# Step 1: Evidence Details


|Evidence name|Original name|System|Source of data|Frameworks|Purpose|
|---|:---|:---|:---|:---|:--------|
|loganalyticsagentforvmmonitoring|installloganalyticsagentonvmssmonitoring|Azure|Azure Virtual Machines Extensions Data|Virtual Machines|Ensure Log Analytics agent is installed on your virtual machine for Azure Security Center monitoring|


**Purpose:** This policy audits Windows and Linux virtual machines (VMs) on which the Log Analytics agent is not installed. Security Center uses this agent to monitor for security vulnerabilities and threats. When the Log Analytics agent is connected to a workspace, heartbeat data is collected by default.

With the Log Analytics agent, the following logs can be collected: Windows Event logs, Syslog, Performance (numerical values measuring the performance of different aspects of the operating system and workloads), IIS logs and custom logs.

**Note**: The legacy Log Analytics agent will be deprecated by August 2024. After this date, Microsoft will no longer provide any support for the Log Analytics agent. All systems should migrate to Azure Monitor agent before August 2024 to continue ingesting data.

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

Extended schema:

```json
{
    "Id": "/subscriptions/sub_id/resourceGroups/exampleResourceGroup/providers/Microsoft.Compute/virtualMachines/exampleVM",
    "Name": "exampleVM",
    "PropertiesStorageProfileOsDiskOsType": "Windows",
    "Values": [
        {
            "name": "exampleExtension",
            "id": "/subscriptions/sub_id/resourceGroups/exampleResourceGroup/providers/Microsoft.Compute/virtualMachines/exampleVM/extensions/exampleExtension",
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "location": "westus2",
            "properties": {
                "autoUpgradeMinorVersion": true,
                "provisioningState": "Failed",
                "publisher": "Microsoft.Azure.ActiveDirectory",
                "type": "AADSSHLoginForLinux",
                "typeHandlerVersion": "1.0"
            }
        }
    ]
}
```


# Step 3: Define the Standard Schema

  

Standard schema:

```json
{
    "System": "azure",
    "Source": "compliancecow",
    "ResourceId": "/subscriptions/sub_id/resourceGroups/exampleResourceGroup/providers/Microsoft.Compute/virtualMachines/exampleVM",
    "ResourceType": "Virtual Machines",
    "ResourceName": "exampleVM",
    "AgentInstalledInVM": false,
    "ComplianceStatus": "NON_COMPLIANT",
    "ValidationStatusCode": "DEPENDENCY_AGENT_NOT_INSTALLED_IN_LINUX_VM",
    "ComplianceStatusReason": "Dependency Agent Not Installed In Linux VM",
    "ValidationStatusNotes": "Install Dependency Agent in the Linux VM To Ensure Compliancy",
    "EvaluatedTime": "2023-12-18 11:56:26.940263",
    "Action": "",
    "Tags": []
}
```


# Step 3.a: Sample Data

| System | Source | ResourceId | ResourceName | ResourceGroup | ResourceType | ResourceLocation | ComplianceStatus | ComplianceStatusReason | ValidationStatusCode | ValidationStatusNotes | EvaluationTime | Tags | UserAction | ActionResponseURL |
|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|:------|
| azure | azure_policy | /subscriptions/12345678/resourcegroups/example/providers/microsoft.compute/virtualmachines/exampleVM | exampleVM | exampleResourceGroup | Microsoft.Compute/virtualMachine | westus2 | NON COMPLIANT | Log Analytics agent is not installed | OMS_EXT_NOT_INSTALLED | OmsAgentForLinux extension is not found | 2023-08-31T00:02:08.7806403Z | | | https://something.something |
| azure | azure_policy | /subscriptions/87654321/resourcegroups/example/providers/microsoft.compute/virtualmachines/anotherVM | anotherVM | exampleResourceGroup | Microsoft.Compute/virtualMachine | westus2 | NON COMPLIANT | Log Analytics agent is not installed | OMS_EXT_NOT_INSTALLED | OmsAgentForLinux extension is not found | 2023-08-31T00:02:09.2887781Z | | | https://something.something |
| azure | azure_policy | /subscriptions/99999999/resourcegroups/company-demo-apps/providers/microsoft.compute/virtualmachines/demoVM | demoVM | company-demo-apps | Microsoft.Compute/virtualMachine | westus2 | NON COMPLIANT | Log Analytics agent is not installed | OMS_EXT_NOT_INSTALLED | OmsAgentForLinux extension is not found | 2023-08-31T00:02:09.2887781Z | | | https://something.something |
| azure | azure_policy | /subscriptions/77777777/resourcegroups/internal/providers/microsoft.compute/virtualmachines/build-server | build-server | internal | Microsoft.Compute/virtualMachine | westus2 | NON COMPLIANT | Log Analytics agent is not installed | OMS_EXT_NOT_INSTALLED | OmsAgentForLinux extension is not found | 2023-08-31T00:02:06.3480622Z | | | https://something.something |
| azure | azure_policy | /subscriptions/55555555/resourcegroups/project/providers/microsoft.compute/virtualmachines/wordpress | wordpress | project | Microsoft.Compute/virtualMachine | westus2 | NON COMPLIANT | Log Analytics agent is not installed | OMS_EXT_NOT_INSTALLED | OmsAgentForLinux extension is not found | 2023-08-31T00:02:08.7806403Z | | | https://something.something |


# Step 4: Describe the Compliance Taxonomy

Compliance Cow's ComplianceStatus is determined from the CC ValidationStatusCode field.

|For Windows VM|
|:--------------|

|CC ValidationStatusCode |CC Compliance Reason | CC Compliance Status|
|-------------------- | :--------------------| :--------------------|
|MMA_EXT_INSTALLED|Log Analytics agent is installed|COMPLIANT|
|MMA_EXT_NOT_INSTALLED|Log Analytics agent is not installed|NON_COMPLIANT|
|MMA_EXT_STATUS_UNKNOWN|Could not determine installation status of Log Analytics agent|NON DETERMINED|

|For Linux VM|
|:--------------|

|CC ValidationStatusCode |CC Compliance Reason | CC Compliance Status|
|-------------------- | :--------------------| :--------------------|
|OMS_EXT_INSTALLED|Log Analytics agent is installed|COMPLIANT|
|OMS_EXT_NOT_INSTALLED|Log Analytics agent is not installed|NON_COMPLIANT|
|OMS_EXT_STATUS_UNKNOWN|Could not determine installation status of Log Analytics agent|NON DETERMINED|

# Step 5: Calculation for Compliance Percentage and Status

```python
# For each control:
# Refer to Step 6 to determine whether the assessment for the leaf control was
# compliant or non-compliant. The compliance percentage is 100% if the
# assessment was compliant and 0% otherwise.
#
# For the overall assessment, the existing calculation will be used.
#
# Method suggested by Azure
# (https://learn.microsoft.com/en-us/azure/governance/policy/concepts/compliance-states):
# overall compliance % = (compliant + exempt + unknown) /
#     (compliant + exempt + unknown + non-compliant + conflicting + error)


def get_compliance_status(row, vals):
    """Return the ComplianceStatus for one extended-schema record.

    row  -- VM record from Step 2, with its extensions listed under "Values"
    vals -- mapping that carries the expected extension type under "AgentType"
    """
    is_agent_installed_in_vm = False

    extensions = row.get("Values")
    if extensions and isinstance(extensions, list):
        for item in extensions:
            properties = item.get("properties")
            if properties:
                agent_type = properties.get("type")
                # The agent counts as installed when an extension of the
                # expected type is present on the VM.
                if vals.get("AgentType") == agent_type:
                    is_agent_installed_in_vm = True
                    break

    return "COMPLIANT" if is_agent_installed_in_vm else "NON_COMPLIANT"
```
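
The following added example, which is not part of the original rule code, combines the Step 4 taxonomy with the Step 5 extension check so that each record yields an OS-specific ValidationStatusCode. The names `evaluate_vm` and `make_row` are hypothetical, and the agent extension types are assumed to be `MicrosoftMonitoringAgent` (Windows) and `OmsAgentForLinux` (Linux). As a further assumption, it reports the `*_EXT_STATUS_UNKNOWN` code when extension data is missing or when the agent extension is present but its `provisioningState` is not `Succeeded`.

```python
# Added example, not ComplianceCow's code; assumptions are marked inline.
AGENT_BY_OS = {
    # OS type -> (Step 4 status-code prefix, agent extension type [assumed])
    "windows": ("MMA_EXT", "MicrosoftMonitoringAgent"),
    "linux": ("OMS_EXT", "OmsAgentForLinux"),
}
STATUS_BY_SUFFIX = {
    "INSTALLED": "COMPLIANT",
    "NOT_INSTALLED": "NON_COMPLIANT",
    "STATUS_UNKNOWN": "NOT_DETERMINED",  # spelling used in Step 6
}


def evaluate_vm(row):
    """Map one extended-schema record to (ValidationStatusCode, ComplianceStatus)."""
    os_type = str(row.get("PropertiesStorageProfileOsDiskOsType", "")).lower()
    if os_type not in AGENT_BY_OS:
        return None, "NOT_DETERMINED"  # Step 4 defines no code for other OS types
    prefix, agent_type = AGENT_BY_OS[os_type]
    extensions = row.get("Values")
    if not isinstance(extensions, list):
        suffix = "STATUS_UNKNOWN"  # extension data missing: cannot decide
    else:
        states = [p.get("provisioningState") for p in
                  ((e.get("properties") or {}) for e in extensions if isinstance(e, dict))
                  if p.get("type") == agent_type]
        if not states:
            suffix = "NOT_INSTALLED"
        elif "Succeeded" in states:
            suffix = "INSTALLED"
        else:
            suffix = "STATUS_UNKNOWN"  # assumption: present but not provisioned
    return f"{prefix}_{suffix}", STATUS_BY_SUFFIX[suffix]


def make_row(os_type, ext_type, state):
    """Build a constructed record shaped like the Step 2 extended schema."""
    return {"PropertiesStorageProfileOsDiskOsType": os_type,
            "Values": [{"properties": {"type": ext_type, "provisioningState": state}}]}


# Constructed samples; the first mirrors the Step 2 record.
SAMPLES = [make_row("Windows", "AADSSHLoginForLinux", "Failed"),
           make_row("Linux", "OmsAgentForLinux", "Succeeded"),
           make_row("Linux", "OmsAgentForLinux", "Failed")]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate_vm(sample))
```

The Step 5 check alone would mark the third sample COMPLIANT, because it matches on extension type without looking at `provisioningState`.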

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

For NOT_DETERMINED: None

For COMPLIANT: None

For NON_COMPLIANT:

If Compliance Cow needs to notify the client, the following message can be sent via Slack or raised as a ticket in JIRA:

To install the Log Analytics agent on Linux VMs, follow the detailed instructions at:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux?tabs=wrapper-script

To install the Log Analytics agent on Windows VMs, follow the detailed instructions at:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard

# Step 7: Control Setup Details

| Control Details            |                                               |
|----------------------------|-----------------------------------------------|
| **RuleName**               | IsAgentsInstalledInVMs                        |
| **PreRequisiteRuleNames**  | AzureVirtualMachinesData                      |
| **ExtendedSchemaRuleNames**| AzureVirtualMachinesData                      |
| **ApplicationClassName**   | azureappconnector                             |
