Over the past few days I have been testing MS Defender for Cloud with the new Azure Monitor Agent. There is one setup I have not been able to get to work, which is unfortunately one I would like to have included in my design, which includes a dedicated subscription for security-related matters.
Is it currently possible to use a single Log Analytics Workspace to store Defender for Cloud data for multiple subscriptions when using the new Azure Monitor Agent?
I believe this was possible with the old Log Analytics Agent.
I have tried with two approaches:
Approach number 1:
- enable Defender for Cloud Plan 2 on the subscription level
- configure Azure Monitor Agent auto-provisioning
The problem with this approach is that I can only select a Log Analytics Workspace from the subscription I am enabling Defender on, which does not suit my needs.
Approach number 2:
- enable Defender for Cloud Plan 2 on the Log Analytics Workspace level
- configure a Data Collection Rule (pretty much a copy of the DCR that's created automatically after enabling agent auto-provisioning), setting the destination as the Defender-enabled Workspace
- associate the DCR with my test VMs
Using this approach, I can see the SecurityCenterFree and Security Solutions enabled on the Workspace, and the DCR properly shows the VM association, but not a single security-related log has appeared in the Workspace. In fact, the only logs I have available are Heartbeat and Usage.
Is there any way to make it work the way I want to?