Understand data collection in Defender for Servers
This article helps you understand how Defender for Servers in Microsoft Defender for Cloud collects data for assessment.
Before you begin
This article is the fourth article in the Defender for Servers planning guide. Before you begin, review the earlier articles:
- Start planning your deployment.
- Review Defender for Servers access roles.
- Select a Defender for Servers plan.
Data collection
Defender for Servers uses several methods to collect machine information, including agentless machine scanning and the Defender for Endpoint agent.
Feature | Data collection method |
---|---|
Assess machines for an EDR solution | Agentless scanning. |
Assess Defender for Endpoint as an EDR solution | Agentless scanning. |
Scan software inventory | Agentless scanning. Software inventory is provided by the integration with Defender Vulnerability Management. |
Scan for vulnerabilities | Agentless scanning. Agent-based scanning with the Defender for Endpoint agent. Bring your own license (BYOL) scanning with a supported third-party solution. Learn about hybrid scanning using both agentless and agent-based scanning. |
Scan machines for secrets | Agentless scanning. |
Scan machines for malware | Agentless scanning. Next-generation antimalware protection is also provided by Defender for Endpoint integration, using the Defender for Endpoint agent. |
Scan for OS misconfigurations | Assess OS configuration against compute security baselines in the Microsoft Cloud Security Benchmark using the Azure Machine Configuration extension. |
Scan for file and registry changes with file integrity monitoring | Defender for Endpoint agent. |
Scan for system and patch updates | Relies on the Azure Update Manager VM extension. |
Use free data ingestion benefit | Azure Monitor agent (AMA). |
Next steps
Understand how data is stored and when you need a Log Analytics workspace