settings.
4. Select a subscription.
5. Click on Settings & monitoring.
6. Set the Status of Log Analytics agent to On.
7. Select a Workspace.
8. Click Apply.
9. Click Continue.

Repeat the above for any additional subscriptions.

From Azure CLI

Use the below command to set Automatic provisioning of monitoring agent to On:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"input.json"'

Where input.json contains the Request body json data as mentioned below:

{
    "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/autoProvisioningSettings/default", 

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;		9	11		no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;		9	11		no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22		no data
💼 CIS Azure v2.0.0 → 💼 2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' - Level 1 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 3.1.1.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' (Automated)			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			65		no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration			26		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification		19	21		no data