Skip to main content

Install Windows Agent with Azure Resource Manager

You can install the Lacework agent on your Windows host through an Azure Resource Manager (ARM) template. In this type of deployment, the ARM template uses the CustomScriptExtension to download and run a Install-LWDataCollector.ps1 PowerShell script that installs the agent onto a Windows VM instance.

Prerequisites

  1. Install the Azure CLI on your machine. For instructions, see How to install the Azure CLI.
  2. Download the ARM Template (azurerm.zip file) following the instructions in Download Windows Agent Installers.
  3. Unzip the azurerm.zip file. The azurerm folder that is created contains the following files:
    • parameters.json
    • template.bicep
    • template.json

Configure an ARM Template

Create an ARM template that deploys your Azure resources and the Windows agent. You can use the sample ARM template (template.json or template.bicep) in the azurerm folder. This template creates a VM instance and installs the Windows agent. The template downloads and runs a PowerShell script (Install-LWDataCollector.ps1) to install the agent on the VM instance.

The Install-LWDataCollector.ps1 script installs the Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. The script also optionally configures a Windows Defender exclusion for the agent with the -defender parameter.

note

Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWDataCollector.ps1 script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the script to exclude the agent from scanning.

Configure a Parameters File for your Azure Deployment

Create a JSON file for your deployment parameters. You can modify the sample parameters file (parameters.json) in the azurerm folder as required. Specify values for the following parameters:

  • laceworkEndpoint - The Lacework agent server URL. For more information, see serverurl Property.
  • laceworkMSIURL - The URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Lacework Windows Agent MSI Package.
  • laceworkPSScript - The URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Install-LWDataCollector.ps1 Script.
  • laceworkToken - A valid Lacework agent access token. For more information, see Agent Access Token. It is good practice to store access tokens securely in Azure Key Vault. The parameters.json file references the access token in a Key Vault.
  • laceworkDefender - (Optional) To configure a Windows Defender exclusion for the agent, change the value of this parameter to true.
  • Parameters for your Windows VM on Azure.

Deploy the ARM Template

Run the command to deploy the ARM template.

PowerShell

Open a PowerShell terminal as administrator and execute the following command:

  • To use the parameters.json file:
    New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.json
  • To use the parameters.bicep file:
    New-AzResourceGroupDeployment -Name <deployment_name> -ResourceGroupName <resource_group> -TemplateFile template.json -TemplateParameterFile parameters.bicep
    Where -Name specifies the name of your Azure deployment, and -ResourceGroupName specifies the name of the Azure resource group to which you want to add the deployment.

Azure CLI

Execute the following command in the Azure CLI:

  • To use the parameters.json file:
    az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.json
  • To use the parameters.bicep file:
    az deployment group create -n <deployment_name> -g <resource_group> -f template.json -p @parameters.bicep

Deploy to an Existing Azure VM Instance without Using an ARM Template

You can install the Lacework Windows agent to an existing Azure VM instance without using an ARM template.

PowerShell

Open a PowerShell terminal as an administrator and run the following command:

Set-AzVMCustomScriptExtension -ResourceGroupName Your_Resource_Group_Name `
   -VMName Your_VM_Name `
   -Location Your_Azure_Region `
   -FileUri "https://updates.lacework.net/windows/<Release-Version>/Install-LWDataCollector.ps1" `
   -Run 'Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -AccessToken Your_Access_Token -ServerURL Your_API_Endpoint -defender' `
   -Name install-lacework-dc `
   -SecureExecution

Azure CLI

Run the following command in the Azure CLI:

az vm extension set -n customScriptExtension --publisher Microsoft.Compute --extension-instance-name install-lacework-dc -g Your_Resource_Group_Name --vm-name Your_VM_Name --protected-settings '{"FileUris": ["https://updates.lacework.net/windows/<Release-Version>/Install-LWDataCollector.ps1"], "commandToExecute": "powershell -File Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -AccessToken Your_Access_Token -ServerURL Your_API_Endpoint -defender"}'

Where:

  • Your_Resource_Group_Name species your Azure resource group name.
  • Your_VM_Name specifies the name of the Azure VM in which you want to install the agent.
  • Your_Azure_Region specifies the Azure Region in which the VM exists. For example, eastus.
  • https://updates.lacework.net/windows/<Release-Version>/Install-LWDataCollector.ps1 specifies the URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL for the Install-LWDataCollector.ps1 script, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for the Install-LWDataCollector.ps1 Script.
  • Agent_MSI_Download_URL specifies the URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Lacework Windows Agent MSI Package.
  • Your_Access_Token specifies your agent access token. For more information, see Agent Access Token.
  • Your_API_Endpoint specifies your Lacework agent server URL. For more information, see serverurl Property.
  • -defender configures a Windows Defender exclusion for the agent.
Last updated on