Enable Automatic Provisioning of the Monitoring Agent

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-002

Ensure that automatic provisioning of the monitoring agent is enabled in your Microsoft Azure account to collect security data and events from your cloud compute resources in order to help you prevent, detect, and respond efficiently to security vulnerabilities and threats.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When the automatic provisioning of the monitoring agent is turned on, the Azure Security Center installs the Microsoft Monitoring Agent (MMA) on all the existing supported Azure virtual machines (VMs), plus on any new ones created later. Once the MMA is installed, Azure Security Center reads various security-related configurations and event logs from your virtual machines and sends the data collected (including crash dump files) to your workspace for analysis. The data sent for analysis is required to provide visibility into missing updates, misconfigured operating system (OS) security settings, endpoint protection settings, and health and threat detections.

Audit

To determine if the automatic provisioning of the monitoring agent is enabled in your Azure account, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Data Collection and check the Auto Provisioning feature status. If the feature configuration status is set to Off, the "Automatic provisioning of monitoring agent" feature is not enabled for the selected Microsoft Azure subscription.

06 Repeat steps no. 4 and 5 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run the az account get-access-token command (Windows/macOS/Linux) using custom query filters to get the "Automatic provisioning of monitoring agent" feature status for the current Azure account subscription:

# $0 is the subscription ID and $1 is the access token passed in by xargs
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview"' | jq '.value[] | select(.name=="default") | .properties.autoProvision'

02 The command output should return the requested feature configuration status:

"Off"

If the command output returns "Off", as shown in the example above, the "Automatic provisioning of monitoring agent" feature is not enabled for the selected Microsoft Azure subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your account.
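
The jq filter in step 01 prints nothing when the request fails or no "default" setting is returned, which is easy to misread as a pass when repeating the check across subscriptions. The following added example (not part of the original page or the Cloud Conformity tool) applies the same selection to saved response bodies and reports every subscription that is not confirmed "On"; the function names, placeholder subscription IDs and sample bodies are constructed for illustration:

```python
import json

# Constructed sample bodies (not real output), keyed by placeholder subscription IDs.
SAMPLE = {
    "00000000-0000-0000-0000-000000000001":
        '{"value":[{"name":"default","properties":{"autoProvision":"On"}}]}',
    "00000000-0000-0000-0000-000000000002":
        '{"value":[{"name":"default","properties":{"autoProvision":"Off"}}]}',
    "00000000-0000-0000-0000-000000000003":
        '{"error":{"code":"ExpiredAuthenticationToken","message":"constructed"}}',
    "00000000-0000-0000-0000-000000000004": '{"value":[]}',
    "00000000-0000-0000-0000-000000000005": "",
}


def auto_provision_status(body):
    """Same selection as the jq filter: the 'default' setting's autoProvision value.
    Returns 'UNKNOWN:<reason>' instead of silence when the value cannot be read."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "UNKNOWN:not-json"
    if not isinstance(doc, dict):
        return "UNKNOWN:unexpected-shape"
    if "error" in doc:
        err = doc["error"]
        code = err.get("code") if isinstance(err, dict) else None
        return "UNKNOWN:" + str(code or "error")
    for item in doc.get("value") or []:
        if isinstance(item, dict) and item.get("name") == "default":
            props = item.get("properties") or {}
            return props.get("autoProvision", "UNKNOWN:no-autoProvision")
    return "UNKNOWN:no-default-setting"


def audit(responses):
    """Map each subscription that is not confirmed 'On' to its status or failure reason."""
    findings = {}
    for subscription_id, body in responses.items():
        status = auto_provision_status(body)
        if status != "On":
            findings[subscription_id] = status
    return findings


if __name__ == "__main__":
    for subscription_id, status in sorted(audit(SAMPLE).items()):
        print(subscription_id, status)
```
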

Remediation / Resolution

Once active, the "Automatic provisioning of monitoring agent" feature enables the automatic installation of the Microsoft Monitoring Agent (MMA) on all the virtual machines within your Azure subscription. If enabled, any new or existing virtual machine without an installed Microsoft Monitoring Agent extension will have it provisioned. To enable the feature, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Pricing & settings to access your Azure account subscriptions.

04 On Pricing & Settings page, click on the name of the Azure subscription that you want to examine.

05 In the blade navigation panel, choose Data Collection and set Auto Provisioning setting to On to enable the "Automatic provisioning of monitoring agent" feature.

06 Within Workspace configuration section, select whether to have data collected from Azure VMs stored in workspace(s) created by Security Center or in an existing workspace that you created.

07 In the Windows security events section, select All Events to collect and store all Windows security events and AppLocker events.

08 Click Save to apply the changes and enable the automatic provisioning of the monitoring agent in the selected Azure account subscription.

09 If required, repeat steps no. 4 – 8 for other available Microsoft Azure cloud subscriptions.

Using Azure CLI and PowerShell

01 Define the necessary parameters for the account get-access-token command, where the autoProvision configuration attribute is set to On. Save the following content to a JSON file named enable-auto-provision.json and replace the highlighted details, i.e. <azure-subscription-id>, with your own Azure subscription ID:

{
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/autoProvisioningSettings/default",
   "name":"default",
   "type":"Microsoft.Security/autoProvisioningSettings",
   "properties":{
      "autoProvision":"On"
   }
}

02 Run the az account get-access-token command (Windows/macOS/Linux) using the parameters defined at the previous step (i.e. enable-auto-provision.json file) to enable the automatic provisioning of the monitoring agent for the current Microsoft Azure subscription (the command request does not produce an output):

# $0 is the subscription ID and $1 is the access token passed in by xargs
az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview" -d@"enable-auto-provision.json"'

03 If successful, the command output should return the enabled feature configuration metadata:

{
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/autoProvisioningSettings/default",
   "name":"default",
   "type":"Microsoft.Security/autoProvisioningSettings",
   "properties":{
      "autoProvision":"On"
   }
}

04 If required, repeat steps no. 1 – 3 for other available Microsoft Azure cloud subscriptions.

Publication date May 21, 2019
