Thank you for the response and advice given, James & Bharathn. Looking at our setting, the auto-provisioning of Log Analytics agent has been turned on but currently, the centralised workspace is not specified, and types of raw data of the Windows security events has not been selected.
However, we do have a centralised Log Analytics workspace created, mentioned earlier, and connected to all subscriptions, as shown below. What is the difference of the workspace connection between these 2 setups?
Do I still need to specify the connection to the centralised workspace by individual subscription in the setting shown on the first screenshot?
Without selecting the type of raw data to store, is "None" the default? Please advise if selecting the raw data storage option is essential as our Security Center currently has been providing recommendations on some controls, as shown in the screenshot below. Just wonder what other security events are missing or unavailable at this juncture. Your additional input will be very much appreciated.