AzureMonitorLinuxAgent vs. AzureSecurityLinuxAgent vs. AzureDefenderForServers.MDE.Linux

Martin Macko 15 Reputation points
2023-05-04T13:13:08.6633333+00:00

Hi,

Can somebody help me to understand the difference between these 3 agents?

  1. Microsoft.Azure.Monitor.AzureMonitorLinuxAgent
  2. Microsoft.Azure.Security.Monitoring.AzureSecurityLinuxAgent (or AzureSecurityWindowsAgent)
  3. Microsoft.Azure.AzureDefenderForServers.MDE.Linux

We want to enable defender for servers and enable vulnerability scanning.

I thought that the MDE.Linux agent is the one doing vulnerability scanning, but what then is the role of AzureSecurityLinuxAgent?

If AzureSecurityLinuxAgent is only for logging some data to feed Defender for Cloud, then what is the purpose of AzureMonitorLinuxAgent?

The worst thing is that there is almost no documentation about what these agents actually do. I understand that AzureMonitorLinuxAgent is basically the Azure Monitor agent, which is used to collect specific OS logs and send them to a Log Analytics workspace, but what is its role when it comes to Defender for Cloud?

What I want to know is the difference between them, which agent we should deploy in order to have vulnerability scanning for Azure VMs enabled, and which agent to deploy so that Defender for Cloud has all the necessary info from the VM.

Thanks!

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. David Broggy 5,681 Reputation points MVP
    2023-05-04T13:27:28.2533333+00:00

    Hi Martin,

    You shouldn't need any agents aside from the initial deployment of Defender for Servers:
    https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-vulnerability-assessment-agentless
    "When you enable Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2, agentless scanning is enabled by default."

    As for the 3 agents you mentioned:
    #1 is old, #2 (AMA) is new, and #3 is the Defender for Server agent.

    At least that's my understanding.

    Reference:
    https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent


  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-05-04T14:10:51.6433333+00:00
    1. Microsoft.Azure.Monitor.AzureMonitorLinuxAgent - New AMA for Linux
    2. AzureSecurityWindowsAgent - I assume this is something related to Defender for Servers
    3. Microsoft.Azure.AzureDefenderForServers.MDE.Linux - This is the MDE client for Linux
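An added example, not part of this thread and not Microsoft's code: a small inventory script that ties the three extension names from the question back to what each VM actually carries. It consumes a list of extension records in the shape of `az vm extension list -o json` output (the field names `id`, `publisher`, `typePropertiesType` and `provisioningState` are an assumption about that format), splits the dotted names from the question into publisher and type, and reports per VM which of the agents is present, missing, or not in a Succeeded state. The sample records, subscription ID, resource group and VM names are constructed here; the CustomScript extension on `app01` is only there to show an unrelated extension being ignored.

```python
"""Inventory which Defender for Cloud / Azure Monitor agent extensions each VM carries.

Added example for the thread above; the JSON shape mirrors `az vm extension list`
output but the exact field names are an assumption, and all records are constructed.
"""
import json
import re

# Publisher / type pairs split from the dotted extension names quoted in the question.
# Only names that appear in the thread are listed.
AGENT_ROLES = {
    ("Microsoft.Azure.Monitor", "AzureMonitorLinuxAgent"): "ama",
    ("Microsoft.Azure.Security.Monitoring", "AzureSecurityLinuxAgent"): "legacy-security",
    ("Microsoft.Azure.Security.Monitoring", "AzureSecurityWindowsAgent"): "legacy-security",
    ("Microsoft.Azure.AzureDefenderForServers", "MDE.Linux"): "mde",
}

# Constructed sample (placeholder subscription, resource group and VM names).
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample"
           "/providers/Microsoft.Compute/virtualMachines/")
SAMPLE_JSON = json.dumps([
    {"id": _PREFIX + "web01/extensions/AzureMonitorLinuxAgent",
     "publisher": "Microsoft.Azure.Monitor", "typePropertiesType": "AzureMonitorLinuxAgent",
     "provisioningState": "Succeeded"},
    {"id": _PREFIX + "web01/extensions/MDE.Linux",
     "publisher": "Microsoft.Azure.AzureDefenderForServers", "typePropertiesType": "MDE.Linux",
     "provisioningState": "Succeeded"},
    {"id": _PREFIX + "db01/extensions/AzureSecurityLinuxAgent",
     "publisher": "Microsoft.Azure.Security.Monitoring", "typePropertiesType": "AzureSecurityLinuxAgent",
     "provisioningState": "Succeeded"},
    {"id": _PREFIX + "db01/extensions/AzureMonitorLinuxAgent",
     "publisher": "Microsoft.Azure.Monitor", "typePropertiesType": "AzureMonitorLinuxAgent",
     "provisioningState": "Failed"},
    {"id": _PREFIX + "app01/extensions/CustomScript",
     "publisher": "Microsoft.Azure.Extensions", "typePropertiesType": "CustomScript",
     "provisioningState": "Succeeded"},
])

# Extension resource IDs carry the owning VM name between these two path segments.
VM_ID_RE = re.compile(r"/virtualMachines/([^/]+)/extensions/", re.IGNORECASE)


def vm_name_from_id(resource_id):
    """Return the VM name embedded in an extension resource ID, or None if it is not one."""
    match = VM_ID_RE.search(resource_id)
    return match.group(1) if match else None


def inventory(extensions):
    """Map each VM to {role: provisioningState} for the agents in AGENT_ROLES.

    Every VM seen in the input gets an entry, even with no matching agent,
    so that absences can be reported rather than silently dropped.
    """
    found = {}
    for ext in extensions:
        vm = vm_name_from_id(ext.get("id", ""))
        if vm is None:
            continue
        roles = found.setdefault(vm, {})
        role = AGENT_ROLES.get((ext.get("publisher"), ext.get("typePropertiesType")))
        if role:
            roles[role] = ext.get("provisioningState", "Unknown")
    return found


def findings(extensions):
    """Per-VM observations: AMA/MDE missing or not Succeeded, legacy security agent present."""
    out = {}
    for vm, roles in sorted(inventory(extensions).items()):
        notes = []
        for role in ("ama", "mde"):
            if role not in roles:
                notes.append(f"{role}: missing")
            elif roles[role] != "Succeeded":
                notes.append(f"{role}: provisioningState {roles[role]}")
        if "legacy-security" in roles:
            notes.append("legacy-security: present")
        out[vm] = notes
    return out


def sample_findings():
    """Run the report over the constructed sample records."""
    return findings(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for vm, notes in sample_findings().items():
        print(f"{vm}: {'; '.join(notes) or 'ama and mde present, Succeeded'}")
```

Against real output, feed it the combined JSON of `az vm extension list` for each VM (or the extension resources from `az resource list --resource-type Microsoft.Compute/virtualMachines/extensions`); the report does not judge which agent is required, it only shows the legacy security agent, AMA and MDE.Linux side by side so the deployment state can be compared with the answers above.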