Log Analytics
6 Topics

Defender for SQL for on-prem Azure Arc connected SQL servers
I am having trouble using the Azure Built-In policy "Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR". I would assume a newly created DCR would work just fine, but I am unsure, as when I use the policy that will automatically create a DCR and LA workspace, it works fine. Does my DCR need to be configured with a special data source and destination? (Similar to how Azure Monitor needs a special DCR for Arc machines.)
253 Views, 0 likes, 0 Comments

Blog | Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and its impact on customers. There are two Defender for Cloud plans with features relying on the Log Analytics agent: Defender for Servers Plan 2 and Defender for SQL server on machines. As part of an updated strategy, Azure Monitor Agent (also known as AMA) won't be a requirement as part of our Defender for Servers offering, but will remain required as part of Defender for SQL server on machines. As a result, Defender for Servers' features and capabilities outlined below, as well as the auto-provisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted accordingly. Read the full blog post: Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation - Microsoft Community Hub
915 Views, 0 likes, 0 Comments

New Blog Post | How to configure Security Events collection with Azure Monitor Agent
How to configure Security Events collection with Azure Monitor Agent - Microsoft Community Hub
Although Microsoft Defender for Servers (part of the Microsoft Defender for Cloud suite) does not rely on security events collection to provide its protection capabilities, customers may want to collect this valuable data to bring additional context to their server security investigations or alerts. For this reason, Defender for Servers Plan 2 users benefit from a 500-MB free data ingestion allowance (per day, per server) into Log Analytics, as long as the Defender for Servers Plan 2 is also enabled at the Log Analytics Workspace level. Security events collection (for Windows systems only) is done with the help of a guest agent. This has been possible so far with the legacy Log Analytics agent and the Defender for Servers auto-provisioning experience, and is also possible for Microsoft Sentinel users, via the Log Analytics and Azure Monitor Agent (AMA) data connectors. However, if you are not a Sentinel user yet and you are using Defender for Servers with the new AMA experience, it is still possible to collect security events, as you will learn next.
951 Views, 0 likes, 0 Comments

Log Analytics workspace
Hello, can anyone help me understand the workspace used for Defender for Cloud? How do I identify which workspace Defender for Cloud is connected to? The older version of Defender for Cloud has a clear mention of the workspace name to which it is connected; the latest version just displays it as "Default Workspace", not the actual name of the workspace, and there are multiple "Default workspaces" in a subscription/tenant. Thanks in Adv.
1.7K Views, 1 like, 1 Comment

SecurityEvent table gets populated with events although data collection not configured?
Hi, I've inherited in my new workplace an Azure environment with multiple subscriptions. I'm trying to create an inventory of what is logged and where. What I'm doing now is to get, for each subscription, the auto provisioning status. The script is simple:

    Connect-AzAccount
    $azSubs = Get-AzSubscription

    # Set array to collect one row per subscription
    $Results = @()

    foreach ($azSub in $azSubs) {
        # Switch the current context to this subscription
        $azSub | Set-AzContext
        Write-Host "Processing subscription: " $azSub.Name

        # Read the Defender for Cloud auto-provisioning and workspace settings
        $autoProvisioningSettings = Get-AzSecurityAutoProvisioningSetting
        $SecurityWorkspaceSetting = Get-AzSecurityWorkspaceSetting

        $foo = [PSCustomObject]@{
            Subscription             = $azSub.Name
            AutoProvision            = $autoProvisioningSettings.AutoProvision
            SecurityWorkspaceSetting = $SecurityWorkspaceSetting.WorkspaceId
        }
        $Results += $foo
    }

    $Results

Get-AzSecurityAutoProvisioningSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityautoprovisioningsetting?view=azps-8.2.0
Automatic Provisioning Settings let you decide whether you want Azure Security Center to automatically provision a security agent that will be installed on your VMs. The security agent will monitor your VM to create security alerts and monitor the security compliance of the VM.

Get-AzSecurityWorkspaceSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityworkspacesetting?view=azps-8.2.0
This cmdlet lets you discover the configured workspace that will hold the security data that was collected by the security agent that is installed in VMs inside this subscription.

So basically, I'm aiming to get the following details, but programmatically rather than clicking 10000 times:

Now, here comes the weird part. Take the two below:

The first has auto provisioning set to on, a selected workspace, and security events set to common (basically a 1 to 1 with what I can see in the portal):

The second also has auto provisioning set to on, but no workspace or security events configured:

What I don't understand is why, for the second, if I browse the Log Analytics in that given subscription I can see the SecurityEvent table?! The table description states "security events collected from windows machines by Azure Security Center or Azure Sentinel". We don't have Sentinel in use.... What am I missing??
4.1K Views, 0 likes, 4 Comments

WEF forwarding to Azure Security Centre / Log Analytics
Hello - I am hoping this is possible and a viable option. I currently use Windows Event Forwarding (WEF) with Winlogbeat sending events off to Elasticsearch. Epic, this works great, why would I change this, right? Well, I want to use Azure Log Analytics for my search platform, because I enjoy KustoQL, and I want to use the Azure Security Centre and Sentinel. I already have Office365 Signin, Audit and Mailbox logs in Azure Log Analytics. Is it possible to simply stick the OMS agent on my WEC/WEF server and send events into my Log Analytics workspace? If not, what is the best practice (and MS Solution) for Windows Event Management and Analysis?
Solved. 15K Views, 0 likes, 18 Comments