This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 28.000000000000004%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA0%3C/text%3E%3C/svg%3E)
Hi,
Anyone can please tell me what’s the difference between enabling Security Event collection with Log Analytics agent using this:
a) Defender for Cloud > Environment Settings > Subscription > Auto provisioning
versus
b) Defender for Cloud > Environment Settings > Subscription > Log Analytics workspace
I see. The first under auto provisioning applies to all workspaces in the subscription that have been activated for MDFC (they have the provider installed). It is possible to have MDFC on more than one workspace. The second option is for setting this at the workspace level. These settings may change soon as MDFC increase support for the new AMA agent\DCR rules. Most only configure this on the Sentinel side or not at all.
Thank you Andrew, it is way clearer now, appreciate it :)!
I hope you don’t mind asking few more questions. Basically, I’m planning to clean up some of the legacy configuration that was made in the past. Was looking at the new AMA agent, and the deprecation path for MMA in 2024. I’m planning to have a at scale approach of enabling MDFC via Azure Policy, however I can’t seem to find a build-in policy definition that would allow me to defined what the actual Log Analytics workspace should be (I don’t want to have MDFC create the default Log Analytics, but rather use one that I already have in place). Also, looking at https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-data-collection-agents#how-can-i-use-my-existing-log-analytics-workspace- “The list only includes workspaces to which you have access and which are in your Azure subscription.” They emphesize subscription not subscriptions, does that mean I can’t have all my subscriptions have MDFC report to a single Log Analytics that is in a different subscription (the hub one) but still within the same tenant?
MDFC support for AMA is new, I haven't looked closely at it myself. You might consider a new thread on that question. My understanding is that you should be able to define a policy at the management group level.
MDFC is a subscription-based service. Every subscription has an MDFC instance. You can send them all to a single workspace in the same tenant. It is common to use the Sentinel workspace for consolidation of MDFC logs. There is also a cost advantage of this due to the 500MB allotment provided for each MDFC server.
MDFC has the option to gather security events for hunting. MDFC does not use this data specifically, it is a collection only option. Sentinel also collects Windows Security events and relies on those events heavily for detection. The portal will prevent collecting from both simultaneously. Sentinel is preferred as the collection method if you use both. If you do not have Sentinel, then consider this optional for MDFC. Also, the 500MB per day allotment for data collection should cover the Security alert data but high-volume systems like a busy DC can run over 500MB and incur an additional log ingestion cost.
Thanks for your answer! So basically, screen shot 1 is for MDFC specific configuration and screen shot 2 for Sentinel ? Is my assumption correct? I'm asking because both config option are in Defender for Cloud.
They both appear to be from MDFC. Sentinel has two data connector options, one for each agent type.
Well, yes, and that was my initial question, how the two ways of enablement differ from each other. Didn’t ask about Sentinel tbh (I’m aware of the native integration via the data connector).
If within MDFC you’ve got two different places to enable it, then a) there is a reason for this, or b) it just another Microsoft nonsense to confuse people.