Objective:
This workbook addresses a common challenge faced by organizations deploying Defender for Server on AWS or GCP workloads. The challenge is to effectively visualize the health and availability of Azure Arc agent on AWS EC2 or GCP virtual machines. To address this, I have developed a solution using Azure Workbooks. The solution is an interactive workbook that provides view of all machines connected to Defender for Cloud, with and without Azure Arc deployment, including status and additional information.
Introduction:
Did you connected you AWS account to Defender for Server and wonder about the health status of your Azure Arc agent on you EC2 machines in AWS?
Did you connected your GCP workloads to Defender for Server and want to know if Azure Arc agent was onboarded successfully?
In this article I will present to you an option to monitor your AWS EC2 and GCP virtual machines with Azure Arc agent via Azure Workbook, which can be deployed to your environment.
Before I show you how to deploy the workbook, lets briefly talk on Defender for Server, Azure Arc and Azure Workbooks.
Defender for Server -
Comprehensive security solution for protecting servers running in Azure, on-premises, and in other clouds. It offers two plans: Plan 1 and Plan 2. Defender for Server also includes Endpoint detection and Response (EDR) features provided by Microsoft Defender for Endpoint Plan 2. For AWS/GCP/Onprem workloads, machines must be onboarded to Azure with Azure Arc. The best practice to onboard AWS/GCP is by creating a security connector and enable Defender for Servers (P1 or P2) on the security connector with
Arc auto-provisioning. To read more look here:
Connect your AWS account - Microsoft Defender for Cloud | Microsoft Learn
Connect your GCP project - Microsoft Defender for Cloud | Microsoft Learn
Azure Arc -
Azure Arc is a service that extends Azure management and services to any infrastructure. It allows you to manage your Windows and Linux machines hosted outside of Azure, on your corporate network, or other cloud providers, similarly to how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure.
Each connected machine has a Resource ID, is managed as part of a resource group inside a subscription, and benefits from standard Azure constructs such as Azure Policy and applying tags.
Azure Workbooks -
A Workbook is a type of dashboard that allows users to combine text, metrics, logs, queries, parameters, charts, tables, and other visualizations in a single view.
Getting started :
- Select your preferred Subscription, Resource Group, and Region to store the dashboard resource. Leave all other fields as-is
- Once the resource is created, open the Dashboard
- The workbook will then use the Azure Resource Graph to query all virtual machines and display your Azure Connected Machine agents with relevant status
- The workbook will also use the Azure Resource Graph to present the virtual machines connected to Defender for Cloud without Azure Arc deployment
- You can use the Subscription, AWS account and GCP Project fields to have lower-level granularity
- The workbook can be found also in the Azure/Microsoft-Defender-for-Cloud public GitHub Repository. A direct link to the new workbook is available here
AWS:
GCP:
