Since its release, Defender for Cloud has been based on the Microsoft Monitoring Agent (MMA). Since August 2022 it is possible to auto-deploy the Azure Monitoring Agent. With this improvement it is finally possible to migrate entirely away from the Microsoft Monitoring Agent (MMA) and switch to the modern Azure Monitoring Agent (AMA) for Defender for Endpoint (MDE) and Defender for Cloud (MDC). The Azure Monitoring Agent brings multiple advantages and new features.

Feature currently in public preview. Article last updated: 15 August 2022

History

Since the release of Defender for Cloud, the feature has been based on the Microsoft Monitoring Agent (MMA). The MMA agent was used to collect additional logs and to onboard Defender for Endpoint. Some months ago Defender for Endpoint migrated to the new unified solution, which is based on the new unified agent and the SENSE service for Server 2012R2 and 2016.

Difference between AMA and MMA

Feature                                 | AMA agent                                               | MMA/OMS agent
Environments                            | Azure; other cloud (Azure Arc); on-premises (Azure Arc) | Azure; other cloud; on-premises
EPS per server on Windows               | 5K                                                      | 1K
Events                                  | All security events; Common; Minimal; Custom            | All security events; Common; Minimal; None
Support for file-based logs             | Public Preview                                          | Yes
Support for IIS and DNS logs            | Public Preview                                          | Yes
Support for DCR (Data Collection Rules) | Yes                                                     | No
Supports scoping                        | Yes                                                     | No

Recommended read: Migrate to Azure Monitor Agent from Log Analytics agent | Microsoft

New feature

Part of the latest release is the public preview of the Azure Monitoring Agent (AMA), which is now integrated into the auto-provisioning of Defender for Cloud. Defender for Endpoint has already moved away from the Microsoft Monitoring Agent. Auto-provisioning is used for the following Defender for Cloud services:

  • Endpoint protection assessment – Security posture management (CSPM)
  • Adaptive application controls – Defender for Servers Plan 2
  • File Integrity Monitoring – Defender for Servers Plan 2
  • Fileless attack detections – Defender for Servers Plan 2

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, Endpoint protection status, and additional data collection.


Migrate from MMA to AMA

Migration from the Microsoft Monitoring Agent is possible directly with auto-provisioning. Before starting the migration, check whether Defender for Endpoint has already been switched to the new unified solution, which removes the dependency on the MMA agent.

Defender for Endpoint

The new Defender for Endpoint unified agent has been generally available since April 11th, 2022. The new unified Microsoft Defender for Endpoint solution is supported for Server 2012R2 and Windows Server 2016 (the systems that depended on the MMA agent). Announced: Defender for Servers Plan 2 now integrates with MDE unified solution

Microsoft announced the release of the unified agent integration, which makes it possible to directly enable the new Defender for Endpoint unified solution and remove the dependency on the Log Analytics Agent (MMA) and other legacy AV tooling such as SCEP. Microsoft removed the complexity of provisioning by creating two machine extensions.

The following extensions are now available for Windows and Linux machines in Azure, and for non-Azure machines connected through Azure Arc-enabled servers:

  • MDE.Windows
  • MDE.Linux

The MDE.Windows extension removes SCEP from Server 2012R2 machines during the installation of the new MDE unified solution. Part of the MDE.Windows extension is the onboarding of Defender for Endpoint (SENSE).

New available Azure policies:

  • Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
  • Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
  • Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
  • Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

The Defender for Endpoint unified installation package Md4ws.msi is part of the MDE.Windows Extension. Other scripts and the onboarding file are part of the package. The same goes for MDE.Linux extension where the Linux files are visible.

Windows MDE installation files are located in the following folder: C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows

To enable the MDE unified solution in existing subscriptions you can opt in to the unified solution on the subscription's Environment settings / Integrations page. To open the settings:

  1. Go to Defender for Cloud
  2. Go to Environment settings and select the subscription
  3. Go to Integrations

The button Enable unified solution is visible when the MDE integration was enabled before June 20th, 2022.

View the following blog post for the complete migration: How to upgrade from MMA-based Defender for Endpoint to MDE unified solution in Defender for Cloud? – Jeffreyappel.nl

Configure auto-provisioning with Azure Monitoring Agent

To deploy the Azure Monitoring Agent with auto-provisioning, use the following steps:

  1. Go to Microsoft Defender for Cloud and open Environment settings
  2. Select the correct subscription(s)
  3. Open the Auto-provisioning page
  4. For the Log Analytics agent / Azure Monitoring Agent, select Edit Configuration

In the configuration screen there are two different agent types:

  • Log Analytics Agent (Default)
  • Azure Monitoring Agent (Preview)

Log Analytics Agent (Default) is the agent based on the Microsoft Monitoring Agent. To switch to the Azure Monitoring Agent, select Azure Monitoring Agent (Preview).

Data collected by Defender for Cloud is stored in Log Analytics workspace(s). For auto-provisioning, there is the option to use the default workspace(s) or a custom workspace.

When the default workspace option is configured, Defender for Cloud creates a new resource group and default workspace in the same geolocation and connects the agent to that workspace. If a subscription contains VMs from multiple geolocations, Defender for Cloud creates multiple workspaces to ensure compliance with data privacy requirements. The workspaces follow the naming convention DefaultWorkspace-[subscription-ID]-[geo].

Switching the toggle automatically installs the Azure Monitoring Agent on all existing machines in the selected subscription, and on all new machines created in the subscription.

Important: When using a custom workspace, make sure to enable the additional workspace solutions manually. See the Extensions section below.

Removal of the Log Analytics agent

When switching the toggle from MMA to AMA there is no automated uninstall. Make sure no duplicate data streaming is enabled for the MMA and AMA agents. Microsoft says:

If a VM already has either SCOM or OMS agent installed locally, the Log Analytics agent extension will still be installed and connected to the configured workspace. Any other solutions enabled on the selected workspace will be applied to Azure VMs that are connected to it. For paid solutions, this could result in additional charges. For data privacy considerations, please make sure your selected workspace is in your desired region.

Microsoft Defender for Cloud portal

Duplicate agent

It is possible to run the Log Analytics agent and the Azure Monitoring Agent on the same machine. Important to know: recommendations and alerts are then reported by both agents and appear twice in Defender for Cloud. It is advised to use only one agent.
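Because there is no automated uninstall, a practitioner needs a way to find the machines that report through both agents. The script below is an added example, not code from the original post or from Microsoft: it inventories the agent extensions on every Azure VM in the current subscription and flags machines where the Log Analytics agent (MMA) and the Azure Monitor Agent (AMA) run side by side. It assumes the Az.Accounts and Az.Compute modules and an existing Connect-AzAccount session; Azure Arc-enabled servers are not covered. The -RemoveDuplicateLegacyAgent switch is an option of this script only, not a Defender for Cloud setting.

```powershell
# Added example (not from the original post or from Microsoft): inventory the
# monitoring agents installed as VM extensions and flag duplicate MMA + AMA setups.
# Assumptions: Az.Accounts and Az.Compute installed, Connect-AzAccount already run.

# Extension type names used by the agents discussed in the post.
$LegacyAgentTypes = @('MicrosoftMonitoringAgent', 'OmsAgentForLinux')        # MMA / OMS agent
$ModernAgentTypes = @('AzureMonitorWindowsAgent', 'AzureMonitorLinuxAgent')  # AMA
$MdeTypes         = @('MDE.Windows', 'MDE.Linux')                            # MDE unified solution

function Get-MonitoringAgentInventory {
    # -RemoveDuplicateLegacyAgent is a hypothetical option of this script: it removes
    # the MMA extension only on machines where AMA is already present, so the
    # duplicate reporting described in the post stops.
    param([switch]$RemoveDuplicateLegacyAgent)

    foreach ($vm in Get-AzVM) {
        $extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        $legacy = @($extensions | Where-Object { $LegacyAgentTypes -contains $_.ExtensionType })
        $modern = @($extensions | Where-Object { $ModernAgentTypes -contains $_.ExtensionType })
        $mde    = @($extensions | Where-Object { $MdeTypes -contains $_.ExtensionType })
        $duplicate = ($legacy.Count -gt 0) -and ($modern.Count -gt 0)

        if ($duplicate -and $RemoveDuplicateLegacyAgent) {
            foreach ($ext in $legacy) {
                # Only the VM extension is removed; a SCOM/OMS agent installed locally
                # on the machine would still report to the workspace (see the note above).
                Remove-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name $ext.Name -Force | Out-Null
            }
        }

        [pscustomobject]@{
            VM             = $vm.Name
            ResourceGroup  = $vm.ResourceGroupName
            MMA            = $legacy.Count -gt 0
            AMA            = $modern.Count -gt 0
            MDEUnified     = $mde.Count -gt 0
            DuplicateAgent = $duplicate
        }
    }
}

# Report first; rerun with -RemoveDuplicateLegacyAgent only after the MDE unified
# solution is in place and no workspace solution still depends on the MMA agent.
Get-MonitoringAgentInventory | Format-Table -AutoSize
```

The MDEUnified column shows whether the MDE.Windows or MDE.Linux extension described earlier is present, which is the precondition the post gives for dropping the MMA dependency; a row with MMA and AMA both true is a machine that will report recommendations and alerts twice.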


Security event collection

With Log Analytics agent provisioning it is possible to enable additional security event collection directly from the Defender for Cloud portal.

With the new Azure Monitoring Agent there is no option to collect additional security events into the workspace. When collecting events for Microsoft Sentinel, it is advised to use Data Collection Rules to collect the required events.

Tip: View the following blog post for the Data Collection Rules (DCR) configuration: Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR – Jeffreyappel.nl


Extensions

The Azure Monitoring Agent installs additional extensions. The ASA extension, which supports Endpoint Protection recommendations and fileless attack detection, is installed automatically when auto-provisioning is enabled for the Azure Monitoring Agent.

The Azure Monitoring Agent uses two Log Analytics workspace solutions, which are installed automatically when auto-provisioning of the Azure Monitoring Agent is enabled with the default workspace.

The following Log Analytics workspace solutions are required:

  • Security posture management (CSPM) – SecurityCenterFree solution
  • Defender for Servers Plan 2 – Security solution

When using a custom Log Analytics workspace make sure the Log Analytics workspace solutions are installed manually.
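The two workspace solutions are only installed automatically for the default workspaces, so a custom workspace has to be checked by hand. The script below is an added example, not code from the original post or from Microsoft: it walks every Log Analytics workspace in the current subscription, distinguishes default workspaces (DefaultWorkspace-[subscription-ID]-[geo] naming convention) from custom ones, reports whether the SecurityCenterFree and Security solutions are enabled, and optionally enables the missing ones. It assumes the Az.Accounts and Az.OperationalInsights modules and an existing Connect-AzAccount session; the -Enable switch is an option of this script only.

```powershell
# Added example (not from the original post or from Microsoft): check, and optionally
# enable, the workspace solutions Defender for Cloud needs on each Log Analytics workspace.
# Assumptions: Az.Accounts and Az.OperationalInsights installed, Connect-AzAccount already run.

# Solution (intelligence pack) names as listed in the post.
$RequiredSolutions = @('SecurityCenterFree', 'Security')

function Test-DefenderWorkspaceSolutions {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$WorkspaceName,
        [switch]$Enable   # hypothetical option of this script: turn on missing solutions
    )

    $packs = Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName

    foreach ($name in $RequiredSolutions) {
        $pack    = $packs | Where-Object { $_.Name -eq $name }
        $enabled = [bool]($pack -and $pack.Enabled)

        if (-not $enabled -and $Enable) {
            # Same action as enabling the solution manually in the portal.
            Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -IntelligencePackName $name -Enabled $true | Out-Null
            $enabled = $true
        }

        [pscustomobject]@{
            Workspace = $WorkspaceName
            Solution  = $name
            Enabled   = $enabled
        }
    }
}

# Default workspaces created by Defender for Cloud get the solutions automatically;
# custom workspaces are where a missing solution is expected to show up.
Get-AzOperationalInsightsWorkspace | ForEach-Object {
    $kind = if ($_.Name -like 'DefaultWorkspace-*') { 'default' } else { 'custom' }
    Write-Host "Checking $kind workspace $($_.Name)"
    Test-DefenderWorkspaceSolutions -ResourceGroupName $_.ResourceGroupName -WorkspaceName $_.Name
} | Format-Table -AutoSize
```

Run it once without -Enable to see which custom workspaces are missing a solution; pass -Enable to Test-DefenderWorkspaceSolutions for the workspaces that should receive them. Note that enabling the Security solution on a workspace is the paid Defender for Servers Plan 2 component mentioned in the post, so it should only be turned on where that plan is intended.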


Sources

Microsoft: Deploy the Azure Monitor Agent with auto-provisioning

Microsoft: Migrate to Azure Monitor Agent from Log Analytics agent