Azure / Microsoft-Defender-for-Cloud

Welcome to the Microsoft Defender for Cloud community repository
https://azure.microsoft.com/en-us/services/security-center/
MIT License

Extend support for AMA agent in the workbook. #502

Closed mmkmur closed 2 years ago

mmkmur commented 2 years ago

Many customers are previewing Defender for Cloud using AMA in the private preview.

Could you please extend the support for AMA as well for this workbook? We have AMAs deployed side by side, but the workbook is identifying only the workspace where the MMA is sending heartbeat to.

ShaykeAmar commented 2 years ago

Hi @mmkmur, are you referring to the Microsoft Defender for Servers monitoring dashboard?

mmkmur commented 2 years ago

Thanks for getting back. Yes, exactly. Here, I see the workspace being reported is on the basis of where the MMA is pointing to.

In my case, we have both agents side by side and AMA is tasked to collect the SecurityEvents and is pointing to a 'X' workspace. But since the existing machines have MMA by default the workbook reports as if these machines are reporting to 'Y' workspace. I would like to know how I can modify the resource graph query to include the 'AMA' workspace status.

Not sure if I was able to articulate the question well. Thanks


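One way to get the AMA side into the picture is to resolve each machine's Data Collection Rule associations to their Log Analytics destinations and put that next to the MMA workspace. The Azure Resource Graph query below is an added example, not the repository's workbook query or anything from the thread participants; the `insightsresources` table, the `datacollectionruleassociations` type and the property paths it uses are assumptions to verify against your own tenant before adopting it.

```kql
// Added example (not the Defender for Servers workbook's own query).
// For each VM: the workspace the MMA reports to (workspace GUID from the extension
// settings) and the workspace resource id(s) the AMA delivers to through DCRs, so a
// machine running both agents is not attributed to the MMA workspace alone.
// Assumed, verify in your tenant: 'insightsresources' table, type
// 'microsoft.insights/datacollectionruleassociations', property paths
// properties.dataCollectionRuleId and properties.destinations.logAnalytics.
let mma = resources
| where type =~ 'microsoft.compute/virtualmachines/extensions'
| where properties.publisher =~ 'Microsoft.EnterpriseCloud.Monitoring'
| extend vmId = substring(tolower(id), 0, indexof(tolower(id), '/extensions/'))
| project vmId, mmaWorkspaceId = tostring(properties.settings.workspaceId);
let ama = resources
| where type =~ 'microsoft.compute/virtualmachines/extensions'
| where properties.publisher =~ 'Microsoft.Azure.Monitor'
| extend vmId = substring(tolower(id), 0, indexof(tolower(id), '/extensions/'))
| project vmId, amaState = tostring(properties.provisioningState);
let dcrDest = resources
| where type =~ 'microsoft.insights/datacollectionrules'
| mv-expand la = properties.destinations.logAnalytics
| project dcrId = tolower(id), amaWorkspaceResourceId = tostring(la.workspaceResourceId);
let dcra = insightsresources
| where type =~ 'microsoft.insights/datacollectionruleassociations'
| extend vmId = substring(tolower(id), 0, indexof(tolower(id), '/providers/microsoft.insights/'))
| project vmId, dcrId = tolower(tostring(properties.dataCollectionRuleId))
| join kind=inner dcrDest on dcrId
| summarize amaWorkspaces = make_set(amaWorkspaceResourceId) by vmId;
resources
| where type =~ 'microsoft.compute/virtualmachines'
| project vmId = tolower(id), name, subscriptionId, resourceGroup
| join kind=leftouter mma on vmId
| join kind=leftouter ama on vmId
| join kind=leftouter dcra on vmId
// Coverage state per machine; the 'no DCR destination' bucket is the one that
// silently loses SecurityEvent collection when only the AMA is relied upon.
| extend agentState = case(
    isnotempty(mmaWorkspaceId) and isnotempty(amaState), 'MMA + AMA (side by side)',
    isnotempty(amaState) and isnull(amaWorkspaces), 'AMA installed, no DCR destination',
    isnotempty(amaState), 'AMA only',
    isnotempty(mmaWorkspaceId), 'MMA only',
    'no agent')
| project name, subscriptionId, resourceGroup, agentState, mmaWorkspaceId, amaWorkspaces
```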

ShaykeAmar commented 2 years ago

Thanks for the clarification @mmkmur, adding @TomJanetscheck for awareness.

TomJanetscheck commented 2 years ago

Thanks @ShaykeAmar for adding me.

Hi @mmkmur, the workbook has been created to provide awareness of (mis)configuration within the scope of Defender for Cloud. Since Defender for Cloud leverages the Log Analytics agent only, not the AMA, AMA connection information is not part of the workbook. For Defender for Servers and Defender for SQL on machines to work correctly, it's mandatory to enable these plans on both the subscription and the Log Analytics workspace the LA agent on a machine is connected to.