How does Defender for Cloud collect data?
Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.
Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.
You can benefit from Microsoft Defender for Cloud even if you don’t provision agents. However, you'll have limited security and the capabilities listed aren't supported.
Data is collected using:
- Azure Monitor Agent (AMA)
- Microsoft Defender for Endpoint (MDE)
- Log Analytics agent
- Security components, such as the Azure Policy for Kubernetes
Why use Defender for Cloud to deploy monitoring components?
Visibility into the security of your workloads depends on the data that the monitoring components collect. The components ensure security coverage for all supported resources.
To save you the process of manually installing the extensions, Defender for Cloud reduces management overhead by installing all required extensions on existing and new machines. Defender for Cloud assigns the appropriate Deploy if not exists policy to the workloads in the subscription. This policy type ensures the extension is provisioned on all existing and future resources of that type.
Tip
Learn more about Azure Policy effects, including Deploy if not exists, in Understand Azure Policy effects.
What plans use monitoring components?
These plans use monitoring components to collect data:
- Defender for Servers
- Azure Arc agent (For multicloud and on-premises servers)
- Microsoft Defender for Endpoint
- Vulnerability assessment
- Azure Monitor Agent or Log Analytics agent
- Defender for SQL servers on machines
- Azure Arc agent (For multicloud and on-premises servers)
- Azure Monitor Agent or Log Analytics agent
- Automatic SQL server discovery and registration
- Defender for Containers
- Azure Arc agent (For multicloud and on-premises servers)
- Defender sensor, Azure Policy for Kubernetes, Kubernetes audit log data
Availability of extensions
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Azure Monitor Agent (AMA)
| Aspect | Details |
|---|---|
| Release state: | Generally available (GA) |
| Relevant Defender plan: | Defender for SQL Servers on Machines |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: | 
Azure virtual machines
Azure Arc-enabled machines |
| Policy-based: |
Yes |
| Clouds: |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Learn more about using the Azure Monitor Agent with Defender for Cloud.
Log Analytics agent
| Aspect | Azure virtual machines | Azure Arc-enabled machines |
|---|---|---|
| Release state: | Generally available (GA) | Generally available (GA) |
| Relevant Defender plan: | Foundational Cloud Security Posture Management (CSPM) for agent-based security recommendations Microsoft Defender for Servers Microsoft Defender for SQL |
Foundational Cloud Security Posture Management (CSPM) for agent-based security recommendations Microsoft Defender for Servers Microsoft Defender for SQL |
| Required roles and permissions (subscription-level): | Owner | Owner |
| Supported destinations: |
Azure virtual machines |
Azure Arc-enabled machines |
| Policy-based: |
No |
Yes |
| Clouds: |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Supported operating systems for the Log Analytics agent
Defender for Cloud depends on the Log Analytics agent. Ensure your machines are running one of the supported operating systems for this agent as described on the following pages:
- Log Analytics agent for Windows supported operating systems
- Log Analytics agent for Linux supported operating systems
Also ensure your Log Analytics agent is properly configured to send data to Defender for Cloud.
Deploying the Log Analytics agent in cases of a pre-existing agent installation
The following use cases explain how deployment of the Log Analytics agent works in cases when there's already an agent or extension installed.
Log Analytics agent is installed on the machine, but not as an extension (Direct agent) - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension and might upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspaces and to the workspace configured in Defender for Cloud. (Multi-homing is supported on Windows machines.)
If the Log Analytics is configured with a user workspace and not Defender for Cloud's default workspace, you'll need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.
For Linux machines, Agent multi-homing isn't yet supported. If an existing agent installation is detected, the Log Analytics agent won't be deployed.
For existing machines on subscriptions onboarded to Defender for Cloud before 17 March 2019, when an existing agent will be detected, the Log Analytics agent extension won't be installed and the machine won't be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.
System Center Operations Manager agent is installed on the machine - Defender for Cloud will install the Log Analytics agent extension side by side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process.
A pre-existing VM extension is present:
- When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution was installed on it. Defender for Cloud might upgrade the extension version to the latest version in this process.
- To see to which workspace the existing extension is sending data to, run the TestCloudConnection.exe tool to validate connectivity with Microsoft Defender for Cloud, as described in Verify Log Analytics agent connectivity. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
- If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Microsoft Defender for Cloud to make sure your operating system is supported.
Learn more about working with the Log Analytics agent.
Microsoft Defender for Endpoint
| Aspect | Linux | Windows |
|---|---|---|
| Release state: | Generally available (GA) | Generally available (GA) |
| Relevant Defender plan: | Microsoft Defender for Servers | Microsoft Defender for Servers |
| Required roles and permissions (subscription-level): | - To enable/disable the integration: Security Admin or Owner - To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security Admin, Subscription owner, or Subscription Contributor |
- To enable/disable the integration: Security Admin or Owner - To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security Admin, Subscription owner, or Subscription Contributor |
| Supported destinations: |
Azure Arc-enabled machines
Azure virtual machines |
Azure Arc-enabled machines
Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Azure Virtual Desktop, Windows 10 Enterprise multi-session
Azure VMs running Windows 10 |
| Policy-based: |
No |
No |
| Clouds: |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Learn more about Microsoft Defender for Endpoint.
Vulnerability assessment
| Aspect | Details |
|---|---|
| Release state: | Generally available (GA) |
| Relevant Defender plan: | Microsoft Defender for Servers |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: |
Azure virtual machines
Azure Arc-enabled machines |
| Policy-based: |
Yes |
| Clouds: |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Guest Configuration
| Aspect | Details |
|---|---|
| Release state: | Preview |
| Relevant Defender plan: | No plan required |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: |
Azure virtual machines |
| Clouds: |
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Learn more about Azure's Guest Configuration extension.
Defender for Containers extensions
This table shows the availability details for the components required by the protections offered by Microsoft Defender for Containers.
By default, the required extensions are enabled when you enable Defender for Containers from the Azure portal.
| Aspect | Azure Kubernetes Service clusters | Azure Arc-enabled Kubernetes clusters |
|---|---|---|
| Release state: | • Defender sensor: GA • Azure Policy for Kubernetes: Generally available (GA) |
• Defender sensor: Preview • Azure Policy for Kubernetes: Preview |
| Relevant Defender plan: | Microsoft Defender for Containers | Microsoft Defender for Containers |
| Required roles and permissions (subscription-level): | Owner or User Access Administrator | Owner or User Access Administrator |
| Supported destinations: | The AKS Defender sensor only supports AKS clusters that have RBAC enabled. | See Kubernetes distributions supported for Arc-enabled Kubernetes |
| Policy-based: |
Yes |
Yes |
| Clouds: | Defender sensor:
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet Azure Policy for Kubernetes:
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Defender sensor:
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet Azure Policy for Kubernetes:
Commercial clouds
Azure Government, Microsoft Azure operated by 21Vianet |
Learn more about the roles used to provision Defender for Containers extensions.
Troubleshooting
- To identify monitoring agent network requirements, see Troubleshooting monitoring agent network requirements.
- To identify manual onboarding issues, see How to troubleshoot Operations Management Suite onboarding issues.
Next steps
This page explained what monitoring components are and how to enable them.
Learn more about:
- Setting up email notifications for security alerts
- Protecting workloads with the Defender plans