Wednesday 29th November 2023
Writer: Gennaro Migliaccio, Reviewer: Giuseppe Damiano
Microsoft Defender for Servers can be confusing, because managing and deploying it within Azure is slightly different from doing the same for a typical Endpoint Protection Platform: the two solutions function differently.
This article will go through some of the frequent questions I have been asked and will hopefully help in your understanding of Microsoft Defender for Servers.
What is Defender for Servers?
As the name suggests, Defender for Servers employs the same technology as Defender for Endpoint to protect your servers. Whilst the underlying detection and protection technology is the same, there are differences in the licensing and deployment of Defender for Servers.
The solution is primarily managed via Defender for Cloud within the Microsoft Azure Portal; however, policies, detections and alerts are instead managed via the Microsoft Defender Portal.
Defender for Cloud Vs. Defender for Servers
Microsoft Defender for Cloud provides a comprehensive suite of cloud protection technologies. Defender for Servers sits under the Cloud Workload Protection part of Defender for Cloud.
Effectively, Defender for Cloud is a suite of multiple products, one of which is Defender for Servers.
What is the Licensing Model?
Whilst Defender for Endpoint is based on a user license, Defender for Servers operates on a per virtual machine (VM) model.
There is a P1 and a P2 plan for Defender for Servers, with P2 offering more functionality than P1 as shown in the breakdown below.
P1 Vs P2
Plan 1 (P1):
- Microsoft Defender for Endpoint.
- Microsoft Defender Vulnerability Management.
- Automatic agent onboarding, alert and data integration.
- Generates detailed, context-based, security alerts easily integrated with any SIEM.
- Alerts include guidelines to help investigate and mitigate identified threats.
Plan 2 (P2):
- All features included in Microsoft Defender for Servers Plan 1.
- Integrated vulnerability assessment (powered by Qualys).
- Agentless vulnerability scanning.
- Agentless secrets scanning.
- Regulatory compliance for industry best practices.
- Just-in-time VM access for management ports.
- Network layer threat detection.
- Adaptive application controls.
- File integrity monitoring.
- Adaptive network hardening.
- Log Analytics: 500 MB free data ingestion.
How are Licenses applied/controlled?
There isn’t a “license” as such. As Defender for Servers is enabled via the Defender for Cloud Portal in Azure, the cost will be charged against your Azure bill.
Also, it is worth noting that as Defender for Servers is enabled at the Subscription Level:
- You cannot scope individual servers in or out; any server that is present in your Azure Subscription will be covered. This includes non-Azure servers managed by Azure Arc.
- Additionally, you cannot scope certain servers to P1 and others to P2. It is one or the other based on the subscription.
Are servers charged if they are powered off?
Generally speaking, Azure resources are charged within your subscription based on the power state of the machine (on or off).
However, servers that are protected by Defender for Servers will be charged regardless of whether they are running or stopped.
The exception is a server that is Deallocated, which will not be billed against Defender for Servers.
Azure Arc machines are billed based on the heartbeat of each server; if no heartbeat has been received in a 15–30-minute window then the machine will be shown as “Offline” and will not be billed against Defender for Servers. Billing is calculated hourly.
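The billing rules above, applied to hourly inventory snapshots; this is an added example, not code from the original article or from Microsoft. The `kind` and `last_heartbeat` fields, the machine names and the 30-minute cutoff are assumptions made for illustration; the `powerState` strings are the ones `az vm list -d` reports.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the article gives a 15-30 minute window; the upper bound is used.
ARC_HEARTBEAT_WINDOW = timedelta(minutes=30)

def is_billable(machine, now, arc_window=ARC_HEARTBEAT_WINDOW):
    """True if the machine accrues a Defender for Servers charge at `now`."""
    if machine["kind"] == "azure-vm":
        # Running and stopped (still allocated) VMs are billed alike;
        # only a deallocated VM drops out of billing.
        return machine["powerState"] != "VM deallocated"
    if machine["kind"] == "arc":
        # Arc machines are billed while a recent heartbeat exists.
        last = datetime.fromisoformat(machine["last_heartbeat"])
        return now - last <= arc_window
    raise ValueError("unknown machine kind: %r" % machine["kind"])

def billable_machine_hours(snapshots):
    """Sum billable hours per machine over hourly (timestamp, machines) snapshots."""
    totals = {}
    for taken_at, machines in snapshots:
        for m in machines:
            totals.setdefault(m["name"], 0)
            if is_billable(m, taken_at):
                totals[m["name"]] += 1
    return totals

def sample_snapshots():
    """Constructed inventory for three consecutive hours (not real data)."""
    def vm(name, state):
        return {"kind": "azure-vm", "name": name, "powerState": state}
    def arc(name, heartbeat):
        return {"kind": "arc", "name": name, "last_heartbeat": heartbeat}
    def hour(h):
        return datetime(2023, 11, 29, h, 0, tzinfo=timezone.utc)
    return [
        (hour(10), [vm("web01", "VM running"), vm("db01", "VM stopped"),
                    vm("batch01", "VM running"),
                    arc("arc-fs01", "2023-11-29T09:58:00+00:00")]),
        (hour(11), [vm("web01", "VM running"), vm("db01", "VM stopped"),
                    vm("batch01", "VM deallocated"),
                    arc("arc-fs01", "2023-11-29T10:59:00+00:00")]),
        (hour(12), [vm("web01", "VM running"), vm("db01", "VM stopped"),
                    vm("batch01", "VM deallocated"),
                    arc("arc-fs01", "2023-11-29T11:05:00+00:00")]),
    ]

if __name__ == "__main__":
    for name, hours in sorted(billable_machine_hours(sample_snapshots()).items()):
        print(name, hours)
```

In the sample, `db01` is shut down from inside the guest but still allocated, so it accrues the same hours as the running `web01`, while `batch01` stops accruing once it is deallocated.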
How do I enable Defender for Servers?
Defender for Servers can be enabled via Defender for Cloud in the Azure portal and requires an active Azure subscription.
How do I deploy Defender for Servers?
Once Defender for Servers is enabled in the Defender for Cloud Portal, this will begin an automatic process to deploy and provision Microsoft Defender for Servers onto new and existing machines.
Non-Azure VMs will first need to be onboarded into Azure Arc for the configuration to apply.
Management Vs. Deployment
Defender for Servers is deployed via the Defender for Cloud portal within Azure, using Azure policies and extensions, but the management of policies and investigation of assets is conducted in the Defender portal, in the same place as Defender for Endpoint.
In short, you will use Defender for Cloud in Azure as the deployment mechanism but will then manage all assets (Endpoints and Servers) in the Defender for Endpoint Portal.
Servers that are onboarded via Defender for Cloud will automatically appear in the Defender portal, sometimes after a short delay.
Can we Trial Defender for Servers?
Yes, Defender for Cloud is free for the first 30 days and includes Defender for Servers.
Microsoft Sentinel Benefit
Each server that is covered by Defender for Servers P2 will get 500 MB per VM per day of free data ingestion.
The allowance is specifically for the security data types that are directly collected by Defender for Cloud. For more information on the data types that are allowed for this allowance, please see: Common questions - Defender for Servers - Microsoft Defender for Cloud | Microsoft Learn
Microsoft Sentinel Benefit – Daily Rate
The above allowance is a daily rate averaged across nodes, which means that it is pooled.
Reference: Common questions - Defender for Servers - Microsoft Defender for Cloud | Microsoft Learn
Microsoft Sentinel Benefit – Multiple Workspaces
If you have multiple log analytics workspaces and you want to send logs to more than one, then you will still get the 500 MB free data ingestion for each VM which can be sent to multiple workspaces. You will be charged for any data ingested over this limit.
Hopefully this has helped answer some of the top questions you may have around Defender for Servers… I’m sure there are many more questions out there, but this should serve as a good starting point to understand some of the key areas of how Defender for Servers is purchased, deployed, and managed.
Thank you for reading.