Azure Security Center leverages the Log Analytics agent to scan operating systems for misconfigurations and to gather evidence of malicious behavior, so that security alerts can be created. It shows the “Log Analytics agent should be installed on ...” recommendation when a server does not have the agent installed, but there is no warning when an agent has stopped reporting to its Log Analytics workspace. In addition, you will see the “Azure Defender for Servers should be enabled” recommendation if you have not switched the plan on.
While, from a CSPM (Cloud Security Posture Management) perspective, it makes sense to show only the agent installation status (because agent monitoring is part of operations, not of environment hardening), SOC teams have asked for a capability to easily see which machines are “securely monitored”. A machine counts as securely monitored if three conditions are met:
the machine is protected by Azure Defender for Servers, which means that the plan has been enabled on the machine’s subscription
the Log Analytics agent has been installed and is connected to a workspace which has Azure Defender for Servers enabled