Remediate guest configuration recommendations

Note

The Log Analytics agent (also known as the Microsoft Monitoring Agent, MMA) is set to retire in November 2024. All Defender for Servers features that currently depend on it, including those described on this page, will be available through either Microsoft Defender for Endpoint integration or agentless scanning before the retirement date. For the roadmap of each feature that currently relies on the Log Analytics agent, see this announcement.

Defender for Cloud evaluates baseline misconfigurations on virtual machines (VMs) connected to your subscription. The evaluation assesses your VMs against predefined security baselines and identifies any deviations or misconfigurations that could pose a risk. By aligning your VMs with security best practices and organizational policies, you can maintain a robust and secure computing environment.

Machine information is collected through Azure Policy guest configuration, and the evaluation is based on Microsoft benchmarks that cover various compliance benchmarks and regulations, such as CIS and STIG. Azure Policy guest configuration enables the following policies on your subscription:

Note

If you remove these policies, you won't be able to access the benefits of the Azure Policy guest configuration extension.

Prerequisites

Important

Be aware that features of Azure Policy guest configuration that exist outside the Defender for Cloud portal, such as remediation and custom policies, aren't included with Defender for Cloud and are subject to Azure Policy guest configuration pricing. For more information, see the Azure Policy guest configuration pricing page.

Review and remediate guest configuration recommendations

Once Azure Policy guest configuration is onboarded to your subscription, Defender for Cloud starts evaluating your VMs against the security baselines. Depending on your environment, if misconfigurations are found, the following recommendations might appear on your recommendations page:

To review and remediate these:

  1. Sign in to the Azure portal.

  2. Navigate to Defender for Cloud > Recommendations.

  3. Search for and select one of the recommendations.

  4. Review the recommendation.

  5. Remediate the recommendation.

Note

During the deprecation process of the Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), you may receive duplicate recommendations for the same machine, because the MMA and Azure Policy guest configuration are both evaluating that machine. To avoid this, you can disable the MMA on the machine.

Query recommendations with API

Defender for Cloud uses Azure Resource Graph for both its API and portal queries of recommendation data. You can use the same Resource Graph tables to write your own queries and retrieve this information.

You can learn how to review recommendations in Azure Resource Graph.

Here are two sample queries you can use:

  • Query all unhealthy rules for a specific resource

    // Replace {machineId} with the full Azure resource ID of the VM.
    // =~ is used for the ID comparison because resource ID casing is not
    // consistent across Azure APIs; == would silently miss the machine.
    securityresources 
    | where type == "microsoft.security/assessments/subassessments" 
    | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) 
    | where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey == '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda' 
    | parse-where id with machineId:string '/providers/Microsoft.Security/' * 
    | where machineId =~ '{machineId}'
    // Keep only failing rules; without this filter the query returns healthy rules as well.
    | where tostring(properties.status.code) == 'Unhealthy'
    
  • All rules and the number of machines in each status (Healthy, Unhealthy, NotApplicable) for each rule

    securityresources 
    | where type == "microsoft.security/assessments/subassessments" 
    | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) 
    | where assessmentKey == '1f655fb7-63ca-4980-91a3-56dbc2b715c6' or assessmentKey ==  '8c3d9ad0-3639-4686-9cd2-2b2ab2609bda' 
    | parse-where id with * '/subassessments/' subAssessmentId:string 
    | parse-where id with machineId:string '/providers/Microsoft.Security/' * 
    | extend status = tostring(properties.status.code) 
    | summarize count() by subAssessmentId, status
    

You can learn how to create more in depth queries by learning more about Azure Resource Graph's query language.
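As an added example (not code from this page or from Microsoft), the following Python reproduces the logic of the two Resource Graph queries client-side, which is useful when you need to post-process results in a script or correlate them with other data. It shows the resource ID layout that the KQL `extract` and `parse-where` operators rely on: `<machine resource ID>/providers/Microsoft.Security/assessments/<assessmentKey>/subassessments/<subAssessmentId>`. The two assessment keys are the ones used in the queries above. The `run_query` helper for a live call uses the `azure-identity` and `azure-mgmt-resourcegraph` packages and is an assumption about how you would fetch the rows; the sample records, VM names, rule IDs and subscription ID are constructed for the demonstration.

```python
"""Client-side equivalent of the guest configuration Resource Graph queries."""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Assessment keys used by the queries on this page (guest configuration baselines).
BASELINE_ASSESSMENT_KEYS = {
    "1f655fb7-63ca-4980-91a3-56dbc2b715c6",
    "8c3d9ad0-3639-4686-9cd2-2b2ab2609bda",
}

# Mirrors the KQL: everything before '/providers/Microsoft.Security/' is the machine,
# then the assessment key, then the sub-assessment (rule) ID. Case-insensitive like (?i).
_SUBASSESSMENT_ID = re.compile(
    r"^(?P<machineId>.+?)/providers/Microsoft\.Security/assessments/"
    r"(?P<assessmentKey>[^/]+)/subassessments/(?P<subAssessmentId>[^/]+)$",
    re.IGNORECASE,
)


def parse_subassessment_id(resource_id: str) -> Optional[Dict[str, str]]:
    """Split a subassessment resource ID into machineId, assessmentKey, subAssessmentId."""
    m = _SUBASSESSMENT_ID.match(resource_id)
    if not m:
        return None
    parts = m.groupdict()
    parts["assessmentKey"] = parts["assessmentKey"].lower()
    return parts


def baseline_rows(rows: Iterable[dict]) -> Iterator[Dict[str, str]]:
    """Yield only guest configuration baseline subassessments, with status flattened."""
    for row in rows:
        if row.get("type", "").lower() != "microsoft.security/assessments/subassessments":
            continue
        parts = parse_subassessment_id(row.get("id", ""))
        if parts is None or parts["assessmentKey"] not in BASELINE_ASSESSMENT_KEYS:
            continue
        props = row.get("properties", {})
        yield {
            **parts,
            "status": str(props.get("status", {}).get("code", "")),
            "displayName": str(props.get("displayName", "")),
        }


def unhealthy_rules_for_machine(rows: Iterable[dict], machine_id: str) -> List[str]:
    """First query: failing rule IDs for one VM (case-insensitive ID match)."""
    wanted = machine_id.lower()
    return sorted(
        r["subAssessmentId"]
        for r in baseline_rows(rows)
        if r["machineId"].lower() == wanted and r["status"] == "Unhealthy"
    )


def machines_per_rule_and_status(rows: Iterable[dict]) -> Counter:
    """Second query: count of machines per (rule, status), e.g. ('rule-001', 'Unhealthy')."""
    return Counter((r["subAssessmentId"], r["status"]) for r in baseline_rows(rows))


def run_query(subscription_id: str, query: str) -> List[dict]:
    """Live fetch (assumption: azure-identity + azure-mgmt-resourcegraph installed).
    Returns the first page only; handle skip_token for >1000 rows."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resourcegraph import ResourceGraphClient
    from azure.mgmt.resourcegraph.models import QueryRequest

    client = ResourceGraphClient(DefaultAzureCredential())
    return client.resources(QueryRequest(subscriptions=[subscription_id], query=query)).data


# --- Constructed sample rows, shaped like securityresources subassessment records ---
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
_VM = _SUB + "/providers/Microsoft.Compute/virtualMachines/"
WEB01, WEB02, LIN01 = _VM + "web01", _VM + "web02", _VM + "lin01"
_WIN, _LNX = "1f655fb7-63ca-4980-91a3-56dbc2b715c6", "8c3d9ad0-3639-4686-9cd2-2b2ab2609bda"
_OTHER = "11111111-2222-3333-4444-555555555555"  # some non-baseline assessment, must be ignored


def _row(machine: str, key: str, rule: str, status: str) -> dict:
    return {
        "type": "microsoft.security/assessments/subassessments",
        "id": f"{machine}/providers/Microsoft.Security/assessments/{key}/subassessments/{rule}",
        "properties": {"displayName": f"Constructed baseline rule {rule}", "status": {"code": status}},
    }


SAMPLE_ROWS = [
    _row(WEB01, _WIN, "rule-001", "Unhealthy"),
    _row(WEB01, _WIN, "rule-002", "Healthy"),
    _row(WEB02, _WIN, "rule-001", "Unhealthy"),
    _row(WEB02, _WIN, "rule-002", "Unhealthy"),
    _row(LIN01, _LNX, "rule-101", "Unhealthy"),
    _row(LIN01, _LNX, "rule-102", "NotApplicable"),
    _row(WEB01, _OTHER, "rule-001", "Unhealthy"),
]

if __name__ == "__main__":
    print("web01 unhealthy:", unhealthy_rules_for_machine(SAMPLE_ROWS, WEB01))
    for (rule, status), n in sorted(machines_per_rule_and_status(SAMPLE_ROWS).items()):
        print(f"{rule:10} {status:14} {n}")
```

Replace `SAMPLE_ROWS` with the output of `run_query(subscription_id, query)` using the second query from the page (without its `summarize` line) to run this against a real subscription; the functions only need `type`, `id` and `properties.status.code` on each row.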

Next step