azure-defender-auto-provisioning-disabled: Azure Defender for Cloud Automatic Provisioning Disabled

日期: 2025-08-01 | 影响软件: Azure Defender auto provisioning disabled | POC: 已公开

漏洞描述

Ensure that the automatic provisioning extensions are enabled within the Microsoft Defender for Cloud settings to collect security data and events from your Azure virtual machines (VMs) and containers. By enabling Auto provisioning, you can ensure that the agents needed for processes such as vulnerability assessments, log analytics, and container monitoring are automatically installed on your infrastructure.

PoC代码[已公开]

id: azure-defender-auto-provisioning-disabled
info:
  name: Azure Defender for Cloud Automatic Provisioning Disabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that the automatic provisioning extensions are enabled within the Microsoft Defender for Cloud settings to collect security data and events from your Azure virtual machines (VMs) and containers. By enabling Auto provisioning, you can ensure that the agents needed for processes such as vulnerability assessments, log analytics, and container monitoring are automatically installed on your infrastructure.
  impact: |
    Disabling or not configuring automatic provisioning may lead to lack of critical security data collection, hindering effective security monitoring and incident response.
  remediation: |
    Enable the automatic provisioning feature within Microsoft Defender for Cloud to ensure that all necessary security agents are automatically deployed across your Azure resources.
  reference:
    - https://docs.microsoft.com/en-us/azure/security-center/security-center-auto-provisioning
  tags: cloud,devops,azure,microsoft,defender-for-cloud,azure-cloud-config

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az security auto-provisioning-setting list

    matchers:
      - type: word
        words:
          - '"autoProvision": "Off"'

    extractors:
      - type: dsl
        dsl:
          - '"Automatic Provisioning for Microsoft Defender are not enabled"'
# digest: 4b0a00483046022100d03ce238fcbfd5d6e26cfaa77938fd9a3c1288824f07807cfd301e4645097793022100b15d697f6a5205dbbbabd1df68392c4c9d6c18c3464e166fe63b6b9a8062ce61:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/securitycenter/azure-defender-auto-provisioning-disabled.yaml