What exactly is difference when comes to enabling different plans against the “azure subscription” here (Azure Pass – Sponsorship) and The Log Analytics Workspace (FirstLAW), which is also under the same subscription.
@RaziEnggEY Let me add bit more details here. During the testing of few scenarios, we found that some of the configuration settings related to "DfC" has causing some level of confusion (refer the attached screen shorts).
When configuring 'Microsoft Defender for Cloud', for the very first time in this subscription [Azure Pass - Sponsorship], we have selected selected few "Defender Plans" like Defender CSPM, Servers, Databases and Storage. After selected the Defender plans, on "settings and monitoring", we have created a 'Log Analytics Workspace', (First LAW). Here is the exact location [Microsoft Defender for Cloud-->Management-->Environment settings-->'Azure Pass - Sponsorship' Subscription -->Settings-->Defender plans-->Settings & Monitoring -->Component-->Log Analytics agent/Azure Monitor agent-->Edit Configuration-->Auto-provisioning configuration-->Custom Workspace-->FirstLAW].
Here we are under the assumption that the 'Microsoft Defender for Cloud' instance is going to utilize the FirstLAW as the preferred 'Log Analytics Workspace' for the subscription and no further configuration is required, may be other than selecting on certain specific configuration areas. However, once you back to the Microsoft Defender for Cloud-->Management-->Environment settings page, you will be able to see, FirstLAW ('Log Analytics Workspace') under the subscription name. If you select "FirstLAW"('Log Analytics Workspace'), you will be able to see more Defender plans listed under it, and it has options again to enable/select plans.
My question here is, what exactly that second set of Defender plans listed under the "FirstLAW"('Log Analytics Workspace'), which is again showing under the same subscription ?
I also struggled with this, and this is what I think is the case:
1) Most defender plans don't use a LAW (Only "Server")
2) You can have many LAW inside a subscription (e.g. for application logging as well)
3) there is some "magic" happening when enabling some plans, namely that a defaultLAW will be created, with some "solutions" enabled by default.
In your case you have made a LAW, and if you configure a VM to send logs to this, it doesn't have the right plans enabled to act on security incidents.
By enabling the "Servers" plan, it will watch the data inside this LAW.
To check which LAW is used, go to Settings Defender plans -> Settings and monitoring on the subscription level
The "default workspace" probably has this enabled by default, and it is not visible in this list.
Definitely a quirk, as well as all the hidden OMS Solutions that also are enabled.