The AMA onboarding documentation does mention that it will automatically create DCR rules, but it doesn't appear that any are created yet. That may be different if you activate the security event collection. Though it is better to collect that data with Sentinel.
Default Microsoft Defender for Cloud Data Collection Rule
Hi,
We have onboarded a few servers to Azure Arc and are using AMA to collect logs from them.
Then I saw there is this policy: [Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule
So, what data does that policy collect and where? We are also using Defender Plan 2 with our Arc servers.
2 answers
Andrew Blumhardt 9,496 Reputation points Microsoft Employee
2022-12-01T16:28:03.54+00:00
David Broggy 5,681 Reputation points MVP
2022-12-01T14:52:51.963+00:00
Hi bombbe,
The Arc agent by default will log to the assigned Log Analytics workspace.
There is no configurable data collection rule by default.
You can go to Azure Monitor > Data Collection Rule and create additional custom data collection rules.
Reference:
auto-deploy-azure-monitoring-agent