Defender for SQL Servers - DCRs, LAW and settings

vincent manzari 41 Reputation points
2024-08-04T07:47:51.4966667+00:00

Hello all,

we have activated Defender for SQL Servers in a customer environments. When we have enabled Defender for SQL, it automatically created some resources (as documented by MS) specifically:

  • DCR: MicrosoftDefenderForSQL--dcr
  • DCRA: /Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation
  • Resource group: DefaultResourceGroup-
  • Log analytics workspace: D4SQL--

In the first time, we have enabled 5 instance on D4SQL and we seen them in the DCR. Based on customer request, we need to use only one LAW for all data. Currently we use this LAW for AMA and Log Forwarders. For D4SQL we have tried to change the configuration on Defender for Cloud Portal

2024-08-04 09_34_42-Settings - Microsoft Azure and 1 more page - [InPrivate] - Microsoft​ Edge

2024-08-04 09_34_42-Settings - Microsoft Azure and 1 more page - [InPrivate] - Microsoft​ Edge

and we have specified the custom LAW

2024-08-04 09_34_42-Settings - Microsoft Azure and 1 more page - [InPrivate] - Microsoft​ Edge

After the change, we have migrated 3 servers from the on-premise that have SQL installed. SQL extention was successfully installed but after our expectation was to see the new servers covered on D4SQL. This wasn't happen, and when we checked in the DCR, we seen only the previous servers configured. Also in the D4Cloud portal we seen 5 instances instead of 8. To test, we have added 1 of the last 3 servers in the DCR and after a while we have seen 6/6 instances on D4Cloud portal.

It's a normal behaviour? What we need to do to have the 3 servers (and future servers) automatically covered by D4SQL and added in the DCR ? We need to reconfigure D4SQL? or we need to mantain the D4SQL in its LAW created when enabled?

Thank you for the support

Vincent

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
39,200 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.