Protect resources that report to a Log Analytics workspace

Defender for Cloud utilizes Log Analytics workspaces, both default and custom, to collect and analyze data from your connected resources. To protect your resources, you can enable specific Defender for Cloud plans on both the subscription level or on specific workspaces that have resources that report to that Log Analytics workspace.

The available plans that you can enable on a Log Analytics workspace level are:

Important

We recommend you enable the SQL servers on machines plan using the Azure Monitoring Agent (AMA) auto provisioning on the subscription level, and not on the workspace level. When you enable the SQL servers on machines plan on the workspace level, it uses the deprecated Microsoft Monitoring Agent (MMA).

Prerequisites

Enable plans on a Log Analytics workspace

When you enable a plan on a Log Analytics workspace, you enable the plan for all the resources that report to that workspace.

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Select Environment settings.

  4. Select the relevant workspace.

    Screenshot that shows the environment settings page, with demo workspaces highlighted.

  5. Enable a plan by toggling the switch to On.

    Screenshot that shows the two available plans that can be enabled and where the toggles are.

  6. Select Save.

Once you enable a plan on a workspace, the plan protects to all of the resources that report to that workspace.

Screenshot that shows where on the page you can see how many resources are protected.