Can we send Defender for Cloud's logs to Sentinel's LAW without "Defender for cloud connector" configured in Sentinel?

Rakesh Singh 390 Reputation points
2024-11-12T14:28:00.0966667+00:00

Question: While deploying Defender for Cloud, if we select the same LAW (workspace) that Sentinel is using, do we still need to configure the Defender for Cloud connector in Sentinel? In this scenario, should Defender for Cloud and Sentinel's LAW be in the same subscription?

And also, if we use a different LAW for Defender for Cloud, can we add another LAW in Defender for Cloud which would be the same LAW used by Sentinel? If yes, can you share a link that explains Defender for Cloud's workspace configurations?

Regards,
Rakesh Singh

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Sentinel

1 answer

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2024-11-25T13:31:21.0433333+00:00

    Good question. :-)

    Think of Def for Cloud as having three datasets. You have the alerts, the data behind the visuals like recommendations, and the Defender for Servers data.

    Alerts are sent to Sentinel using a data connector. It is a common misconception that this connector contains data. Alerts from 1st party Microsoft services are free in Sentinel. The Sentinel-MDC connector is going away, replaced by the new Unified XDR portal. If and when you activate the unified portal, MDC alerts will flow into Unified XDR first with no additional configuration or connector required. The MDC alerts become part of Sentinel via the XDR connector. Point being that the MDC connector in Sentinel is going away.

    Your MDC background data like recommendations and attack paths are stored in each subscription in the resource graph. This data does not contain much in the way of hunting but you may want to store this in a workspace for retention, compliance, or easier reporting. Some of the MDC reports also require that you export this data. Best practice is to choose a central workspace like Sentinel. This data is negligible in size but not free. https://learn.microsoft.com/en-us/azure/defender-for-cloud/benefits-of-continuous-export

    Defender for Servers will create a default workspace for each subscription at activation. You can redirect D4S to use a different workspace. It is a best practice to redirect all subscriptions to a central workspace, and if you choose Sentinel, there is a potential cost savings. The 500MB discount associated with MDC only applies to specific tables and only to the linked workspace(s), preferably Sentinel. This is configured in environment settings for each subscription or by policy. This data can be larger but is mostly covered by the 500MB discount. Most notably, Windows Security Events is the only table involved of significant size.

    Defender for Servers has an option to collect Windows Security Event logs, though it is highly recommended that you do not use this option if collecting security events with Sentinel. I think the MDC option may even be auto disabled when using Sentinel. Doing so would duplicate a potentially expensive dataset. If you link Defender for Servers to Sentinel by sharing the same workspace, the 500MB discount will help to offset security event ingestion costs, even if collected by the Sentinel connector. Also, with Sentinel split pricing the 500MB discount applies only to the workspace cost but with Sentinel simplified pricing the discount applies to both.

    Lastly, there is a roadmap in development, largely deployed already, to eliminate the reliance on the deprecated Microsoft Monitoring Agent and the Azure Monitoring Agent, replacing reliance on an agent with agentless and Defender for Endpoint capabilities. Since the MDE sensor is part of the OS, it should be possible to use Defender for Servers without an agent and therefore without a workspace, though there are some lingering workspace dependencies like Defender for SQL. The 500MB discount will continue to be available, even when a workspace is not specifically defined.

    Complicated right? :-)

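A workspace-side check for the cost points made in the answer above (an added example, not part of the original post): it sizes each table's billable ingestion over the last 30 days and marks which tables fall under the Defender for Servers 500MB-per-node daily allowance. The table list is assumed from the public Defender for Cloud pricing documentation and should be verified against the current docs before relying on it.

```kql
// Added example: per-table billable volume in the Sentinel workspace, with a flag
// for tables assumed to be covered by the Defender for Servers 500MB allowance.
// benefitTables is an assumption taken from public pricing docs, not from this post.
let benefitTables = dynamic([
    "SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection",
    "SecurityEvent", "WindowsFirewall", "SysmonEvent", "ProtectionStatus",
    "Update", "UpdateSummary", "CommonSecurityLog", "Syslog"]);
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
// Usage.Quantity is reported in MB per hourly slice; roll it up to a daily figure per table
| summarize DailyMB = sum(Quantity) by DataType, Day = bin(StartTime, 1d)
| extend CoveredByD4SBenefit = DataType in (benefitTables)
| summarize AvgDailyMB = round(avg(DailyMB), 1), PeakDailyMB = round(max(DailyMB), 1)
    by DataType, CoveredByD4SBenefit
// SecurityEvent at the top with CoveredByD4SBenefit == true is the expected picture when
// D4S and Sentinel share the workspace; a large uncovered table is what to look into
| order by AvgDailyMB desc
```

If SecurityEvent volume roughly doubles after enabling the Defender for Servers security-event option alongside the Sentinel connector, that is the duplication the answer warns about.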
