Defender For Cloud and "Azure Security Agent"

Anonymous
2023-04-26T17:27:47.2766667+00:00

Hi All,

we just switched on Defender for Cloud (using Azure Monitor Agent and a custom workspace) and configured auto-provisioning.

This has - as expected - create a policy initiative called "Custom Defender for Cloud provisioning Azure Monitor agent" with a whole bunch of policies. (The whole list is below my signature - there are also other policy initiatives for Kubernetes and SQL which I think are not relevant to this question)

I fully expected there to be policies to deploy AMA itself and also the various association rules.

However, I am really surprised by two things:

(1) What is the "Azure Security Agent" those policies want to install? Opening the policy definition it wants to install an extension of type "AzureSecurityWindowsAgent" from publisher "Microsoft.Azure.Security.Monitoring" I tried finding this in the MS Doc, but struggled to find anything.

(2) Why are there no policies to install the Qualys agent? We are on Plan 2 and have selected the Qualys agent (just double-checked) as our chosen Vulnerability Management Solution. I believe the type of that is Qualys.WindowsAgent.AzureSecurityCenter with name WindowsAgent.AzureSecurityCentre

Any input is greatly appreciated - in particular the first point bothers me a little - I would rather not have an unidentified piece of software running on my machines!

Kind Regards

Jens

[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual MachinesDeployIfNotExistsCompliant00[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection RuleDeployIfNotExistsCompliant00[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00Configure Linux Arc-enabled machines to run Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Configure supported Windows machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authenticationDeployIfNotExistsCompliant00Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authenticationDeployIfNotExistsCompliant00Configure Windows Arc-enabled machines to run Azure Monitor AgentDeployIfNotExistsCompliant00[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agentDeployIfNotExistsCompliant00[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection RuleDeployIfNotExistsCompliant00[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor AgentDeployIfNotExists

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
816 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,232 questions
{count} votes

Accepted answer
  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2023-04-27T11:01:59.6066667+00:00

    The policy installs the agent as an extension on the VM or Arc system. See the Extensions section on the VM/Arc dashboard/blade. I think Qualys is now the secondary option. MDFC uses MDE's assessment engine. You can still choose Qualys in the settings. I would expect this triggers a similar policy and extension.


1 additional answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more