FAQ - Questions about data collection, agents, and workspaces

Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual machine scale sets, IaaS containers, and non-Azure computers (including on-premises machines) to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis.

Am I billed for Azure Monitor logs on the workspaces created by Defender for Cloud?

As explained in the pricing and billing FAQ, there is a 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.

Workspaces created by Defender for Cloud, while configured for Azure Monitor logs per node billing, don't incur Azure Monitor logs charges. Defender for Cloud billing is always based on your Defender for Cloud security policy and the solutions installed on a workspace:

  • Enhanced security off – Defender for Cloud enables the "SecurityCenterFree" solution on the default workspace. There are no charges when there are no Defender plans enabled.

  • All Microsoft Defender for Cloud plans enabled – Defender for Cloud enables the "Security" solution on the default workspace.

For pricing details in your local currency or region, see the pricing page.

Note

The log analytics pricing tier of workspaces created by Defender for Cloud does not affect Defender for Cloud billing.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

What is the Log Analytics agent?

To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud depends on the Log Analytics Agent - this is the same agent used by the Azure Monitor service.

The agent is sometimes referred to as the Azure Monitor Agent (or "AMA").

The agent collects various security-related configuration details and event logs from connected machines, and then copies the data to your Log Analytics workspace for further analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.

Ensure your machines are running one of the supported operating systems for the agent as described on the following pages:

Learn more about the data collected by the Log Analytics agent.

What qualifies a VM for automatic provisioning of the Log Analytics agent installation?

Windows or Linux IaaS VMs qualify if:

  • The Log Analytics agent extension is not currently installed on the VM.
  • The VM is in running state.
  • The Windows or Linux Azure Virtual Machine Agent is installed.
  • The VM is not used as an appliance such as web application firewall or next generation firewall.

Where is the default Log Analytics workspace created?

The location of the default workspace depends on your Azure region:

  • For VMs in the United States and Brazil the workspace location is the United States
  • For VMs in Canada, the workspace location is Canada
  • For VMs in Europe the workspace location is Europe
  • For VMs in the UK the workspace location is the UK
  • For VMs in East Asia and Southeast Asia the workspace location is Asia
  • For VMs in Korea, the workspace location is Korea
  • For VMs in India, the workspace location is India
  • For VMs in Japan, the workspace location is Japan
  • For VMs in China, the workspace location is China
  • For VMs in Australia, the workspace location is Australia

What security events are collected by the Log Analytics agent?

For a full list of the security events collected by the agent, see What event types are stored for the "Common" and "Minimal" security events settings?.

Important

For some services, such as Azure Firewall, if you have enabled logging and chosen a chatty resource to log (for example, setting the log to verbose) you may see significant impacts on your Log Analytics workspace storage needs.

Can I delete the default workspaces created by Defender for Cloud?

Deleting the default workspace is not recommended. Defender for Cloud uses the default workspaces to store security data from your VMs. If you delete a workspace, Defender for Cloud is unable to collect this data and some security recommendations and alerts are unavailable.

To recover, remove the Log Analytics agent on the VMs connected to the deleted workspace. Defender for Cloud reinstalls the agent and creates new default workspaces.

How can I use my existing Log Analytics workspace?

You can select an existing Log Analytics workspace to store data collected by Defender for Cloud. To use your existing Log Analytics workspace:

  • The workspace must be associated with your selected Azure subscription.
  • At a minimum, you must have read permissions to access the workspace.

Note

A Log Analytics agent and the machine on which it’s running should both report to a Log Analytics workspace in the same tenant. If they’re reporting to different tenants, you won’t get security alerts from that agent.

To select an existing Log Analytics workspace:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription.

  3. In the Monitoring coverage column of the Defender for Server plan, select Settings.

  4. For the Log Analytics agent, select Edit configuration.

    The configuration of the Log Analytics agent to use when using auto deploy

  5. Select Connect Azure VMs to a different workspace and choose your existing workspace.

    Selecting a non-default workspace for your Log Analytics agent to report to

    Tip

    The list only includes workspaces to which you have access and which are in your Azure subscription.

  6. Select Save. You will be asked if you would like to reconfigure monitored VMs.

    Important

    This choice is only relevant if you're changing the configuration from the default workspace to a custom workspace. If you're changing the setting from one custom workspace to another, or from a custom workspace to the default workspace, the change won't be applied to existing machines.

    • Select No if you want the new workspace settings to apply on new VMs only. The new workspace settings only apply to new agent installations; newly discovered VMs that do not have the Log Analytics agent installed.
    • Select Yes if you want the new workspace settings to apply on all VMs. In addition, every VM connected to a Defender for Cloud created workspace is reconnected to the new target workspace.

    Note

    If you select Yes, don't delete any workspaces created by Defender for Cloud until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

What if the Log Analytics agent was already installed as an extension on the VM?

When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud does not override existing connections to user workspaces. Defender for Cloud will store security data from a VM in a workspace that is already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.

For more information, see Automatic provisioning in cases of a pre-existing agent installation.

What if a Log Analytics agent is directly installed on the machine but not as an extension (Direct Agent)?

If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version.

The agent installed will continue to report to its already configured workspace(s), and in addition will report to the workspace configured in Defender for Cloud (Multi-homing is supported on Windows machines).

If the configured workspace is a user workspace (not Defender for Cloud's default workspace), you will need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

For Linux machines, Agent multi-homing is not yet supported - hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.

For existing machines on subscriptions onboarded to Defender for Cloud before March 17 2019, when an existing agent will be detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines

For more information, see the next section What happens if a System Center Operations Manager or OMS direct agent is already installed on my VM?

What if a System Center Operations Manager agent is already installed on my VM?

Defender for Cloud will install the Log Analytics agent extension side by side to the existing System Center Operations Manager agent. The existing agent will continue to report to the System Center Operations Manager server normally. Note that the Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. Note - If version 2012 of the Operations Manager agent is installed, do not turn on automatic provisioning (manageability capabilities can be lost when the Operations Manager server is also version 2012).

What is the impact of removing these extensions?

If you remove the Microsoft Monitoring Extension, Defender for Cloud is not able to collect security data from the VM and some security recommendations and alerts are unavailable. Within 24 hours, Defender for Cloud determines that the VM is missing the extension and reinstalls the extension.

How do I stop the automatic agent installation and workspace creation?

You can turn off extensions for your subscriptions in the security policy but this is not recommended. Turning off extensions limits Defender for Cloud recommendations and alerts. To disable automatic provisioning for a specific agent or extension:

  1. From Defender for Cloud's menu, open Environment settings.
  2. Select the relevant subscription.
  3. In the Monitoring coverage column of the Defender for Server plan, select Settings.
  4. Turn off the extension you want to stop being automatically provisioned.
  5. Select Save.

Should I opt out of the automatic agent installation and workspace creation?

Note

Be sure to review sections What are the implications of opting out? and recommended steps when opting out if you choose to opt out of automatic provisioning.

You may want to opt out of automatic provisioning if the following applies to you:

  • Automatic agent installation by Defender for Cloud applies to the entire subscription. You cannot apply automatic installation to a subset of VMs. If there are critical VMs that cannot be installed with the Log Analytics agent, then you should opt out of automatic provisioning.

  • Installation of the Log Analytics agent extension updates the agent's version. This applies to a direct agent and a System Center Operations Manager agent (in the latter, the Operations Manager and Log Analytics agent share common runtime libraries - which will be updated in the process). If the installed Operations Manager agent is version 2012 and is upgraded, manageability capabilities can be lost when the Operations Manager server is also version 2012. Consider opting out of automatic provisioning if the installed Operations Manager agent is version 2012.

  • If you want to avoid creation of multiple workspaces per subscription and you have your own custom workspace within the subscription, then you have two options:

    • You can opt out of automatic provisioning. After migration, set the default workspace settings as described in How can I use my existing Log Analytics workspace?

    • Or, you can allow the migration to complete, the Log Analytics agent to be installed on the VMs, and the VMs connected to the created workspace. Then, select your own custom workspace by setting the default workspace setting with opting in to reconfiguring the already installed agents. For more information, see How can I use my existing Log Analytics workspace?

What are the implications of opting out of automatic provisioning?

When migration is complete, Defender for Cloud can't collect security data from the VM and some security recommendations and alerts are unavailable. If you opt out, install the Log Analytics agent manually. See recommended steps when opting out.

Manually install the Log Analytics agent extension so Defender for Cloud can collect security data from your VMs and provide recommendations and alerts. See agent installation for Windows VM or agent installation for Linux VM for guidance on installation.

You can connect the agent to any existing custom workspace or Defender for Cloud created workspace. If a custom workspace does not have the "Security" or "SecurityCenterFree" solutions enabled, then you will need to apply a solution. To apply, select the custom workspace and apply a pricing tier via the Environment settings > Defender plans page.

Defender for Cloud will enable the correct solution on the workspace based on the selected options.

How do I remove OMS extensions installed by Defender for Cloud?

You can manually remove the Log Analytics agent. This is not recommended as it limits Defender for Cloud's recommendations and alerts.

Note

If data collection is enabled, Defender for Cloud will reinstall the agent after you remove it. You must disable data collection before manually removing the agent. See How do I stop the automatic agent installation and workspace creation? for instructions on disabling data collection.

To manually remove the agent:

  1. In the portal, open Log Analytics.

  2. On the Log Analytics page, select a workspace:

  3. Select the VMs that you don't want to monitor and select Disconnect.

    Remove the agent

Note

If a Linux VM already has a non-extension OMS agent, removing the extension removes the agent as well and you'll have to reinstall it.

How do I disable data collection?

Deploying extensions with Defender for Cloud is highly recommended in order to get security alerts and recommendations about system updates, OS vulnerabilities, and endpoint protection.

If you've enabled an extension but now want to disable it:

  1. From the Azure portal, open Defender for Cloud and select Environment settings.

  2. Select the subscription on which you want to disable the extension.

  3. In the Monitoring coverage column of the Defender for Server plan, select Settings.

  4. Turn off the Log Analytics agent.

How do I enable data collection?

Data collection is automatically turned on when you enable a Defender plan that requires a monitoring component.

What happens when data collection is enabled?

When automatic provisioning is enabled, Defender for Cloud provisions the Log Analytics agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is recommended but manual agent installation is also available. Learn how to install the Log Analytics agent extension.

The agent enables the process creation event 4688 and the CommandLine field inside event 4688. New processes created on the VM are recorded by EventLog and monitored by Defender for Cloud's detection services. For more information on the details recorded for each new process, see description fields in 4688. The agent also collects the 4688 events created on the VM and stores them in search.

The agent also enables data collection for Adaptive application controls, Defender for Cloud configures a local AppLocker policy in Audit mode to allow all applications. This policy will cause AppLocker to generate events, which are then collected and leveraged by Defender for Cloud. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy.

When Defender for Cloud detects suspicious activity on the VM, the customer is notified by email if security contact information has been provided. An alert is also visible in Defender for Cloud's security alerts dashboard.

Will Defender for Cloud work using an OMS gateway?

Yes. Microsoft Defender for Cloud leverages Azure Monitor to collect data from Azure VMs and servers, using the Log Analytics agent. To collect the data, each VM and server must connect to the Internet using HTTPS. The connection can be direct, using a proxy, or through the OMS Gateway.

Does the Log Analytics agent impact the performance of my servers?

The agent consumes a nominal amount of system resources and should have little impact on the performance. For more information on performance impact and the agent and extension, see the planning and operations guide.