Default Microsoft Defender for Cloud Data Collection Rule

Bombbe 1,611 Reputation points
2022-12-01T07:59:32.657+00:00

Hi,
We have onboarded a few servers to Azure Arc and are using AMA to collect logs from them.

Then I saw there is this policy: [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

So, what data does that policy collect and where? We are also using Defender Plan 2 with our Arc servers.


2 answers

  1. David Broggy 5,681 Reputation points MVP
    2022-12-01T14:52:51.963+00:00

    Hi bombbe,

    The Arc agent by default will log to the assigned Log Analytics workspace.
    There is no configurable data collection rule by default.
    You can go to Azure Monitor > Data Collection Rule and create additional custom data collection rules.

    reference:
    auto-deploy-azure-monitoring-agent


  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-12-01T16:28:03.54+00:00

    The AMA onboarding documentation does mention that it will automatically create DCR rules, but it doesn't appear that any are created yet. That may be different if you activate the security event collection. Though it is better to collect that data with Sentinel.
