How does Defender for Cloud collect data?

Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.

You can benefit from Microsoft Defender for Cloud even if you don’t provision agents. However, you have limited security and the capabilities listed aren't supported.

Data is collected using:

Why use Defender for Cloud to deploy monitoring components?

Visibility into the security of your workloads depends on the data that the monitoring components collect. The components ensure security coverage for all supported resources.

Defender for Cloud reduces management overhead by installing all required extensions on existing and new machines, so you don't have to install them manually. It assigns the appropriate Deploy if not exists policy to the workloads in the subscription. This policy type ensures the extension is provisioned on all existing and future resources of that type.

Tip

Learn more about Azure Policy effects, including Deploy if not exists, in Understand Azure Policy effects.
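
A simplified model of how a Deploy if not exists policy decides which machines still need the extension, as an added example that is not Microsoft's code or a built-in policy definition. The rule, the short field names (`publisher`, `provisioningState`), the publisher value, and the inventory are constructed for illustration; real definitions use full resource aliases.

```python
# Added example: simplified model of Deploy if not exists; all data is constructed.
VM, ARC = "Microsoft.Compute/virtualMachines", "Microsoft.HybridCompute/machines"
AMA = "Microsoft.Azure.Monitor"  # extension publisher assumed for this sketch
RULE = {
    "if": {"field": "type", "in": [VM, ARC]},
    "then": {"effect": "deployIfNotExists", "details": {"existenceCondition": {
        "allOf": [{"field": "publisher", "equals": AMA},
                  {"field": "provisioningState", "equals": "Succeeded"}]}}},
}

def matches(cond, res):
    """Evaluate the condition subset used here: allOf, equals, in (case-insensitive)."""
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    value = str(res.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "in" in cond:
        return value in [v.lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, machines, extensions):
    """Return ids of in-scope machines with no extension meeting existenceCondition."""
    exists = rule["then"]["details"]["existenceCondition"]
    missing = []
    for m in machines:
        if not matches(rule["if"], m):
            continue  # resource type is out of scope for this policy
        children = [e for e in extensions if e["parent"] == m["id"]]
        if not any(matches(exists, e) for e in children):
            missing.append(m["id"])
    return missing

def ext(parent, state="Succeeded"):
    """Build a constructed extension record attached to a machine id."""
    return {"parent": parent, "publisher": AMA, "provisioningState": state}
def remediate(missing, extensions):
    """Model the deployment step: add a healthy extension for each gap."""
    return extensions + [ext(mid) for mid in missing]

# Constructed inventory (ids shortened for readability).
MACHINES = [{"id": "vm-web-01", "type": VM}, {"id": "vm-db-01", "type": VM},
            {"id": "arc-onprem-01", "type": ARC},
            {"id": "stg-logs", "type": "Microsoft.Storage/storageAccounts"}]
EXTENSIONS = [ext("vm-web-01"), ext("vm-db-01", "Failed")]

if __name__ == "__main__":
    gaps = evaluate(RULE, MACHINES, EXTENSIONS)
    print("needs deployment:", gaps, "after:", evaluate(RULE, MACHINES, remediate(gaps, EXTENSIONS)))
```

A machine whose extension failed to provision (`vm-db-01`) is reported the same way as one with no extension at all, which is the coverage gap worth tracking.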

What plans use monitoring components?

These plans use monitoring components to collect data:

Availability of extensions

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure Monitor Agent (AMA)

| Aspect | Details |
|---|---|
| Release state: | Generally available (GA) |
| Relevant Defender plan: | Defender for SQL Servers on Machines |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: | Azure virtual machines; Azure Arc-enabled machines |
| Policy-based: | Yes |
| Clouds: | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |

Learn more about using the Azure Monitor Agent with Defender for Cloud.

Microsoft Defender for Endpoint

| Aspect | Linux | Windows |
|---|---|---|
| Release state: | Generally available (GA) | Generally available (GA) |
| Relevant Defender plan: | Microsoft Defender for Servers | Microsoft Defender for Servers |
| Required roles and permissions (subscription-level): | To enable/disable the integration: Security Admin or Owner; To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security Admin, Subscription owner, or Subscription Contributor | To enable/disable the integration: Security Admin or Owner; To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security Admin, Subscription owner, or Subscription Contributor |
| Supported destinations: | Azure Arc-enabled machines; Azure virtual machines | Azure Arc-enabled machines; Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Azure Virtual Desktop, Windows 10 Enterprise multi-session; Azure VMs running Windows 10 |
| Policy-based: | No | No |
| Clouds: | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |

Learn more about Microsoft Defender for Endpoint.

Vulnerability assessment

| Aspect | Details |
|---|---|
| Release state: | Generally available (GA) |
| Relevant Defender plan: | Microsoft Defender for Servers |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: | Azure virtual machines; Azure Arc-enabled machines |
| Policy-based: | Yes |
| Clouds: | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |

Guest Configuration

| Aspect | Details |
|---|---|
| Release state: | Preview |
| Relevant Defender plan: | No plan required |
| Required roles and permissions (subscription-level): | Owner |
| Supported destinations: | Azure virtual machines |
| Clouds: | Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |

Learn more about Azure's Guest Configuration extension.

Defender for Containers extensions

This table shows the availability details for the components required by the protections offered by Microsoft Defender for Containers.

By default, the required extensions are enabled when you enable Defender for Containers from the Azure portal.

| Aspect | Azure Kubernetes Service clusters | Azure Arc-enabled Kubernetes clusters |
|---|---|---|
| Release state: | Defender sensor: GA; Azure Policy for Kubernetes: Generally available (GA) | Defender sensor: Preview; Azure Policy for Kubernetes: Preview |
| Relevant Defender plan: | Microsoft Defender for Containers | Microsoft Defender for Containers |
| Required roles and permissions (subscription-level): | Owner or User Access Administrator | Owner or User Access Administrator |
| Supported destinations: | The AKS Defender sensor only supports AKS clusters that have RBAC enabled. | See Kubernetes distributions supported for Arc-enabled Kubernetes |
| Policy-based: | Yes | Yes |
| Clouds: | Defender sensor: Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet. Azure Policy for Kubernetes: Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet | Defender sensor: Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet. Azure Policy for Kubernetes: Commercial clouds; Azure Government, Microsoft Azure operated by 21Vianet |

Learn more about the roles used to provision Defender for Containers extensions.

Troubleshooting

Next steps

This page explained what monitoring components are and how to enable them.

Learn more about: