Identify Azure VMs which are not monitored by Security Center
Published Jul 02 2019 03:03 AM
Microsoft

And use an input file to onboard them to Security Center automatically

The link for the scripts used in this blog can be found at the end of the blog.

 

Looking to increase your Secure Score? Look here.

 

Security Center offers a couple of options to have your Virtual Machines (VMs) in Azure automatically protected. This provides great benefits by protecting your resources against threats and helps you get more secure in a fast and efficient way.

To safeguard your VMs, Security Center requires the installation of the Microsoft Monitoring Agent (MMA). The easiest way to have that done automatically is to enable Auto Provisioning:

 

[Image: autoprovision.png]

This installs the MMA automatically on all VMs in your subscription.

 

Another great option is to assign a built-in Azure Policy, which also installs the MMA when a VM is created and can take care of remediation in case someone has removed the MMA:

[Image: policyDefinition.png]

VMs which don’t have the MMA installed are flagged by Azure Policy as non-compliant.

 

Are you not using the automatic MMA installation options?

There might be exceptions for which you don’t want the MMA automatically installed in your subscription. Although you can define a scope and exceptions in Azure Policy, it is not meant to change frequently, since you must update the Azure Policy assignment to reflect the change.

If for whatever reason you have chosen not to use automatic installation of the MMA, then you will want to know whether your resources are properly protected (and you should!). The challenge is how to get insight into the VMs that are not protected. Security Center offers you recommendations, and one of those is to install the MMA:

 

[Image: mma_recommendation.png]

Clicking on the recommendation reveals which VMs are not protected.

 

Using PowerShell to retrieve a list of all unprotected VMs

Another option to get insight into which VMs are not protected by Security Center is to use PowerShell.

This lets you automate not only the creation of such a list, but also the bulk installation of the MMA on the VMs that you identify.

 

First, let’s get a list of VMs which are not protected by Security Center:

[Image: getVMs.png]

The script creates an output CSV file, which you can import into Excel to get filtering capabilities for every column. You can filter on subscriptions, on resource groups, and on whether the MMA extension has been installed:

[Image: outputFile.png]

Automatically install the MMA VM Extension based on an input file

Now that you have insight into which VMs are not protected by Security Center, you can create an input file which only contains the VMs that you want the MMA to be installed on. Keep the headers as they are and just copy your filtered view into a new CSV file, like this:

[Image: inputFile.png]

Now run the second script which will take your input CSV file:

[Image: installingMMA.png]

With these two scripts you can pick and choose which VMs you want to protect with Security Center in case you cannot use the automatic agent installation capabilities.
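The two steps above can be sketched as follows. This is an added example, not the scripts from this blog: the function names, the CSV column names and the extension handler versions are assumptions, and the workspace ID and key are those of the Log Analytics workspace the agent should report to.

```powershell
# Added example, not the blog's scripts. Needs Az.Accounts + Az.Compute and Connect-AzAccount.
# CSV column names and function names are assumptions made for this example.
$MmaPublisher = 'Microsoft.EnterpriseCloud.Monitoring'
$MmaAgent = @{   # OS type -> extension type and handler version (versions are assumptions)
    Windows = @{ Type = 'MicrosoftMonitoringAgent'; Version = '1.0' }
    Linux   = @{ Type = 'OmsAgentForLinux';         Version = '1.13' }
}

function Export-VmMmaInventory {
    param([Parameter(Mandatory)][string]$OutputCsv)
    $rows = foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        foreach ($vm in Get-AzVM) {
            # The agent counts as installed when an extension from the MMA publisher exists
            $mma = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
                Where-Object { $_.Publisher -eq $MmaPublisher }
            [pscustomobject]@{
                SubscriptionId = $sub.Id
                ResourceGroup  = $vm.ResourceGroupName
                VMName         = $vm.Name
                Location       = $vm.Location
                OsType         = [string]$vm.StorageProfile.OsDisk.OsType
                MmaInstalled   = [bool]$mma
            }
        }
    }
    $rows | Export-Csv -Path $OutputCsv -NoTypeInformation
}

function Install-MmaFromCsv {
    param(
        [Parameter(Mandatory)][string]$InputCsv,
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][securestring]$WorkspaceKey
    )
    $key = [System.Net.NetworkCredential]::new('', $WorkspaceKey).Password
    foreach ($row in Import-Csv -Path $InputCsv) {
        $agent = $MmaAgent[$row.OsType]
        if ($row.MmaInstalled -eq 'True' -or -not $agent) {
            Write-Warning "Skipping $($row.VMName): already onboarded or unknown OS type"
            continue
        }
        Set-AzContext -SubscriptionId $row.SubscriptionId | Out-Null
        Set-AzVMExtension -ResourceGroupName $row.ResourceGroup -VMName $row.VMName `
            -Location $row.Location -Name $agent.Type -Publisher $MmaPublisher `
            -ExtensionType $agent.Type -TypeHandlerVersion $agent.Version `
            -Settings @{ workspaceId = $WorkspaceId } -ProtectedSettings @{ workspaceKey = $key }
    }
}
```

Run Export-VmMmaInventory first, filter the resulting CSV down to the VMs you want onboarded, then pass that file to Install-MmaFromCsv. The workspace key is taken as a SecureString so it does not end up in the command history.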

 

The sample scripts used in this blog can be found here:

 


 

4 Comments
Copper Contributor

Using Azure Portal is becoming a big nightmare... Who had the idea that applying daily undocumented changes on portal was a good idea????

 

This article is completely outdated...

 

Auto Provisioning Settings was removed from portal...

 

NICE JOB!!! :(

Microsoft

@vitordias, not sure why you can't find the Auto Provisioning settings, it has always been under "Security Center -> Pricing & settings -> Settings -> Data Collection".

 

Which sections in the article do you consider outdated?

Brass Contributor

@Tiander Turpijn After reading the article a question arises. I'm using auto-provisioning for deploying the MMA. For example, one new VM is created and assume auto-provisioning has installed the MMA on that VM. Someone has removed the MMA from the VM. Will the auto-provisioning feature be capable of identifying this VM as having no MMA and install the MMA or not?

 

Microsoft

Thanks @Tiander Turpijn the scripts worked great! 

 

Last update: Nov 29 2021 12:08 PM