Configure auto provisioning of agents for Microsoft Defender for Cloud (2023)

Microsoft Defender for Cloud collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to auto-provision the necessary agents and extensions used by Defender for Cloud to your resources.

When you enable auto provisioning of any of the supported extensions, the extensions are installed on existing and future machines in the subscription. When you disable auto provisioning for an extension, the extension is not installed on future machines, but it is also not uninstalled from existing machines.

Prerequisites

To get started with Defender for Cloud, you must have a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a free account.

Availability

• Auto provisioning
• Log Analytics agent
• Azure Monitor Agent
• Vulnerability assessment
• Defender for Endpoint
• Guest Configuration
• Defender for Containers

This table shows the availability details for the auto provisioning feature itself.

Aspect	Details
Release state:	Auto provisioning is generally available (GA)
Pricing:	Auto provisioning is free to use
Required roles and permissions:	Depends on the specific extension - see relevant tab
Supported destinations:	Depends on the specific extension - see relevant tab
Clouds:	Commercial clouds Azure Government, Azure China 21Vianet

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

How does Defender for Cloud collect data?

Defender for Cloud collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, virtual machine scale sets, IaaS containers, and non-Azure computers.

You can benefit from Microsoft Defender for Cloud even if you don’t provision agents. However, you'll have limited security and the capabilities listed above aren't supported.

Data is collected using:

• The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.
• Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Defender for Cloud regarding specialized resource types.

Why use auto provisioning?

Any of the agents and extensions described on this page can be installed manually (see Manual installation of the Log Analytics agent). However, auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources.

We recommend enabling auto provisioning, but it's disabled by default.

How does auto provisioning work?

Defender for Cloud's auto provisioning settings page has a toggle for each type of supported extension. When you enable auto provisioning of an extension, you assign the appropriate Deploy if not exists policy. This policy type ensures the extension is provisioned on all existing and future resources of that type.

Enable auto provisioning of the Log Analytics agent and extensions

When auto provisioning is on for the Log Analytics agent, Defender for Cloud deploys the agent on all supported Azure VMs and any new ones created. For the list of supported platforms, see Supported platforms in Microsoft Defender for Cloud.

To enable auto provisioning of the Log Analytics agent:

1. From Defender for Cloud's menu, open Environment settings.

2. Select the relevant subscription.

3. In the Auto provisioning page, set the status of auto provisioning for the Log Analytics agent to On.

4. From the configuration options pane, define the workspace to use.

   • Connect Azure VMs to the default workspace(s) created by Defender for Cloud - Defender for Cloud creates a new resource group and default workspace in the same geolocation, and connects the agent to that workspace. If a subscription contains VMs from multiple geolocations, Defender for Cloud creates multiple workspaces to ensure compliance with data privacy requirements.

     The naming convention for the workspace and resource group is:

     • Workspace: DefaultWorkspace-[subscription-ID]-[geo]
     • Resource Group: DefaultResourceGroup-[geo]

     A Defender for Cloud solution is automatically enabled on the workspace per the pricing tier set for the subscription.

     Tip

     For questions regarding default workspaces, see:

     • Am I billed for Azure Monitor logs on the workspaces created by Defender for Cloud?
     • Where is the default Log Analytics workspace created?
     • Can I delete the default workspaces created by Defender for Cloud?

   • Connect Azure VMs to a different workspace - From the dropdown list, select the workspace to store collected data. The dropdown list includes all workspaces across all of your subscriptions. You can use this option to collect data from virtual machines running in different subscriptions and store it all in your selected workspace.

     If you already have an existing Log Analytics workspace, you might want to use the same workspace (requires read and write permissions on the workspace). This option is useful if you're using a centralized workspace in your organization and want to use it for security data collection. Learn more in Manage access to log data and workspaces in Azure Monitor.

     If your selected workspace already has a "Security" or "SecurityCenterFree" solution enabled, the pricing will be set automatically. If not, install a Defender for Cloud solution on the workspace:

     1. From Defender for Cloud's menu, open Environment settings.
     2. Select the workspace to which you'll be connecting the agents.
     3. Set Security posture management to on or select Enable all to turn all Microsoft Defender plans on.

5. From the Windows security events configuration, select the amount of raw event data to store:

   • None – Disable security event storage. (Default)
   • Minimal – A small set of events for when you want to minimize the event volume.
   • Common – A set of events that satisfies most customers and provides a full audit trail.
   • All events – For customers who want to make sure all events are stored.

   Tip

   To set these options at the workspace level, see Setting the security event option at the workspace level.

   For more information of these options, see Windows security event options for the Log Analytics agent.

   (Video) How to Enable Azure Defender and enable automatic installation of agents - Quick Tips to Get Started

6. Select Apply in the configuration pane.

7. To enable auto provisioning of an extension other than the Log Analytics agent:

   1. Toggle the status to On for the relevant extension.

      

   2. Select Save. The Azure Policy definition is assigned and a remediation task is created.

      Extension	Policy
      Policy Add-on for Kubernetes	Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
      Guest Configuration agent (preview)	Deploy prerequisites to enable Guest Configuration policies on virtual machines

8. Select Save. If a workspace needs to be provisioned, agent installation might take up to 25 minutes.

9. You'll be asked if you want to reconfigure monitored VMs that were previously connected to a default workspace:

   

   • No - your new workspace settings will only be applied to newly discovered VMs that don't have the Log Analytics agent installed.
   • Yes - your new workspace settings will apply to all VMs and every VM currently connected to a Defender for Cloud created workspace will be reconnected to the new target workspace.

   Note

   If you select Yes, don't delete the workspace(s) created by Defender for Cloud until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

   See Also

   Project Manager Resume ExamplesTop 25 Jobs for 30 Year OldsCoronavirus (COVID-19): advice for UK visa applicants and temporary UK residentsПовний огляд Plerdy 2023

Windows security event options for the Log Analytics agent

When you select a data collection tier in Microsoft Defender for Cloud, the security events of the selected tier are stored in your Log Analytics workspace so that you can investigate, search, and audit the events in your workspace. The Log Analytics agent also collects and analyzes the security events required for Defender for Cloud’s threat protection.

Requirements

The enhanced security protections of Defender for Cloud are required for storing Windows security event data. Learn more about the enhanced protection plans.

You maybe charged for storing data in Log Analytics. For more information, see the pricing page.

Information for Microsoft Sentinel users

Security events collection within the context of a single workspace can be configured from either Microsoft Defender for Cloud or Microsoft Sentinel, but not both. If you want to add Microsoft Sentinel to a workspace that already gets alerts from Microsoft Defender for Cloud and to collect Security Events, you can either:

• Leave the Security Events collection in Microsoft Defender for Cloud as is. You'll be able to query and analyze these events in both Microsoft Sentinel and Defender for Cloud. If you want to monitor the connector's connectivity status or change its configuration in Microsoft Sentinel, consider the second option.
• Disable Security Events collection in Microsoft Defender for Cloud and then add the Security Events connector in Microsoft Sentinel. You'll be able to query and analyze events in both Microsoft Sentinel, and Defender for Cloud, but you'll also be able to monitor the connector's connectivity status or change its configuration in - and only in - Microsoft Sentinel. To disable Security Events collection in Defender for Cloud, set Windows security events to None in the configuration of your Log Analytics agent.

What event types are stored for "Common" and "Minimal"?

The Common and Minimal event sets were designed to address typical scenarios based on customer and industry standards for the unfiltered frequency of each event and their usage.

• Minimal - This set is intended to cover only events that might indicate a successful breach and important events with low volume. Most of the data volume of this set is successful user logon (event ID 4625), failed user logon events (event ID 4624), and process creation events (event ID 4688). Sign out events are important for auditing only and have relatively high volume, so they aren't included in this event set.
• Common - This set is intended to provide a full user audit trail, including events with low volume. For example, this set contains both user logon events (event ID 4624) and user logoff events (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

Here's a complete breakdown of the Security and App Locker event IDs for each set:

Setting the security event option at the workspace level

You can define the level of security event data to store at the workspace level.

1. From Defender for Cloud's menu in the Azure portal, select Environment settings.

2. Select the relevant workspace. The only data collection events for a workspace are the Windows security events described on this page.

   

3. Select the amount of raw event data to store and select Save.

Manual agent provisioning

To manually install the Log Analytics agent:

1. Disable auto provisioning.

2. Optionally, create a workspace.

3. Enable Microsoft Defender for Cloud on the workspace on which you're installing the Log Analytics agent:

   1. From Defender for Cloud's menu, open Environment settings.

   2. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Defender for Cloud and that you have read/write permissions for the workspace.

   3. Select Microsoft Defender for Cloud on, and Save.

      Note

      If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing will be set automatically.

4. To deploy agents on new VMs using a Resource Manager template, install the Log Analytics agent:

   • Install the Log Analytics agent for Windows
   • Install the Log Analytics agent for Linux

5. To deploy agents on your existing VMs, follow the instructions in Collect data about Azure Virtual Machines (the section Collect event and performance data is optional).

6. To use PowerShell to deploy the agents, use the instructions from the virtual machines documentation:

   • For Windows machines
   • For Linux machines

Auto provisioning in cases of a pre-existing agent installation

The following use cases explain how auto provisioning works in cases when there's already an agent or extension installed.

• Log Analytics agent is installed on the machine, but not as an extension (Direct agent) - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension and might upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspaces and to the workspace configured in Defender for Cloud. (Multi-homing is supported on Windows machines.)

  If the Log Analytics is configured with a user workspace and not Defender for Cloud's default workspace, you'll need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

  (Video) How to Deploy Microsoft Defender for Cloud at Scale | Microsoft Defender for Cloud Webinar

  For Linux machines, Agent multi-homing isn't yet supported. If an existing agent installation is detected, the Log Analytics agent won't be auto provisioned.

  For existing machines on subscriptions onboarded to Defender for Cloud before 17 March 2019, when an existing agent will be detected, the Log Analytics agent extension won't be installed and the machine won't be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.

• System Center Operations Manager agent is installed on the machine - Defender for Cloud will install the Log Analytics agent extension side by side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, do not enable auto provisioning.

• A pre-existing VM extension is present:

  • When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
  • To see to which workspace the existing extension is sending data to, run the test to Validate connectivity with Microsoft Defender for Cloud. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
  • If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Microsoft Defender for Cloud to make sure your operating system is supported. For more information, see Existing log analytics customers.

Disable auto provisioning

When you disable auto provisioning, agents won't be provisioned on new VMs.

To turn off auto provisioning of an agent:

1. From Defender for Cloud's menu in the portal, select Environment settings.

2. Select the relevant subscription.

3. Select Auto provisioning.

4. Toggle the status to Off for the relevant agent.

   

5. Select Save. When auto provisioning is disabled, the default workspace configuration section isn't displayed:

   

Troubleshooting

• To identify monitoring agent network requirements, see Troubleshooting monitoring agent network requirements.
• To identify manual onboarding issues, see How to troubleshoot Operations Management Suite onboarding issues.

Next steps

This page explained how to enable auto provisioning for the Log Analytics agent and other Defender for Cloud extensions. It also described how to define a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection. Data storage in a new or existing Log Analytics workspace might incur more charges for data storage. For pricing details in your local currency or region, see the pricing page.