Azure Defender for Servers Monitoring Dashboard - Microsoft Tech Community
Azure Security Center will leverage the Log Analytics agent to scan operating systems for misconfiguration, or to gather evidence for malicious behavior, so security alerts can be created. It will show the “Log Analytics agent should be installed on ... " recommendation in case there is a server that does not have the agent installed, but there won’t be a warning in case an agent stopped reporting to its Log Analytics workspace. In addition to that, you will see the “Azure Defender for Servers should be enabled” recommendation in case you have not switched the plan on.
While, from a CSPM (=Cloud Security Posture Management) perspective, it makes sense to only show the agent installation status ( because agent monitoring is part of operations, not of environment hardening), SOC teams have asked for a capability to easily see machines that are “securely monitored” if three conditions are met:
- the machine is protected by Azure Defender for Servers, which means that the plan has been enabled on the machine’s subscription
- the Log Analytics agent has been installed and is connected to a workspace which has Azure Defender for Servers enabled
- the agent is properly reporting