Remediate guest configuration recommendations
Note
As the Log Analytics agent (also known as MMA) is set to retire in November 2024, all Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning, before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see this announcement.
Defender for Cloud evaluates baselines misconfiguration for virtual machines (VMs) connected to your subscription. The evaluation assesses your VMs against predefined security baselines, identifying any deviations or misconfigurations that could pose potential risks. By aligning your VMs with security best practices and organizational policies, you can maintain a robust and secure computing environment.
Machine information is collected through the Azure Policy guest configuration and the evaluation is based on Microsoft benchmarks that cover various compliance benchmarks and regulations. For example, CIS, STIG, and more. Azure Policy guest configuration enables the following policies on your subscription:
Note
If you remove these policies you won't be able to access the benefits of the Azure Policy guest configuration extension.
Prerequisites
Review the Defender for Cloud pricing page to learn about Defender Servers Plan 2 pricing information.
Important
Be aware that additional features provided by Azure Policy guest configuration that exist outside of the Defender for Cloud portal aren't included with Defender for Cloud, and are subject to Azure Policy guest configurations pricing policies. For example remediation and custom policies. For more information, see the Azure Policy guest configuration pricing page.
Review the support matrix for the Azure Policy guest configuration.
Install the Azure Policy guest configuration on your machines:
Azure machines: In the Defender for Cloud portal, on the recommendations page, search for and select Guest Configuration extension should be installed on machines, and remediate the recommendation.
Azure VMs only You must Assign managed Identity in the Defender for Cloud portal. Navigate to the recommendations page. Search for and select Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity. Then remediate the recommendation.
(Optional) Azure VMs only: Enable Azure Policy guest configuration across your entire subscription.
Enable Azure Policy guest configuration extension on your Azure machines across your entire subscription:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Navigate to Environment settings > Your subscription > Settings & Monitoring.
Toggle the Guest Configuration agent (preview) to On.
Select Continue.
GCP and AWS: Azure Policy guest configuration is automatically installed when you connect your GCP project, or you connect your AWS accounts with Azure Arc autoprovisioning enabled, to Defender for Cloud.
On-premises machines: Azure Policy guest configuration is enabled by default when you onboard on-premises machines as Azure Arc enabled machine or VMs.
Review and remediate guest configuration recommendations
Once the Azure Policy guest configuration is onboarded to your subscription, Defender for Cloud starts evaluating your VMs against the security baselines. Based on your environments, if misconfigurations are found, the following recommendations might appear on your recommendations page:
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
To review and remediate these:
Sign in to the Azure portal.
Navigate to Defender for Cloud > Recommendations**.
Search for and select one of the recommendations.
Review the recommendation.
Note
During the deprecation process of the Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), you may receive duplicate recommendations for the same machine. This is due to the fact that the MMA and the Azure Policy guest configuration are both evaluating the same machine. To avoid this, you can disable the MMA on the machine.
Query recommendations with API
Defender for Cloud uses Azure Resource Graph for API, and portal queries, to query recommendation information. You can utilize these resources to create your own queries to retrieve information.
You can learn how to review recommendations in Azure Resource Graph.
Here are two sample queries you can use:
Query all unhealthy rules for a specific resource
Securityresources | where type == "microsoft.security/assessments/subassessments" | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) | where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey == '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda' | parse-where id with machineId:string '/providers/Microsoft.Security/' * | where machineId == '{machineId}'All Unhealthy Rules and the amount if Unhealthy machines for each
securityresources | where type == "microsoft.security/assessments/subassessments" | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) | where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey == '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda' | parse-where id with * '/subassessments/' subAssessmentId:string | parse-where id with machineId:string '/providers/Microsoft.Security/' * | extend status = tostring(properties.status.code) | summarize count() by subAssessmentId, status
You can learn how to create more in depth queries by learning more about Azure Resource Graph's query language.
Note
During the deprecation process of the Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), you may receive duplicate recommendations for the same machine. This is due to the fact that the MMA and the Azure Policy guest configuration are both evaluating the same machine. To avoid this, you can disable the MMA on the machine.