Azure - File integrity monitoring should be enabled on machines


I have the following recommendation from Microsoft Defender for Cloud

File integrity monitoring should be enabled on machines


I did go through the article - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-enable-ama#enable-file-integrity-monitoring-with-ama - and understood it.

I want to enable this through Terraform rather than manually. I'm not sure where to begin.

Answer by kavyaS:

I tried to reproduce the scenario in my environment:

Code:

resource "azurerm_windows_virtual_machine" "windows-vm" {
  name                = "kav-exp-machine"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  admin_password      = "xxxx" # placeholder; supply through a variable or Key Vault, not in source
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  # Azure Monitor Agent authenticates with a managed identity, so the VM needs one.
  identity {
    type = "SystemAssigned"
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}


# Azure Monitor Agent (AMA) extension; FIM with AMA reads its configuration from a data collection rule.
resource "azurerm_virtual_machine_extension" "ama" {
  # count                    = var.server_count
  name                       = "kav-windows-vm-extension"
  virtual_machine_id         = azurerm_windows_virtual_machine.windows-vm.id
  publisher                  = "Microsoft.Azure.Monitor"
  type                       = "AzureMonitorWindowsAgent"
  type_handler_version       = "1.10"
  auto_upgrade_minor_version = true
  depends_on                 = [azurerm_windows_virtual_machine.windows-vm, azurerm_log_analytics_workspace.la_workspace]

  lifecycle {
    ignore_changes = [tags]
  }
}

Some prerequisites to enable File Integrity Monitoring:

  1. Enable Azure Defender: source code from the Microsoft Defender for Cloud Terraform repository on GitHub (reference 2)

code:

# Assign the Azure Security Benchmark initiative to the subscription
resource "azurerm_subscription_policy_assignment" "asb_assignment" {
  name                 = "azuresecuritybenchmark"
  display_name         = "Azure Security Benchmark"
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  subscription_id      = data.azurerm_subscription.current.id
}

resource "azurerm_security_center_subscription_pricing" "mdc_arm" {
  tier          = "Standard"
  resource_type = "Arm"
}

# Defender for Servers (Standard tier) is the plan that includes File Integrity Monitoring
resource "azurerm_security_center_subscription_pricing" "mdc_servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_setting" "setting_mcas" {
  setting_name = "MCAS"
  enabled      = false
}

resource "azurerm_security_center_setting" "setting_mde" {
  setting_name = "WDATP"
  enabled      = true
}
/*
resource "azurerm_security_center_contact" "mdc_contact" {
  email = "xxxxx.com"
 // phone = "xxxxx89"

  alert_notifications = true
  alerts_to_admins    = true
}
*/

# Auto-provision the monitoring agent onto machines in the subscription
resource "azurerm_security_center_auto_provisioning" "auto-provisioning" {
  auto_provision = "On"
}

# Point Defender for Cloud at the Log Analytics workspace defined below
resource "azurerm_security_center_workspace" "la_workspace" {
  scope        = data.azurerm_subscription.current.id
  workspace_id = azurerm_log_analytics_workspace.la_workspace.id
}

resource "azurerm_subscription_policy_assignment" "va-auto-provisioning" {
  name                 = "mdc-va-autoprovisioning"
  display_name         = "Configure machines to receive a vulnerability assessment provider"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
  subscription_id      = data.azurerm_subscription.current.id
  identity {
    type = "SystemAssigned"
  }
  location = "West Europe"
  parameters = <<PARAMS
{ "vaType": { "value": "mdeTvm" } }
PARAMS
}

resource "azurerm_role_assignment" "va-auto-provisioning-identity-role" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
  principal_id       = azurerm_subscription_policy_assignment.va-auto-provisioning.identity[0].principal_id
}

# Continuous export of alerts and secure score data to the workspace
resource "azurerm_security_center_automation" "la-exports" {
  name                = "ExportToWorkspace"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  action {
    type              = "loganalytics"
    resource_id       = azurerm_log_analytics_workspace.la_workspace.id
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
      rule {
        property_path  = "Severity"
        operator       = "Equals"
        expected_value = "Medium"
        property_type  = "String"
      }
    }
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoreControls"
  }

  scopes = [ data.azurerm_subscription.current.id ]
}

  2. Log Analytics workspace, and the Microsoft Monitoring Agent connected to the Log Analytics workspace

code:

resource "azurerm_log_analytics_workspace" "la_workspace" {
  name                = "kav-mdc-security-workspace"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  sku                 = "PerGB2018"
}

resource "azurerm_log_analytics_solution" "la_workspace_security" {
  solution_name         = "Security"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.la_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.la_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/Security"
  }
}

resource "azurerm_log_analytics_solution" "la_workspace_securityfree" {
  solution_name         = "SecurityCenterFree"
  location              = data.azurerm_resource_group.example.location
  resource_group_name   = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.la_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.la_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityCenterFree"
  }
}

Add the Updates workspace solution to Log Analytics if enable_change_tracking is set to true (adding this enables Change Tracking and Inventory):

resource "azurerm_log_analytics_solution" "law_solution_change_tracking" {
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  solution_name         = "ChangeTracking"
  workspace_resource_id = azurerm_log_analytics_workspace.la_workspace.id
  workspace_name        = azurerm_log_analytics_workspace.la_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ChangeTracking"
  }
}

For FIM to be enabled, the Change Tracking resource of type Solution is required. If the Change Tracking resource is disabled, the File Integrity Monitoring feature in Defender for Cloud is also disabled.

For MMA:

resource "azurerm_virtual_machine_extension" "daa-agent" {
  name                       = "DependencyAgentWindows"
  virtual_machine_id         = azurerm_windows_virtual_machine.windows-vm.id
  publisher                  = "Microsoft.Azure.Monitoring.DependencyAgent"
  type                       = "DependencyAgentWindows"
  type_handler_version       = "9.10"
  automatic_upgrade_enabled  = true
  auto_upgrade_minor_version = true
}

# Legacy agent path: Microsoft retired the Log Analytics agent (MMA) in August 2024,
# so the AMA extension above is the supported route for new deployments.
resource "azurerm_virtual_machine_extension" "msmonitor-agent" {
  depends_on           = [azurerm_virtual_machine_extension.daa-agent]
  name                 = "MicrosoftMonitoringAgent"
  virtual_machine_id   = azurerm_windows_virtual_machine.windows-vm.id
  publisher            = "Microsoft.EnterpriseCloud.Monitoring"
  type                 = "MicrosoftMonitoringAgent"
  type_handler_version = "1.0"
  # Not yet supported
  # automatic_upgrade_enabled  = true
  # auto_upgrade_minor_version = true

  # workspaceId is the workspace's customer ID (GUID), not its ARM resource ID
  settings = <<SETTINGS
    {
        "workspaceId": "${azurerm_log_analytics_workspace.la_workspace.workspace_id}",
        "azureResourceId": "${azurerm_windows_virtual_machine.windows-vm.id}",
        "stopOnMultipleConnections": "false"
    }
SETTINGS
  # The shared key is a secret; protected_settings keeps it out of plain-text extension config
  protected_settings = <<PROTECTED_SETTINGS
    {
      "workspaceKey": "${azurerm_log_analytics_workspace.la_workspace.primary_shared_key}"
    }
PROTECTED_SETTINGS
}

Create a Data Collection Rule that defines the files and registries that should be monitored. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.

resource "azurerm_monitor_data_collection_rule" "example" {
  name                = "kavya-data-coll-rules"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location

  destinations {
    log_analytics {
      workspace_resource_id = azurerm_log_analytics_workspace.la_workspace.id
      name                  = "test-destination-log"
    }

    azure_monitor_metrics {
      name = "test-destination-metrics"
    }
  }

  data_flow {
    streams      = ["Microsoft-InsightsMetrics"]
    destinations = ["test-destination-log"]
  }

  # As written, this rule collects VM Insights performance counters; it does not
  # itself list the files or registry keys to monitor.
  data_sources {
    performance_counter {
      streams                       = ["Microsoft-InsightsMetrics"]
      sampling_frequency_in_seconds = 60
      counter_specifiers            = ["\\VmInsights\\DetailedMetrics"]
      name                          = "VMInsightsPerfCounters"
    }
  }
}

# Associate the VM with the Data Collection Rule
resource "azurerm_monitor_data_collection_rule_association" "example1" {
  name                    = "example1-dcra"
  target_resource_id      = azurerm_windows_virtual_machine.windows-vm.id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.example.id
  description             = "example"
}

Upon terraform plan and terraform apply, the below resources are created.

Then I checked file integrity monitoring. File integrity monitoring is enabled for my Windows Defender.

There is a Disable option to disable it when needed.


References:

  1. How to enable Update Management for an Azure Automation Account programmatically? (Stack Overflow)
  2. Microsoft-Defender-for-Cloud/main.tf at main, Azure/Microsoft-Defender-for-Cloud (GitHub)
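As an added example (not code from the answer or from Microsoft's repository), the following Python script audits `terraform show -json` state output for the prerequisites this answer lists: Defender for Servers at Standard tier, the ChangeTracking solution, and for each VM a managed identity, the AMA extension and a DCR association. The sample state is constructed and its resource ids are placeholders.

```python
"""Added example, not code from the answer: audit `terraform show -json` state
for the FIM-with-AMA prerequisites the answer lists. SAMPLE_STATE is constructed."""
AMA_TYPES = {"AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent"}

def flatten(module: dict) -> list:
    """Collect resources from a module and all of its child modules."""
    found = list(module.get("resources", []))
    for child in module.get("child_modules", []):
        found.extend(flatten(child))
    return found

def fim_prereq_findings(state: dict) -> list:
    """Return one string per missing prerequisite; an empty list means all checks passed."""
    res = flatten(state["values"]["root_module"])
    of = lambda t: [r for r in res if r["type"] == t]
    val = lambda r, k: r["values"].get(k)
    gaps = []
    if not any(val(r, "resource_type") == "VirtualMachines" and val(r, "tier") == "Standard"
               for r in of("azurerm_security_center_subscription_pricing")):
        gaps.append("Defender for Servers pricing is not Standard")
    if not any(val(r, "solution_name") == "ChangeTracking" for r in of("azurerm_log_analytics_solution")):
        gaps.append("ChangeTracking solution missing: FIM stays disabled without it")
    exts = of("azurerm_virtual_machine_extension")
    dcras = of("azurerm_monitor_data_collection_rule_association")
    for vm in of("azurerm_windows_virtual_machine") + of("azurerm_linux_virtual_machine"):
        vm_id, addr = val(vm, "id"), vm["address"]
        if not val(vm, "identity"):  # AMA authenticates with a managed identity
            gaps.append(f"{addr}: no managed identity (AMA requires one)")
        if not any(val(e, "virtual_machine_id") == vm_id and val(e, "type") in AMA_TYPES for e in exts):
            gaps.append(f"{addr}: Azure Monitor Agent extension not installed")
        if not any(val(d, "target_resource_id") == vm_id for d in dcras):
            gaps.append(f"{addr}: no data collection rule association")
    return gaps

def _r(address: str, values: dict) -> dict:
    """Build one resource entry in the shape `terraform show -json` emits."""
    return {"address": address, "type": address.split(".")[0], "values": values}

# Constructed state: windows-vm is fully wired up, vm_b has nothing attached (ids are placeholders).
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    _r("azurerm_security_center_subscription_pricing.mdc_servers", {"tier": "Standard", "resource_type": "VirtualMachines"}),
    _r("azurerm_log_analytics_solution.ct", {"solution_name": "ChangeTracking"}),
    _r("azurerm_windows_virtual_machine.windows-vm", {"id": "vm-id-a", "identity": [{"type": "SystemAssigned"}]}),
    _r("azurerm_virtual_machine_extension.ama", {"virtual_machine_id": "vm-id-a", "type": "AzureMonitorWindowsAgent"}),
    _r("azurerm_monitor_data_collection_rule_association.example1", {"target_resource_id": "vm-id-a"}),
    _r("azurerm_windows_virtual_machine.vm_b", {"id": "vm-id-b", "identity": []}),
]}}}

if __name__ == "__main__":
    print("\n".join(fim_prereq_findings(SAMPLE_STATE)) or "all FIM prerequisites present")
```

Run it against real output with `terraform show -json > state.json` and `fim_prereq_findings(json.load(open("state.json")))`; resources created through Defender's own auto-provisioning are not in Terraform state and will not be seen by this check.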