Forum Discussion
MDE vs Azure Defender for Servers
For Question 4:
The Log Analytics Agent will provide the Windows Event logs, or local Syslog from Linux. This is not part of Defender for Endpoint. Defender for Endpoint does provide a fair amount with the tables it creates.
Defender for Cloud will also push the Azure Monitor Agent (AMA). This is the new default moving forward, and the OMS agent (Log Analytics) will be deprecated in 2024.
Either of the agents allows the ingest of Windows Security Events and custom EventIDs. In Defender for Cloud you can have those sent to a separate Log Analytics workspace, i.e., one that has Sentinel deployed on it. This can then be used for the UEBA in Sentinel. This adds anomaly detection as well, plus a multitude of out-of-the-box detections in Sentinel.
Overall - it is not required to install the Log Analytics agent with either Defender for Cloud or Defender for Endpoint. It is useful though for custom logs or Windows event ingestion. Same goes for the new AMA. The AMA however is automatically deployed with Defender for Cloud for all Azure VMs, and then via the Arc agent for non-Azure VMs and on-prem.
Personally I always recommend that you go with Defender for Cloud's Defender for Servers over MDE when it comes to servers because of the additional features, integration with MDE, and license.
Hope this helps.
Is it a no-brainer to always pick the Defender for Endpoint P2 license?
And then the vuln assessment feature is extra? So you can't run a vuln scan from security.microsoft.com w/o P2 + scanning?
Thank you.