Skip to content

Microsoft.Security/autoProvisioningSettings/write

Azure

Microsoft.Security/autoProvisioningSettings/write

service: Azure - Microsoft Defender for Cloud
techniques:

Event

Modifies auto-provisioning settings, potentially disabling automatic deployment of security monitoring agents.

Security Context

  • Auto-provisioning automatically installs security monitoring agents on new and existing resources; disabling it creates a blind spot where new workloads deploy without security monitoring.
  • Adversaries disable auto-provisioning to ensure that newly created resources used in their attack are not instrumented with monitoring agents that would detect malicious activity.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud flips the subscription’s auto-provisioning setting to Off, ensuring that any new VMs (including ones he intends to spin up to host C2) will NOT auto-deploy the Log Analytics agent / AMA — so they won’t appear in Defender for Cloud or send security telemetry to the workspace.

{
"authorization": {
"action": "Microsoft.Security/autoProvisioningSettings/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "autoProv214ExampleUti",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100100111",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100101000",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:35:42.0218107Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default/events/90000000-0000-4000-8000-000100101000/ticks/638798200200218107",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100101001",
"operationName": {
"value": "Microsoft.Security/autoProvisioningSettings/write",
"localizedValue": "Create or Update Auto Provisioning Settings"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Security",
"localizedValue": "Microsoft.Security"
},
"resourceType": {
"value": "Microsoft.Security/autoProvisioningSettings",
"localizedValue": "Microsoft.Security/autoProvisioningSettings"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:35:42.5781055Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Security/autoProvisioningSettings/default",
"message": "Microsoft.Security/autoProvisioningSettings/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"autoProvision\":\"Off\"}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...