To collect events in Azure Sentinel from VMs and servers, we use the Microsoft Monitoring Agent. The MMA supports both Windows and Linux operating systems independently of where they run: on-premise...
I wish you all are in the pinkest of health. Let me first take this opportunity to thank you for putting great guiding documentation and knowledge articles here as well as on LinkedIn. I'm commenting to highlight some things which would make onboarding faster, given all the prerequisites are called out properly.
Below are the issues I faced while onboarding a GCP project and connecting it to Azure Arc. Please guide me if I can submit these updates for the article mentioned below.
1. Finding one - Unique ID not needed to be updated in Microsoft Defender for Cloud -
In the link below, a point is mentioned where it directs you to add the "unique numeric ID presented at the end of the Cloud Shell script" back in the Environment settings on Azure Arc.
Fix - In case you have followed the documentation word for word and committed this change, undo it; or, if you've encountered this comment first, skip that manual step. It is not a required step, and the script generated from the selected settings in the Azure portal while adding the GCP project in Environment settings is enough to do the needed configuration automatically in terms of Service Account name and ID.
https://learn.microsoft.com/en-gb/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings#configure-the-servers-plan
2. Finding two on GCP side - Service account missing on resources -
Although most of the prerequisites are mentioned, e.g. (I) the OSConfig Agent API should be pre-enabled; (II) metatags should be set to true for the onboarded GCP project.
Issue - The service account name: I did not find this one, and it was what was causing the issue. After observing, we found that the service account under "API and identity management" of the server was not added.
Fix - To make sure the resources in the onboarded GCP project reflect in Azure Arc, it is necessary to tag those resources to a Service account ID in the GCP portal. To add it, stop the server first and use the details mentioned in image 1 (this will be custom to your own GCP project) in image 2 under API & Identity management. It can take up to several hours for the changes to reflect on the Azure Arc portal.
Image 1
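A preflight check for the two GCP-side prerequisites the comment above found missing (an attached service account and the OS Config metadata flag), as an added example and not code from the original post or from Microsoft. It assumes the input is the JSON that `gcloud compute instances describe NAME --zone ZONE --format=json` prints, and it assumes the metadata key is `enable-osconfig`, which the post does not name.

```python
"""Preflight check for a GCE instance before onboarding it to Azure Arc
through Defender for Cloud. Added example; not from the original post."""
import json

# Metadata key that enables the OS Config agent on a VM (assumed here; the
# post only says the "metatag" must be set to true).
OSCONFIG_METADATA_KEY = "enable-osconfig"


def check_instance(instance, project_metadata=None):
    """Return a list of human-readable findings; an empty list means ready."""
    findings = []
    name = instance.get("name", "<unknown>")

    # Finding two from the post: no service account attached to the VM.
    accounts = instance.get("serviceAccounts") or []
    if not any(sa.get("email") for sa in accounts):
        findings.append(f"{name}: no service account attached; stop the VM "
                        "and attach one under 'API and identity management'")

    # OS Config can be enabled per instance or inherited from project metadata.
    items = instance.get("metadata", {}).get("items", [])
    md = {i.get("key"): str(i.get("value", "")).upper() for i in items}
    pm = {k: str(v).upper() for k, v in (project_metadata or {}).items()}
    effective = md.get(OSCONFIG_METADATA_KEY, pm.get(OSCONFIG_METADATA_KEY))
    if effective != "TRUE":
        findings.append(f"{name}: metadata {OSCONFIG_METADATA_KEY} is not TRUE "
                        f"(got {effective!r})")

    # The agent only reports inventory while the VM is running.
    if instance.get("status") != "RUNNING":
        findings.append(f"{name}: status is {instance.get('status')}, not RUNNING")
    return findings


# Constructed sample mirroring the post's failure: OS Config is enabled,
# but no service account is attached to the instance.
SAMPLE_INSTANCE = json.loads("""{
  "name": "web-1", "status": "RUNNING",
  "metadata": {"items": [{"key": "enable-osconfig", "value": "TRUE"}]},
  "serviceAccounts": []
}""")

if __name__ == "__main__":
    for finding in check_instance(SAMPLE_INSTANCE):
        print(finding)
```

Run it against each instance in the project before expecting it to appear in Azure Arc; an empty result means the GCP-side prerequisites the comment lists are in place.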