Hi @ShimKwan
I can try to answer some for you!
Question 1:
I had the same question a while ago! $3 vs $15 right!? It provides quite a few things around what you mentioned, Find info at https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction#what-are...
Question 2:
You need to onboard them first then they will show. (Sorry if I'm teaching you to suck eggs here!)
How to onboard them depends on O/S and where the servers are located. (On prem vs Azure)
You could also set your subscription to enable defender for all resources (Hosted in Azure) which should automatically enrol them. Go to ASC (Now called Defender for cloud) Click on "Environment settings" under management :
and then you can select your subscription, select the subscription and you would see something like this:
You can then use the radio buttons to turn defender on or off for each resource
Question 3:
To view all your servers in DFE Security centre You need to enable integration between Defender for cloud and Defender for Endpoint. Here's how: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=win...
Question 4:
I have the same question! However note that if you onboard a server to MDE by installing the Microsoft management agent, this is the same agent used for onboarding to log analytics!
However its different for newer Server O/S where the telemetry/DFE etc is already built into the O/S and you onboard using the install script (Which simply enables all the built in signals) I will try and find out if you still need log analytics agent as well!
Regards
Christo
For Question 4:
The Log Analytics Agent will use the provide the Windows Event logs, or Local Syslog from Linux. This is not part of defender for Endpoint. Defender for endpoint does provide a fair amount with the tables it creates.
Defender for Cloud will also push the Azure Monitor Agent (AMA). This is the new default moving forward and the OMS agent ( log analytics) will be deprecated 2024.
Either of the agents allow the ingest of Windows Security Events and Custom EventIDs. In defender for cloud you can have those be sent to a separate Log Analytics workspace. I.e., one that has Sentinel deployed on it. This can then be used for the UEBA in Sentinel. This adds anomalous detection as well plus a multitude of out of the box detections in Sentinel.
Overall - It is not required to install the log analytics agent with either defender for cloud or defender for endpoint. It is useful though for custom logs or windows event ingestion. Same goes for the new AMA. The AMA however is automatically deployed with Defender for Cloud for all Azure VMs, and then via the Arc agent for non-Azure VMs and on-prem.
Personally I always recommend that you go with Defender for Cloud's Defender for Servers of MDE when it comes to servers because of the additional features, integration with MDE, and license.
Hope this helps.
