Microsoft Tech Community

Which VM security events are required for enhanced security features, e.g. in Defender for Servers?


Hi Azure Cloud Defenders!

I would like to understand which Defender for Cloud features require VM security events to be collected, and to what extent. According to a recent webinar, it is a common misconception that threat detection and vulnerability assessment for VMs rely on that data being collected/ingested. On the other hand, the docs, e.g. for adaptive application controls, lead me to assume that gathering those events/logs is required for that feature.

Can someone explain in which cases/scenarios event logs from VMs must be collected and ingested into the Log Analytics workspace? Furthermore, it would be good to know the level of data to store (all events, common, minimal) for each case. Thank you very much in advance!


Hi @Stanislav Belov,

Thank you for your response! I have worked through the linked documents, but unfortunately there is no clear answer to my question.

In the first link it says: "Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection." But it seems that this is not related to collecting (and storing) raw Windows Security Events via the auto-provisioning settings (or Environment/Workspace settings) in Defender for Cloud.

The same document says: "Selecting a data collection tier in Microsoft Defender for Cloud only affects the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Defender for Cloud's threat protection, ..." here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-...


This leads to some confusion, and I am wondering whether it is required to "store" any Windows Security Events via the LA agent to have full DfC functionality or not. And if it is required, which collection tier should be selected to have the full feature range of Defender for Servers? Something like a mapping, e.g. "Adaptive Application Controls" -> requires collection tier "Common", would help a lot in that case.