Microsoft Defender for Cloud and Log Analytics Workspace with Azure Monitor Agent

Question

Hello,

Over the past few days I have been testing MS Defender for Cloud with the new Azure Monitor Agent. There is one setup I have not been able to get to work, which is unfortunately one I would like to have included in my design which includes a dedicated subscription for security related matters.

Is it currently possible to use a single Log Analytics Workspace to store Defender for Cloud data for multiple subscriptions when using the new Azure Monitor Agent?
I believe this was possible with the old Log Analytics Agent.

I have tried with two approaches:

Approach number 1:

• enable Defender for Cloud Plan 2 on the subscription level
• configure Azure Monitor Agent auto-provisioning
  The problem with this approach is that I can only select a Log Analytics Workspace from the subscription I am enabling Defender on. Which does not suit my needs.

Approach number 2:

• enable Defender for Cloud Plan 2 on the Log Analytics Workspace level
• configure a Data Collection Rule (pretty much a copy of the DCR that's created automatically after enabling agent auto-provisioning), setting the destination as the Defender-enabled Workspace
• associate the DCR with my test VMs
  Using this approach, I can see the SecurityCenterFree and Security Solutions enabled on the Workspace, the DCR properly shows the VM association, but not a single security related log had appeared in the Workspace. In fact, the only logs I have available are Heartbeat and Usage.

Is there any way to make it work the way I want to?

Kind regards,

Wojciech

Answer 1

The first option should work. I can see workspaces from several subscriptions in my lab. I assume it may be permission related.

Though the documentation suggests that the workspace must be in the same subscription...

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-data-workspace