Protect your servers with Defender for Servers

Defender for Servers in Microsoft Defender for Cloud brings threat detection and advanced defenses to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

Microsoft Defender for Servers includes an automatic, native integration with Microsoft Defender for Endpoint. Learn more in Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint. With this integration enabled, you have access to the vulnerability findings from Microsoft threat and vulnerability management.

Defender for Servers offers two plan options with different levels of protection and their own cost. You can learn more about Defender for Cloud's pricing on the pricing page.

Prerequisites

Enable the Defender for Servers plan

You can enable the Defender for Servers plan from the Environment settings page to protect all the machines in an Azure subscription, AWS account, or GCP project.

To enable the Defender for Servers plan:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant subscription.

  5. On the Defender plans page, toggle the Servers switch to On.


Select a Defender for Servers plan

When you enable the Defender for Servers plan, you're then given the option to select which plan to enable. The two plans, Plan 1 and Plan 2, offer different levels of protection for your resources.

Review what's included in each plan.

To select a Defender for Servers plan:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant Azure subscription, AWS account, or GCP project.

  5. Select Change plans.


  6. In the popup window, select Plan 2 or Plan 1.


  7. Select Confirm.

  8. Select Save.

Configure monitoring coverage

There are three components that can be enabled and configured to provide extra protections to your environments in the Defender for Servers plans.

  • Log Analytics agent/Azure Monitor agent - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis. Learn more about the Log Analytics agent.

  • Vulnerability assessment for machines - Enables vulnerability assessment on your Azure and hybrid machines. Learn more about how Defender for Cloud collects data.

  • Agentless scanning for machines - Scans your machines for installed software and vulnerabilities without relying on agents or impacting machine performance. Learn more about agentless scanning for machines.

To enable any of these options, toggle the corresponding switch to On.

Configure Log Analytics agent/Azure Monitor agent

After enabling the Log Analytics agent/Azure Monitor agent, you're presented with the option to select either the Log Analytics agent or the Azure Monitor agent, and which workspace to use.

To configure the Log Analytics agent/Azure Monitor agent:

  1. Select Edit configuration.


  2. In the Auto provisioning configuration window, select one of the following two agent types:

    • Log Analytics Agent (Default) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.

    • Azure Monitor Agent (Preview) - Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis.


  3. Select either Default workspace(s) or Custom workspace, depending on your need.

  4. Select Apply.

Configure vulnerability assessment for machines

Vulnerability assessment for machines allows you to select between two vulnerability assessment solutions:

  • Microsoft Defender Vulnerability Management
  • Microsoft Defender for Cloud integrated Qualys scanner

To select either of the vulnerability assessment solutions:

  1. Select Edit configuration.


  2. In the Extension deployment configuration window, select either of the solutions depending on your need.

  3. Select Apply.

Configure agentless scanning for machines (preview)

Defender for Cloud can scan your Azure machines for installed software and vulnerabilities without requiring you to install agents or have network connectivity, and without affecting your machine's performance.

To configure agentless scanning for machines:

  1. Select Edit configuration.


  2. Enter a tag name and tag value for any machines to be excluded from scans.

  3. Select Apply.
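The plan selection (Plan 1 or Plan 2) and the agentless-scanning exclusion tag configured above, expressed as the subscription's Microsoft.Security/pricings resource instead of portal clicks, as an added example that is not Microsoft's code or from this page. The resource shape, api-version 2023-01-01 and the AgentlessVmScanning/ExclusionTags property names are assumptions taken from the public REST API, and the audit function is meant for checking a GET response for drift across subscriptions.

```python
# Drive the Defender for Servers plan through the Microsoft.Security/pricings
# REST resource. Resource shape and api-version are assumptions from the public
# REST API, not from the portal procedure on this page.
import json
import urllib.request

API_VERSION = "2023-01-01"


def build_pricing_body(sub_plan="P2", agentless=True, exclusion_tag=None):
    """Body matching the portal steps: Servers On, Plan 1 or 2 chosen,
    agentless scanning toggled, optional exclusion tag as (key, value)."""
    if sub_plan not in ("P1", "P2"):
        raise ValueError("sub_plan must be 'P1' or 'P2'")
    props = {"pricingTier": "Standard", "subPlan": sub_plan}
    if agentless:
        ext = {"name": "AgentlessVmScanning", "isEnabled": "True"}
        if exclusion_tag is not None:
            key, value = exclusion_tag
            # ExclusionTags is a JSON-encoded string, not a nested object.
            ext["additionalExtensionProperties"] = {
                "ExclusionTags": json.dumps([{"key": key, "value": value}])}
        props["extensions"] = [ext]
    return {"properties": props}


def audit_pricing(pricing):
    """Summarize a pricing document (GET response or a body): plan on/off,
    sub plan, and whether agentless scanning is enabled."""
    props = pricing.get("properties", {})
    exts = {e["name"]: e for e in props.get("extensions", [])}
    flag = exts.get("AgentlessVmScanning", {}).get("isEnabled", "False")
    return {"enabled": props.get("pricingTier") == "Standard",
            "sub_plan": props.get("subPlan"),
            "agentless_scanning": str(flag).lower() == "true"}


def put_pricing(subscription_id, token, body):
    """Live PUT to the VirtualMachines pricing resource; the bearer token
    needs write rights on Microsoft.Security/pricings."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/providers/Microsoft.Security/pricings/VirtualMachines"
           f"?api-version={API_VERSION}")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

A pricingTier of Free in the GET response means the Servers switch is Off for that subscription, which audit_pricing reports as enabled False.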

Next steps

Overview of Microsoft Defender for Servers