Merge pull request #207007 from bmansheim/auto-provision-azure-monitor-agent

Deploy Azure Monitor agent using auto provisioning

Author: ttorble

articles/defender-for-cloud/TOC.yml

@@ -211,6 +211,8 @@
     - name: Apply Azure security baselines
       displayName: VM, guest configuration, vulnerabilities, ASB, benchmark
       href: apply-security-baseline.md
+    - name: Deploy the Azure Monitor agent
+      href: auto-deploy-azure-monitoring-agent.md
     - name: Vulnerability assessments
       items:
       - name: Find vulnerabilities with threat and vulnerability management

articles/defender-for-cloud/auto-deploy-azure-monitoring-agent.md

@@ -0,0 +1,127 @@
+---
+title: Deploy the Azure Monitor Agent with auto provisioning
+description: Learn how to deploy the Azure Monitor Agent on your Azure, multicloud, and on-premises servers with auto provisioning to support Microsoft Defender for Cloud protections.
+author: bmansheim
+ms.author: benmansheim
+ms.topic: how-to
+ms.date: 08/03/2022
+ms.custom: template-how-to
+---
+
+# Auto provision the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud
+
+To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis. You can use auto provisioning to quietly deploy the Azure Monitor Agent on your servers.
+
+In this article, we're going to show you how to use auto provisioning to deploy the agent so that you can protect your servers.
+
+## Availability
+
+[!INCLUDE [azure-monitor-agent-availability](includes/azure-monitor-agent-availability.md)]
+
+## Prerequisites
+
+Before you enable auto provisioning, you must have the following prerequisites:
+
+- Make sure your multicloud and on-premises machines have Azure Arc installed.
+  - AWS and GCP machines
+    - [Onboard your AWS connector](quickstart-onboard-aws.md) and auto provision Azure Arc.
+    - [Onboard your GCP connector](quickstart-onboard-gcp.md) and auto provision Azure Arc.
+  - Other clouds and on-premises machines
+    - [Install Azure Arc](/azure/azure-arc/servers/learn/quick-enable-hybrid-vm.md).
+- Make sure the Defender plans that you want the Azure Monitor Agent to support are enabled:
+  - [Enable Defender for Servers Plan 2 on Azure and on-premises VMs](enable-enhanced-security.md)
+  - [Enable Defender plans on the subscriptions for your AWS VMs](quickstart-onboard-aws.md)
+  - [Enable Defender plans on the subscriptions for your GCP VMs](quickstart-onboard-gcp.md)
+
+## Deploy the Azure Monitor Agent with auto provisioning
+
+To deploy the Azure Monitor Agent with auto provisioning:
+
+1. From Defender for Cloud's menu, open **Environment settings**.
+1. Select the relevant subscription.
+1. Open the **Auto provisioning** page.
+
+    :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/select-auto-provisioning.png" alt-text="Screenshot of the auto provisioning menu item for enabling the Azure Monitor Agent.":::
+
+1. Enable deployment of the Azure Monitor Agent:
+
+    1. For the **Log Analytics agent/Azure Monitor Agent**, select the **On** status.
+
+        In the Configuration column, you can see the enabled agent type. When you enable auto provisioning, Defender for Cloud decides which agent to provision based on your environment. In most cases, the default is the Log Analytics agent.
+
+        :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/turn-on-azure-monitor-agent-auto-provision.png" alt-text="Screenshot of the auto provisioning page for enabling the Azure Monitor Agent." lightbox="media/auto-deploy-azure-monitoring-agent/turn-on-azure-monitor-agent-auto-provision.png":::
+
+    1. For the **Log Analytics agent/Azure Monitor Agent**, select **Edit configuration**.
+
+        :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/configure-azure-monitor-agent-auto-provision.png " alt-text="Screenshot of editing the Azure Monitor Agent configuration." lightbox="media/auto-deploy-azure-monitoring-agent/configure-azure-monitor-agent-auto-provision.png":::
+
+    1. For the Auto-provisioning configuration agent type, select **Azure Monitor Agent**.
+
+        :::image type="content" source="./media/auto-deploy-azure-monitoring-agent/select-azure-monitor-agent-auto-provision.png" alt-text="Screenshot of selecting the Azure Monitor Agent." lightbox="media/auto-deploy-azure-monitoring-agent/select-azure-monitor-agent-auto-provision.png":::
+
+    By default:
+
+    - The Azure Monitor Agent is installed on all existing machines in the selected subscription, and on all new machines created in the subscription.
+    - The Log Analytics agent isn't uninstalled from machines that already have it installed. You can [leave the Log Analytics agent](#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) on the machine, or you can manually [remove the Log Analytics agent](/azure/azure-monitor/agents/azure-monitor-agent-migration.md) if you don't require it for other protections.
+    - The agent sends data to the default workspace for the subscription. You can also [configure a custom workspace](#configure-custom-destination-log-analytics-workspace) to send data to.
+    - You can't enable [collection of additional security events](#additional-security-events-collection).
+
+## Impact of running with both the Log Analytics and Azure Monitor Agents
+
+You can run both the Log Analytics and Azure Monitor Agents on the same machine, but you should be aware of these considerations:
+
+- Certain recommendations or alerts are reported by both agents and appear twice in Defender for Cloud.
+- Each machine is billed once in Defender for Cloud, but make sure you track billing of other services connected to the Log Analytics and Azure Monitor, such as the Log Analytics workspace data ingestion.
+- Both agents have performance impact on the machine.
+
+When you enable auto provisioning, Defender for Cloud decides which agent to provision. In most cases, the default is the Log Analytics agent.
+
+Learn more about [migrating to the Azure Monitor Agent](/azure/azure-monitor/agents/azure-monitor-agent-migration.md).
+
+## Custom configurations
+
+### Configure custom destination Log Analytics workspace
+
+When you install the Azure Monitor Agent with auto-provisioning, you can define the destination workspace of the installed extensions. By default, the destination is the “default workspace” that Defender for Cloud creates for each region in the subscription: `defaultWorkspace-<subscriptionId>-<regionShortName>`. Defender for Cloud automatically configures the data collection rules, workspace solution, and additional extensions for that workspace.
+
+If you configure a custom Log Analytics workspace:
+
+- Defender for Cloud only configures the data collection rules and additional extensions for the custom workspace. You'll have to configure the workspace solution on the custom workspace.
+- Machines with Log Analytics agent that report to a Log Analytics workspace with the security solution are billed even when the Defender for Servers plan isn't enabled. Machines with the Azure Monitor Agent are billed only when the plan is enabled on the subscription. The security solution is still required on the workspace to work with the plans features and to be eligible for the 500-MB benefit.
+
+To configure a custom destination workspace for the Azure Monitor Agent:
+
+1. From Defender for Cloud's menu, open **Environment settings**.
+1. Select the relevant subscription.
+1. Open the **Auto provisioning** page.
+1. For the **Log Analytics agent/Azure Monitor Agent**, select **Edit configuration**.
+1. Select **Custom workspace**, and select the workspace that you want to send data to.
+
+### Log analytics workspace solutions
+
+The Azure Monitor Agent requires Log analytics workspace solutions. These solutions are automatically installed when you auto-provision the Azure Monitor Agent with the default workspace. 
+
+The required [Log Analytics workspace solutions](/azure/azure-monitor/insights/solutions.md) for the data that you're collecting are:
+
+  - Security posture management (CSPM) – **SecurityCenterFree solution**
+  - Defender for Servers Plan 2 – **Security solution**
+
+### Additional extensions for Defender for Cloud
+
+The Azure Monitor Agent requires additional extensions. The ASA extension, which supports endpoint protection recommendations and fileless attack detection, is automatically installed when you auto-provision the Azure Monitor Agent.
+
+### Additional security events collection
+
+When you auto-provision the Log Analytics agent in Defender for Cloud, you can choose to collect additional security events to the workspace. When you auto-provision the Log Analytics agent in Defender for Cloud, the option to collect additional security events to the workspace isn't available. Defender for Cloud doesn't rely on these security events, but they can be helpful for investigations through Microsoft Sentinel.
+
+If you want to collect security events when you auto-provision the Azure Monitor Agent, you can create a [Data Collection Rule](/azure-monitor/essentials/data-collection-rule-overview.md) to collect the required events.
+
+Like for Log Analytics workspaces, Defender for Cloud users are eligible for [500-MB of free data](enhanced-security-features-overview.md#faq---pricing-and-billing) daily on defined data types that include security events.
+
+## Next steps
+
+Now that you enabled the Azure Monitor Agent, check out the features that are supported by the agent:
+
+- [Endpoint protection assessment](endpoint-protection-recommendations-technical.md)
+- [Adaptive application controls](adaptive-application-controls.md)
+- [Fileless attack detection](defender-for-servers-introduction.md#plan-features)

articles/defender-for-cloud/enable-data-collection.md

@@ -1,18 +1,19 @@
 ---
 title: Configure auto provisioning of agents for Microsoft Defender for Cloud
 description: This article describes how to set up auto provisioning of the Log Analytics agent and other agents and extensions used by Microsoft Defender for Cloud
+author: bmansheim
+ms.author: benmansheim
 ms.topic: quickstart
-ms.date: 07/06/2022
+ms.date: 08/14/2022
 ms.custom: mode-other
 ---
 # Quickstart: Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
 
 Microsoft Defender for Cloud collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to auto-provision the necessary agents and extensions used by Defender for Cloud to your resources.
 
-:::image type="content" source="media/enable-data-collection/auto-provisioning-list-of-extensions.png" alt-text="Screenshot of Microsoft Defender for Cloud's extensions that can be auto provisioned.":::
+When you enable auto provisioning of any of the supported extensions, the extensions are installed on existing and future machines in the subscription. When you **disable** auto provisioning for an extension, the extension is not installed on future machines, but it is also not uninstalled from existing machines.
 
-> [!NOTE]
-> When you enable auto provisioning of any of the supported extensions, you'll potentially impact *existing* and *future* machines. But when you **disable** auto provisioning for an extension, you'll only affect the *future* machines: nothing is uninstalled by disabling auto provisioning. 
+:::image type="content" source="media/enable-data-collection/auto-provisioning-list-of-extensions.png" alt-text="Screenshot of Microsoft Defender for Cloud's extensions that can be auto provisioned.":::
 
 ## Prerequisites
 
@@ -44,6 +45,12 @@ This table shows the availability details for the auto provisioning **feature**
 | Policy-based:                                        | :::image type="icon" source="./media/icons/no-icon.png"::: No                                                                                                                       | :::image type="icon" source="./media/icons/yes-icon.png"::: Yes                                                                                                                    |
 | Clouds:                                              | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government, Azure China 21Vianet | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Azure China 21Vianet |
 
+### [**Azure Monitor Agent**](#tab/autoprovision-ama)
+
+[!INCLUDE [azure-monitor-agent-availability](includes/azure-monitor-agent-availability.md)]
+
+Learn more about [using the Azure Monitor Agent with Defender for Cloud](auto-deploy-azure-monitoring-agent.md).
+
 ### [**Vulnerability assessment**](#tab/autoprovision-va)
 
 | Aspect                                               | Details                                                                                                                                                                            |
@@ -94,8 +101,7 @@ By default, auto provisioning is enabled when you enable Defender for Containers
 
 ---
 
-> [!TIP]
-> For items marked in preview: [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
+[!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
 
 ## How does Defender for Cloud collect data?
 
@@ -110,9 +116,6 @@ Data is collected using:
 - The **Log Analytics agent**, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.
 - **Security extensions**, such as the [Azure Policy Add-on for Kubernetes](../governance/policy/concepts/policy-for-kubernetes.md), which can also provide data to Defender for Cloud regarding specialized resource types.
 
-> [!TIP]
-> As Defender for Cloud has grown, the types of resources that can be monitored has also grown. The number of extensions has also grown. Auto provisioning has expanded to support additional resource types by leveraging the capabilities of Azure Policy.
-
 ## Why use auto provisioning?
 
 Any of the agents and extensions described on this page *can* be installed manually (see [Manual installation of the Log Analytics agent](#manual-agent)). However, **auto provisioning** reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources. 

articles/defender-for-cloud/includes/azure-monitor-agent-availability.md

@@ -0,0 +1,15 @@
+---
+author: bmansheim
+ms.author: benmansheim
+ms.service: defender-for-cloud
+ms.topic: include
+ms.date: 08/14/2022
+---
+
+| Aspect                                               | Details                                                                                                                                                         |
+|------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Release state:                                       | Preview                                                                                                                                                                            |
+| Relevant Defender plan:                              | - For [Endpoint protection assessment](../endpoint-protection-recommendations-technical.md): [Security posture management (CSPM)](../overview-page.md) (Free and enabled by default)<br>- For [Adaptive application controls](../adaptive-application-controls.md): [Defender for Servers Plan 2](../defender-for-servers-introduction.md)<br>- For [File Integrity Monitoring](../file-integrity-monitoring-overview.md): [Defender for Servers Plan 2](../defender-for-servers-introduction.md)<br>- For [Fileless attack detection](../defender-for-servers-introduction.md#plan-features): [Defender for Servers Plan 2](../defender-for-servers-introduction.md)                                                                                                         |
+| Supported destinations:                              | :::image type="icon" source="../media/icons/yes-icon.png"::: Azure virtual machines<br> :::image type="icon" source="../media/icons/yes-icon.png"::: Azure Arc-enabled machines                                                                                             |
+| Policy-based:                                        | :::image type="icon" source="../media/icons/no-icon.png"::: No                                                                                                                       |
+| Clouds:                                              | :::image type="icon" source="../media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="../media/icons/no-icon.png"::: Azure Government, Azure China 21Vianet |