Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Microsoft Defender for Cloud collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to ensure your resources have the necessary agents and extensions used by Defender for Cloud.

Prerequisites

To get started with Defender for Cloud, you must have a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a free account.

Availability

Aspect Details
Release state: Feature: Auto provisioning is generally available (GA)
Agent and extensions: Log Analytics agent for Azure VMs is GA, Microsoft Dependency agent is in preview, Policy Add-on for Kubernetes is GA, Guest Configuration agent is preview
Pricing: Free
Supported destinations: Azure machines
Azure Arc machines
Kubernetes nodes
Virtual Machine Scale Sets
Clouds: Feature:
Commercial clouds
Azure Government, Azure China 21Vianet
Agent and extensions:
Log Analytics agent for Azure VMs is available on all clouds, Policy Add-on for Kubernetes is available on all clouds, Guest Configuration agent is only available on commercial clouds

How does Defender for Cloud collect data?

Defender for Cloud collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, virtual machine scale sets, IaaS containers, and non-Azure computers.

You can benefit from Microsoft Defender for Cloud even if you don’t provision agents. However, you'll have limited security and the capabilities listed above aren't supported.

Data is collected using:

  • The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.
  • Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Defender for Cloud regarding specialized resource types.

Tip

As Defender for Cloud has grown, the types of resources that can be monitored has also grown. The number of extensions has also grown. Auto provisioning has expanded to support additional resource types by leveraging the capabilities of Azure Policy.

Why use auto provisioning?

Any of the agents and extensions described on this page can be installed manually (see Manual installation of the Log Analytics agent). However, auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources.

We recommend enabling auto provisioning, but it's disabled by default.

How does auto provisioning work?

Defender for Cloud's auto provisioning settings have a toggle for each type of supported extension. When you enable auto provisioning of an extension, you assign the appropriate Deploy if not exists policy. This policy type ensures the extension is provisioned on all existing and future resources of that type.

Tip

Learn more about Azure Policy effects including deploy if not exists in Understand Azure Policy effects.

Enable auto provisioning of the Log Analytics agent and extensions

When automatic provisioning is on for the Log Analytics agent, Defender for Cloud deploys the agent on all supported Azure VMs and any new ones created. For the list of supported platforms, see Supported platforms in Microsoft Defender for Cloud.

To enable auto provisioning of the Log Analytics agent:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription.

  3. In the Auto provisioning page, set the status of auto provisioning for the Log Analytics agent to On.

    Enabling auto provisioning of the Log Analytics agent.

  4. From the configuration options pane, define the workspace to use.

    Configuration options for auto provisioning Log Analytics agents to VMs.

    • Connect Azure VMs to the default workspace(s) created by Defender for Cloud - Defender for Cloud creates a new resource group and default workspace in the same geolocation, and connects the agent to that workspace. If a subscription contains VMs from multiple geolocations, Defender for Cloud creates multiple workspaces to ensure compliance with data privacy requirements.

      The naming convention for the workspace and resource group is:

      • Workspace: DefaultWorkspace-[subscription-ID]-[geo]
      • Resource Group: DefaultResourceGroup-[geo]

      A Defender for Cloud solution is automatically enabled on the workspace per the pricing tier set for the subscription.

    • Connect Azure VMs to a different workspace - From the dropdown list, select the workspace to store collected data. The dropdown list includes all workspaces across all of your subscriptions. You can use this option to collect data from virtual machines running in different subscriptions and store it all in your selected workspace.

      If you already have an existing Log Analytics workspace, you might want to use the same workspace (requires read and write permissions on the workspace). This option is useful if you're using a centralized workspace in your organization and want to use it for security data collection. Learn more in Manage access to log data and workspaces in Azure Monitor.

      If your selected workspace already has a "Security" or "SecurityCenterFree" solution enabled, the pricing will be set automatically. If not, install a Defender for Cloud solution on the workspace:

      1. From Defender for Cloud's menu, open Environment settings.
      2. Select the workspace to which you'll be connecting the agents.
      3. Select Enhanced security off or Enable all Microsoft Defender plans.
  5. From the Windows security events configuration, select the amount of raw event data to store:

    • None – Disable security event storage. This is the default setting.
    • Minimal – A small set of events for when you want to minimize the event volume.
    • Common – A set of events that satisfies most customers and provides a full audit trail.
    • All events – For customers who want to make sure all events are stored.

    Tip

    To set these options at the workspace level, see Setting the security event option at the workspace level.

    For more information of these options, see Windows security event options for the Log Analytics agent.

  6. Select Apply in the configuration pane.

  7. To enable automatic provisioning of an extension other than the Log Analytics agent:

    1. If you're enabling auto provisioning for the Microsoft Dependency agent, ensure the Log Analytics agent is set to auto deploy.

    2. Toggle the status to On for the relevant extension.

      Toggle to enable auto provisioning for K8s policy add-on.

    3. Select Save. The Azure Policy definition is assigned and a remediation task is created.

      Extension Policy
      Policy Add-on for Kubernetes Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
      Microsoft Dependency agent (preview) (Windows VMs) Deploy Dependency agent for Windows virtual machines
      Microsoft Dependency agent (preview) (Linux VMs) Deploy Dependency agent for Linux virtual machines
      Guest Configuration agent (preview) Deploy prerequisites to enable Guest Configuration policies on virtual machines
  8. Select Save. If a workspace needs to be provisioned, agent installation might take up to 25 minutes.

  9. You'll be asked if you want to reconfigure monitored VMs that were previously connected to a default workspace:

    Review options to reconfigure monitored VMs.

    • No - your new workspace settings will only be applied to newly discovered VMs that don't have the Log Analytics agent installed.
    • Yes - your new workspace settings will apply to all VMs and every VM currently connected to a Defender for Cloud created workspace will be reconnected to the new target workspace.

    Note

    If you select Yes, don't delete the workspace(s) created by Defender for Cloud until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

Windows security event options for the Log Analytics agent

Selecting a data collection tier in Microsoft Defender for Cloud only affects the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Defender for Cloud’s threat protection, regardless of the level of security events you choose to store in your workspace. Choosing to store security events enables investigation, search, and auditing of those events in your workspace.

Requirements

The enhanced security protections of Defender for Cloud are required for storing Windows security event data. Learn more about the enhanced protection plans.

Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

Information for Microsoft Sentinel users

Users of Microsoft Sentinel: note that security events collection within the context of a single workspace can be configured from either Microsoft Defender for Cloud or Microsoft Sentinel, but not both. If you're planning to add Microsoft Sentinel to a workspace that is already getting alerts from Microsoft Defender for Cloud, and is set to collect Security Events, you have two options:

  • Leave the Security Events collection in Microsoft Defender for Cloud as is. You will be able to query and analyze these events in Microsoft Sentinel as well as in Defender for Cloud. You will not, however, be able to monitor the connector's connectivity status or change its configuration in Microsoft Sentinel. If this is important to you, consider the second option.
  • Disable Security Events collection in Microsoft Defender for Cloud (by setting Windows security events to None in the configuration of your Log Analytics agent). Then add the Security Events connector in Microsoft Sentinel. As with the first option, you will be able to query and analyze events in both Microsoft Sentinel and Defender for Cloud, but you will now be able to monitor the connector's connectivity status or change its configuration in - and only in - Microsoft Sentinel.

What event types are stored for "Common" and "Minimal"?

These sets were designed to address typical scenarios. Make sure to evaluate which one fits your needs before implementing it.

To determine the events for the Common and Minimal options, we worked with customers and industry standards to learn about the unfiltered frequency of each event and their usage. We used the following guidelines in this process:

  • Minimal - Make sure that this set covers only events that might indicate a successful breach and important events that have a very low volume. For example, this set contains user successful and failed login (event IDs 4624, 4625), but it doesn’t contain sign out which is important for auditing but not meaningful for detection and has relatively high volume. Most of the data volume of this set is the login events and process creation event (event ID 4688).
  • Common - Provide a full user audit trail in this set. For example, this set contains both user logins and user sign outs (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

Events that have very low volume were included in the common set as the main motivation to choose it over all the events is to reduce the volume and not to filter out specific events.

Here is a complete breakdown of the Security and App Locker event IDs for each set:

Data tier Collected event indicators
Minimal 1102,4624,4625,4657,4663,4688,4700,4702,4719,4720,4722,4723,4724,4727,4728,4732,4735,4737,4739,4740,4754,4755,
4756,4767,4799,4825,4946,4948,4956,5024,5033,8001,8002,8003,8004,8005,8006,8007,8222
Common 1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,4614,4622,
4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,4673,4674,4675,4689,4697,
4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,4726,4727,4728,4729,4733,4732,4735,4737,
4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,
4774,4778,4779,4781,4793,4797,4798,4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,
4904,4905,4907,4931,4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,
6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004

Note

  • If you are using Group Policy Object (GPO), it is recommended that you enable audit policies Process Creation Event 4688 and the CommandLine field inside event 4688. For more information about Process Creation Event 4688, see Defender for Cloud's FAQ. For more information about these audit policies, see Audit Policy Recommendations.
  • To enable data collection for Adaptive Application Controls, Defender for Cloud configures a local AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to generate events which are then collected and leveraged by Defender for Cloud. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy.
  • To collect Windows Filtering Platform Event ID 5156, you need to enable Audit Filtering Platform Connection (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable)

Setting the security event option at the workspace level

You can define the level of security event data to store at the workspace level.

  1. From Defender for Cloud's menu in the Azure portal, select Environment settings.

  2. Select the relevant workspace. The only data collection events for a workspace are the Windows security events described on this page.

    Setting the security event data to store in a workspace.

  3. Select the amount of raw event data to store and select Save.

Manual agent provisioning

To manually install the Log Analytics agent:

  1. Disable auto provisioning.

  2. Optionally, create a workspace.

  3. Enable Microsoft Defender for Cloud on the workspace on which you're installing the Log Analytics agent:

    1. From Defender for Cloud's menu, open Environment settings.

    2. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Defender for Cloud and that you have read/write permissions for the workspace.

    3. Select Microsoft Defender for Cloud on, and Save.

      Note

      If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing will be set automatically.

  4. To deploy agents on new VMs using a Resource Manager template, install the Log Analytics agent:

  5. To deploy agents on your existing VMs, follow the instructions in Collect data about Azure Virtual Machines (the section Collect event and performance data is optional).

  6. To use PowerShell to deploy the agents, use the instructions from the virtual machines documentation:

Tip

For more information about onboarding, see Automate onboarding of Microsoft Defender for Cloud using PowerShell.

Automatic provisioning in cases of a pre-existing agent installation

The following use cases specify how automatic provision works in cases when there is already an agent or extension installed.

  • Log Analytics agent is installed on the machine, but not as an extension (Direct agent) - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension, and might upgrade the Log Analytics agent to the latest version. The agent installed will continue to report to its already configured workspace(s), and additionally will report to the workspace configured in Defender for Cloud (Multi-homing is supported on Windows machines).

    If the configured workspace is a user workspace (not Defender for Cloud's default workspace), then you will need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

    For Linux machines, Agent multi-homing is not yet supported - hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.

    For existing machines on subscriptions onboarded to Defender for Cloud before 17 March 2019, when an existing agent will be detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.

  • System Center Operations Manager agent is installed on the machine - Defender for Cloud will install the Log Analytics agent extension side by side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, do not enable automatic provisioning.

  • A pre-existing VM extension is present:

    • When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud does not override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
    • To see to which workspace the existing extension is sending data to, run the test to Validate connectivity with Microsoft Defender for Cloud. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
    • If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Microsoft Defender for Cloud to make sure your operating system is supported. For more information, see Existing log analytics customers.

Disable auto provisioning

When you disable auto provisioning, agents will not be provisioned on new VMs.

To turn off automatic provisioning of an agent:

  1. From Defender for Cloud's menu in the portal, select Environment settings.

  2. Select the relevant subscription.

  3. Select Auto provisioning.

  4. Toggle the status to Off for the relevant agent.

    Toggles to disable auto provisioning per agent type.

  5. Select Save. When auto provisioning is disabled, the default workspace configuration section is not displayed:

    When auto provisioning is disabled, the configuration cell is empty

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see How do I remove OMS extensions installed by Defender for Cloud.

Troubleshooting

Next steps

This page explained how to enable auto provisioning for the Log Analytics agent and other Defender for Cloud extensions. It also described how to define a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection. Storing data in Log Analytics, whether you use a new or existing workspace, might incur more charges for data storage. For pricing details in your local currency or region, see the pricing page.