Deploy Microsoft Defender for Servers via VM ARM template

Microsoft Defender for Servers offers Azure VMs a capability that helps detect threats and adds an additional layer of defense. It is currently supported on both Windows and Linux.

In this article, let's quickly check whether we can deploy the MDE agent via an Azure ARM template.

If you already know MDE and want to test immediately, use the template from here: https://github.com/azsec/scaf-azure-arm-templates/tree/master/VirtualMachine/vm-with-mde

Why?

Endpoint protection and vulnerability assessment are undoubtedly required by InfoSec, and this appears to be happening in every organization. Moreover, if you work with Microsoft Defender for Cloud (formerly Azure Security Center) recommendations, you probably know the one called "A vulnerability assessment solution should be enabled on your virtual machines". To improve your secure score you need to install a vulnerability assessment solution on the Azure VM. MDE is one of the solutions Microsoft Defender for Cloud gives credit for.

ARM template

Windows

For Windows, use the extension below:

{
  "comments": "Deploy Microsoft Defender for Windows VM",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-03-01",
  "location": "[parameters('location')]",
  "name": "[concat(variables('vmName'),'/MDE.Windows')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Windows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",
      "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
      "forceReOnboarding": false
    }
  }
}

Linux

For Linux, use the extension below:

{
  "comments": "Deploy Microsoft Defender for Linux VM",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2021-03-01",
  "location": "[parameters('location')]",
  "name": "[concat(variables('vmName'),'/MDE.Linux')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
  ],
  "properties": {
    "autoUpgradeMinorVersion": true,
    "publisher": "Microsoft.Azure.AzureDefenderForServers",
    "type": "MDE.Linux",
    "typeHandlerVersion": "1.0",
    "settings": {
      "azureResourceId": "[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",
      "defenderForServersWorkspaceId": "[parameters('monitoringWorkspaceId')]",
      "forceReOnboarding": false
    }
  }
}

You need to provide the following settings:

  • azureResourceId: the resource ID of the Azure VM. It can be referenced using resourceId().
  • defenderForServersWorkspaceId: the Log Analytics workspace that Azure Security Center is currently connected to.
  • forceReOnboarding: indicates whether the VM should be automatically re-onboarded if it is disconnected from the Defender workspace.
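As an added example (not code from the original post or from the linked template repository), here is a small Python helper that emits the MDE.Windows or MDE.Linux extension resource shown above and lints every ARM expression in it, so a parameters() reference that is missing its closing bracket is caught before you run the deployment. The function names and the default variable/parameter names (vmName, monitoringWorkspaceId) are assumptions chosen to match the templates on this page.

```python
PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"  # publisher used by both templates above


def mde_extension(os_type, vm_name_var="vmName", workspace_param="monitoringWorkspaceId",
                  force_reonboarding=False):
    """Build the Microsoft.Compute/virtualMachines/extensions resource for MDE.Windows or MDE.Linux.
    Variable and parameter names default to the ones the page's templates use (assumed names)."""
    if os_type not in ("Windows", "Linux"):
        raise ValueError("os_type must be 'Windows' or 'Linux'")
    ext_type = f"MDE.{os_type}"
    vm_id = f"[resourceId('Microsoft.Compute/virtualMachines', variables('{vm_name_var}'))]"
    return {
        "comments": f"Deploy Microsoft Defender for {os_type} VM",
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "apiVersion": "2021-03-01",
        "location": "[parameters('location')]",
        "name": f"[concat(variables('{vm_name_var}'), '/{ext_type}')]",
        "dependsOn": [vm_id],  # the extension must wait for the VM itself
        "properties": {
            "autoUpgradeMinorVersion": True,
            "publisher": PUBLISHER,
            "type": ext_type,
            "typeHandlerVersion": "1.0",
            "settings": {
                "azureResourceId": vm_id,
                "defenderForServersWorkspaceId": f"[parameters('{workspace_param}')]",
                "forceReOnboarding": force_reonboarding,
            },
        },
    }


def lint_expressions(node):
    """Return every ARM template expression in the resource that is malformed.
    A string starting with '[' (but not the '[[' escape) is an expression: it must end with ']'
    and have balanced parentheses, so "[parameters('x')" without its bracket is reported."""
    problems = []
    if isinstance(node, dict):
        for value in node.values():
            problems.extend(lint_expressions(value))
    elif isinstance(node, list):
        for value in node:
            problems.extend(lint_expressions(value))
    elif isinstance(node, str) and node.startswith("[") and not node.startswith("[["):
        if not node.endswith("]") or node.count("(") != node.count(")"):
            problems.append(node)
    return problems
```

Run `lint_expressions(mde_extension("Linux"))` and check that it returns an empty list before pasting the resource into the template's resources array.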

Now you can give it a try.
