guguji666666 / GJS-MDC-Tips


Defender for cloud useful doc


Defender for cloud FAQ

Defender for servers plan - workspaces and agents

1. How Defender for Cloud creates default workspaces

Defender for Servers creates workspaces

By default, when you onboard for the first time Defender for Cloud creates a new resource group and default workspace in the region of each subscription with Defender for Cloud enabled.

If you have VMs in multiple locations, Defender for Cloud creates multiple workspaces accordingly, to ensure data compliance.

2. Where is the default Log Analytics workspace created by Defender for Cloud plans?

Locations of default workspaces

For VMs in the United States and Brazil the workspace location is the United States
For VMs in Canada, the workspace location is Canada
For VMs in Europe the workspace location is Europe
For VMs in the UK the workspace location is the UK
For VMs in East Asia and Southeast Asia the workspace location is Asia
For VMs in Korea, the workspace location is Korea
For VMs in India, the workspace location is India
For VMs in Japan, the workspace location is Japan
For VMs in China, the workspace location is China
For VMs in Australia, the workspace location is Australia

3. Can I delete the default workspaces created by Defender for Cloud?

Delete default workspaces?

Deleting the default workspace is not recommended if you don't have a custom workspace.

If Defender for Cloud is using the default workspace and you delete it accidentally, Defender for Cloud is unable to collect this data, and some security recommendations and alerts become unavailable.

To recover, remove the Log Analytics agent from the VMs connected to the deleted workspace. Defender for Cloud reinstalls the agent and creates new default workspaces. You can also define a custom workspace in the auto-provisioning configuration if you don't want MDC to use default workspaces.
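The recovery step above (remove the Log Analytics agent so auto-provisioning reinstalls it) can be scripted. The following Az PowerShell snippet is an added example and not code from the GJS-MDC-Tips repo: it walks every VM in the current subscription, reads the Log Analytics (MMA) extension's public settings, and removes the extension only where it still points at the deleted workspace. It assumes Az.Compute is installed, Connect-AzAccount has been run, and the workspace ID in $DeletedWorkspaceId is a placeholder you replace with the real one.

```powershell
# Added example (not from the GJS-MDC-Tips repo).
# Remove the Log Analytics agent extension from VMs that still report to a deleted
# workspace, so Defender for Cloud auto-provisioning can reinstall it against a new
# default workspace. Assumes Az.Compute and an active Connect-AzAccount session.

$DeletedWorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: the deleted workspace (customer) ID

# The MMA extension is published by Microsoft.EnterpriseCloud.Monitoring; the type
# differs per OS. Matching on publisher/type is more robust than on the instance name.
$MmaPublisher = 'Microsoft.EnterpriseCloud.Monitoring'
$MmaTypes     = @('MicrosoftMonitoringAgent', 'OmsAgentForLinux')

foreach ($vm in Get-AzVM) {
    $extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
    foreach ($ext in $extensions) {
        if ($ext.Publisher -ne $MmaPublisher -or $ext.ExtensionType -notin $MmaTypes) { continue }

        # PublicSettings is a JSON string; the MMA extension stores its target as workspaceId.
        $settings = $null
        if ($ext.PublicSettings) { $settings = $ext.PublicSettings | ConvertFrom-Json }
        if (-not $settings -or $settings.workspaceId -ne $DeletedWorkspaceId) {
            Write-Verbose "$($vm.Name): MMA extension reports to another workspace, leaving it alone"
            continue
        }

        Write-Host "Removing $($ext.Name) from $($vm.Name): it reports to deleted workspace $DeletedWorkspaceId"
        Remove-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name $ext.Name -Force
    }
}
```

Run it with -Verbose to see the VMs that were skipped; after the removal, auto-provisioning re-creates the default workspace for each affected region on its next pass.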


4. What if the Log Analytics agent was already installed as an extension on the VM?

Extension already installed before enabling auto-provisioning?

When the Monitoring Agent has already been installed as an extension (for example, a manual installation via the API), the extension configuration allows reporting to only a single workspace.

Defender for Cloud does not override existing connections to user workspaces.

Defender for Cloud will store security data from a VM in a workspace that is already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it.

Defender for Cloud may upgrade the extension version to the latest version in this process.

5. What if a Log Analytics agent is directly installed on the machine but not as an extension (Direct Agent)?

If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version.

The agent installed will continue to report to its already configured workspace(s), and in addition will report to the workspace configured in Defender for Cloud (Multi-homing is supported on Windows machines).

If the configured workspace is a user workspace (not Defender for Cloud's default workspace), you will need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

For Linux machines, agent multi-homing is not yet supported; hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.

For existing machines on subscriptions onboarded to Defender for Cloud before March 17 2019, when an existing agent is detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues.

6. Can I enable Defender for Servers on a subset of machines in a subscription?

As mentioned in the Defender for Cloud FAQ, when you enable Microsoft Defender for Servers on an Azure subscription or on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor agent installed are also protected.
However, as mentioned in Plan your Defender for Servers deployment, you can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed, and those servers won't receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.

To enable Defender for Servers on the workspace:
  1. Navigate to Defender for Cloud > Environment settings and select the workspace you want to configure.
  2. On the Settings | Defender plans page, turn on the Servers switch and save the settings.

Then we can deploy AMA on the VM using PowerShell or Azure Policy:
Deploy AMA extension using PowerShell / Azure Cloud Shell

Associate the Azure VM with a DCR so that the logs are sent to the workspace:
Configure Windows Machines to be associated with a Data Collection Rule
Configure Linux Machines to be associated with a Data Collection Rule
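The two deployment steps above (install the AMA extension, then associate the VM with a Data Collection Rule) in one Az PowerShell script. This is an added example, not code from the GJS-MDC-Tips repo or the linked Microsoft docs. It assumes Az.Compute and Az.Monitor are installed, Connect-AzAccount has been run, the DCR already exists and targets the workspace on which the Servers plan was enabled, and that the resource group, VM name and DCR resource ID are placeholders.

```powershell
# Added example (not from the GJS-MDC-Tips repo).
# 1) Install the Azure Monitor agent (AMA) extension on a VM.
# 2) Associate the VM with an existing Data Collection Rule (DCR) so its data
#    flows to the workspace that DCR targets (where Defender for Servers is enabled).
# Assumes Az.Compute, Az.Monitor and an active Connect-AzAccount session.

$ResourceGroup = 'rg-placeholder'          # placeholder
$VmName        = 'vm-placeholder'          # placeholder
$DcrId         = '/subscriptions/<sub-id>/resourceGroups/rg-placeholder/providers/Microsoft.Insights/dataCollectionRules/dcr-placeholder'  # placeholder

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# AMA has a separate extension type per OS. Note that AMA is not available for
# Windows Server 2008 / 2008 R2 (see the supported OS section), so the install
# step fails there and the legacy agent is the only option.
$isWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'
$extType   = if ($isWindows) { 'AzureMonitorWindowsAgent' } else { 'AzureMonitorLinuxAgent' }

# Step 1: install AMA with automatic minor-version upgrade enabled.
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name $extType `
    -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType $extType `
    -TypeHandlerVersion '1.0' `
    -Location $vm.Location `
    -EnableAutomaticUpgrade $true

# Step 2: associate the VM with the DCR. The DCR, not the extension, decides
# which workspace receives the data, so this is the step that ties the VM to
# the workspace where the Servers plan is turned on.
New-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id `
    -AssociationName "$VmName-dcr-association" `
    -RuleId $DcrId

# Step 3: verify that the association exists.
Get-AzDataCollectionRuleAssociation -TargetResourceId $vm.Id |
    Select-Object Name, DataCollectionRuleId
```

For a fleet, the same two calls can be assigned through Azure Policy (the built-in "Configure ... to be associated with a Data Collection Rule" initiatives the links above point to) instead of running the script per VM.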

7. Billing after enabling Defender for Servers at the subscription and workspace level

Billing for Defender for Servers

When you enable the Servers plan on the subscription level, Defender for Cloud enables the plan on your default workspaces automatically.

If you're using a custom workspace, you need to select it to enable the plan manually.

Notice !!!

If you turn on Defender for Servers for a subscription and for a connected custom workspace, you aren't charged for both. The system identifies unique VMs.

If you enable Defender for Servers on cross-subscription workspaces:

  • For the Log Analytics agent, connected machines from all subscriptions are billed, including subscriptions that don't have the servers plan enabled.
  • For the Azure Monitor agent, billing and feature coverage for Defender for Servers depends only on the plan being enabled in the subscription.

Reference

8. Will I be charged for machines without the Log Analytics agent installed?

As mentioned in Plan data residency and workspaces for Defender for Servers, yes. When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines includes Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have the Log Analytics agent installed are covered by the protections that don't depend on the Log Analytics agent.

9. How to check which recommendation affects the secure score?

Enable continuous export together with the built-in workbook so that you can get more details about how recommendations affect your secure score.
Continuously export Microsoft Defender for Cloud data

Built-in workbook

10. Defender for Cloud supported OS

Defender for Cloud supported OS

MMA and AMA supported OS

AMA is not supported for Windows Server 2008 and 2008 R2.
AMA is supported for Windows Server 2012 and 2012 R2.

11. Will Defender for Servers cover Windows client machines?

  1. Create an Azure VM for the test and note its OS information.

  2. AMA is installed via auto-provisioning.

  3. The Windows 10 Pro client OS is supported by Defender for Cloud.

  4. The machine is protected by Defender for Cloud; we can confirm it in Defender for Cloud > Inventory.

12. Recommendations for on-prem servers

Review Defender for Servers plan
For on-premises servers, to receive configuration recommendations, machines must be onboarded to Azure with Azure Arc, and Defender for Servers must be enabled.

13. Delete and recover Azure Log Analytics workspace (reach the Azure Monitor team)

Delete and recover Azure Log Analytics workspace
