
Enable Defender Auto Provisioning Extensions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the automatic provisioning extensions are enabled within the Microsoft Defender for Cloud settings to collect security data and events from Azure cloud resources such as virtual machines (VMs) and containers. By enabling Auto provisioning, you can ensure that the agents needed for processes such as vulnerability assessments, log analytics, and container monitoring are automatically installed on your infrastructure.

Security

When automatic provisioning is enabled, agents will be installed as part of infrastructure deployment. For example, if the Log Analytics extension is enabled, the Log Analytics agent will be installed on all the existing supported virtual machines (VMs), plus on any new ones created later. Once the agent is installed, Microsoft Defender for Cloud reads various security-related configurations and event logs from your virtual machines and sends the data collected (including crash dump files) to your workspace for analysis. The data sent for analysis is required to provide visibility into missing updates, misconfigured operating system (OS) security settings, endpoint protection settings, and health and threat detections. It is highly recommended to enable all extensions within your subscription, in particular the Vulnerability Assessment reports for Virtual Machines and the Microsoft Defender for Container components.


Audit

To determine if each of the automatic provisioning extensions is enabled within the Microsoft Defender for Cloud settings for your subscription, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Choose Expand all and click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, select Defender plans, and choose Settings and monitoring.

06 On the Settings & monitoring page, ensure that Defender plans is set to All, and check the configuration status of each supported extension (component), available in the Status column. If one or more extensions have their Status set to Off, the automatic provisioning extensions are not fully enabled for the selected Azure subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run az security auto-provisioning-setting list command (Windows/macOS/Linux) to determine if the automatic provisioning extensions (components) currently supported by Microsoft Defender for Cloud are enabled for the selected Azure subscription:

az security auto-provisioning-setting list | jq .[].autoProvision

05 The command output should return the requested configuration information:

"Off"

If the az security auto-provisioning-setting list command output returns "Off", automatic provisioning of the Log Analytics agent is disabled for the selected Azure subscription. Note that the autoProvisioningSettings resource queried by this command controls only the Log Analytics agent; the per-plan extensions (components) shown on the Settings & monitoring page are configured under each Defender plan and must be verified using the Azure Portal steps described above.

06 Repeat steps no. 3 - 5 for each subscription available in your Azure cloud account.

Remediation / Resolution

To enable the automatic provisioning of extensions for Microsoft Defender for Cloud in your Azure subscriptions, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Choose Expand all and click on the name (link) of the Azure subscription that you want to configure.

05 In the left navigation panel, under Settings, select Defender plans, and choose Settings and monitoring.

06 On the Settings & monitoring page, perform the following actions:

  1. Ensure that Defender plans is set to All.
  2. Toggle the On/Off button from the Status column to enable each extension (component) supported by Microsoft Defender for Cloud for your subscription. If required, modify extension settings to match your specific requirements.
  3. Choose Continue to apply the configuration changes.
  4. Choose Save from the top menu to save the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Define the request body for the PUT request against the Microsoft.Security/autoProvisioningSettings resource, where the autoProvision property is set to On to enable automatic provisioning for Microsoft Defender for Cloud. Save the configuration document to a JSON file named enable-auto-provision.json and replace <azure-subscription-id> with your own Azure subscription ID:

{
	"id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/autoProvisioningSettings/default",
	"name":"default",
	"type":"Microsoft.Security/autoProvisioningSettings",
	"properties":{
		"autoProvision":"On"
	}
}

04 Run account get-access-token command (Windows/macOS/Linux) to obtain a bearer token for the current subscription and pass it to a curl PUT request against the Azure Resource Manager API, using the configuration document defined at the previous step (i.e. enable-auto-provision.json file) as the request body, to enable the automatic provisioning of the Log Analytics agent within the selected Azure subscription. Alternatively, the az security auto-provisioning-setting update command can be used to update your automatic provisioning settings on the subscription:

az account get-access-token
  --query "{subscription:subscription,accessToken:accessToken}"
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@"enable-auto-provision.json"'

05 The command output should return the auto provisioning configuration information available for the selected subscription:

{
	"id":"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/autoProvisioningSettings/default",
	"name":"default",
	"type":"Microsoft.Security/autoProvisioningSettings",
	"properties":{
		"autoProvision":"On"
	}
}

06 Repeat steps no. 3 – 5 for each Microsoft Azure subscription available in your Azure cloud account.
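The following script is an added example that is not part of the original Conformity article or of the Azure CLI itself. It automates the audit (steps 1 – 6 of the Audit/Azure CLI section) and the remediation (steps 1 – 6 of the Remediation/Azure CLI section) across every enabled subscription visible to the signed-in Azure CLI identity. It assumes that the az CLI is installed and logged in, uses az rest instead of the page's account get-access-token/curl pipeline to send the same PUT body to the same resource and api-version, and introduces a hypothetical --remediate flag of its own; the subscription IDs and settings in the comments are constructed sample values.

```python
"""Audit (and optionally remediate) Defender for Cloud auto-provisioning
across every subscription the signed-in Azure CLI identity can see.

Wraps the Azure CLI commands from the page: `az account list`,
`az security auto-provisioning-setting list`, and a PUT on the
Microsoft.Security/autoProvisioningSettings/default resource (sent here
with `az rest` rather than the page's curl pipeline).
"""
import json
import subprocess
import sys

# API version the page's curl example uses for the autoProvisioningSettings resource.
API_VERSION = "2017-08-01-preview"
ARM = "https://management.azure.com"


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output."""
    proc = subprocess.run(
        ["az", *args, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def noncompliant_settings(settings):
    """Return names of auto-provisioning settings whose autoProvision is not 'On'.

    `settings` is the list that `az security auto-provisioning-setting list`
    returns (the CLI flattens `properties`, so `autoProvision` is top-level,
    e.g. [{"name": "default", "autoProvision": "Off", ...}]).
    The only setting today is 'default', which governs the Log Analytics agent;
    per-plan extensions are not represented here and must be checked per plan.
    """
    return [s.get("name", "<unnamed>") for s in settings
            if s.get("autoProvision") != "On"]


def setting_resource_id(subscription_id):
    """ARM resource ID of the subscription's default auto-provisioning setting."""
    return (f"/subscriptions/{subscription_id}/providers/"
            "Microsoft.Security/autoProvisioningSettings/default")


def enable_request_body(subscription_id):
    """Build the PUT body equivalent to the page's enable-auto-provision.json."""
    return {
        "id": setting_resource_id(subscription_id),
        "name": "default",
        "type": "Microsoft.Security/autoProvisioningSettings",
        "properties": {"autoProvision": "On"},
    }


def enable_auto_provisioning(subscription_id):
    """PUT autoProvision=On via `az rest`, which attaches the CLI's own bearer token."""
    url = f"{ARM}{setting_resource_id(subscription_id)}?api-version={API_VERSION}"
    return az("rest", "--method", "put", "--url", url,
              "--body", json.dumps(enable_request_body(subscription_id)))


def audit_subscriptions(remediate=False):
    """Return {subscription_id: [non-compliant setting names or error]}.

    Compliant subscriptions are omitted, so an empty dict means a clean sweep.
    """
    findings = {}
    for sub in az("account", "list"):
        if sub.get("state", "Enabled") != "Enabled":
            continue  # disabled / warned subscriptions cannot be configured
        sub_id = sub["id"]
        try:
            settings = az("security", "auto-provisioning-setting", "list",
                          "--subscription", sub_id) or []
        except subprocess.CalledProcessError as exc:
            # Keep sweeping: a missing Security Reader role on one subscription
            # must not hide findings in the others.
            findings[sub_id] = [f"query failed: {exc.stderr.strip()}"]
            continue
        bad = noncompliant_settings(settings)
        if not bad:
            continue
        if remediate:
            enable_auto_provisioning(sub_id)
            bad = [f"{name} (set to On)" for name in bad]
        findings[sub_id] = bad
    return findings


if __name__ == "__main__":
    # `--remediate` is this script's own flag (not an az option).
    results = audit_subscriptions(remediate="--remediate" in sys.argv)
    for sub_id, names in results.items():
        print(f"{sub_id}: {', '.join(names)}")
    sys.exit(1 if results else 0)
```

Run it without arguments from a logged-in az session to list every subscription whose default auto-provisioning setting is Off (non-zero exit when anything is found, which makes it usable as a pipeline gate), or with --remediate to apply the PUT to each of them. The remediation requires Security Admin (or equivalent write permission on Microsoft.Security/autoProvisioningSettings) on the target subscription, and, like the page's curl example, it only switches on the Log Analytics agent; the per-plan extension toggles on the Settings & monitoring page still have to be confirmed separately.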

Publication date Sep 25, 2024