Forum Discussion
Which VM security events are required for enhanced security features, e.g. in Defender for Servers?
Thanks for reaching out. I would recommend starting here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic#how-does-defender-for-cloud-collect-data
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-defender-for-servers/ba-p/2767508
Hi StanislavBelov,
Thank you for your response! I have worked through the linked documents, but unfortunately there is no clear answer to my question.
In the first link it says: "Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection." - but it seems that this is not related to collecting (and storing) RAW Windows Security Events via the Autoprovisioning settings (or Environment/Workspace settings) in Defender for Cloud.
The same document says: "Selecting a data collection tier in Microsoft Defender for Cloud only affects the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Defender for Cloud's threat protection, ..." here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic#windows-security-event-options-for-the-log-analytics-agent-
This leads to some confusion, and I am wondering whether it is required to "store" any Windows Security Events via the LA agent to have full DfC functionality or not. And if it is required, which collection tier should be selected to have the full feature range of Defender for Servers? Something like a mapping, e.g. "Adaptive Application Controls" -> requires collection tier "Common", would help a lot in that case.
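A practical check to go with the question above, added here as an example and not part of the original thread: the data collection tier only decides which raw Windows Security Events the Log Analytics agent writes into the SecurityEvent table of the workspace, so the quickest way to see what your current tier actually stores is to query that table directly. The query below assumes a workspace that already has Windows VMs reporting through the Log Analytics agent; the 7-day window is an arbitrary choice.

```kql
// Which raw Windows Security Event IDs are actually being stored, and by how many hosts?
// An empty result means the tier is "None" (or no agent is reporting); a short list of
// logon/account/process events points at a restricted tier, a long tail at "All".
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize Events = count(), Hosts = dcount(Computer), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by EventID
| order by Events desc
```

Run it once before and once after changing the tier in the workspace's Defender for Cloud settings; the difference in the EventID list is exactly the "storage" the quoted documentation refers to, independent of the agent's own in-line analysis for threat protection.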