Common questions about Defender for Servers

Get answers to common questions about Microsoft Defender for Servers.

Can I enable Defender for Servers on a subset of machines in a subscription?

No. When you enable Microsoft Defender for Servers on an Azure subscription, all connected machines are protected by Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor agent installed are also protected.

What servers do I pay for in a subscription?

When you enable Defender for Servers on a subscription, you're charged for all machines based on their power states.

Azure VMs:

| State | Details | Billing |
|---|---|---|
| Starting | VM starting up. | Not billed |
| Running | Normal working state. | Billed |
| Stopping | Transitional. Moves to Stopped state when finished. | Billed |
| Stopped | VM shut down from within guest OS or by using PowerOff APIs. Hardware is still allocated, and the machine remains on the host. | Billed |
| Deallocating | Transitional. Moves to Deallocated state when finished. | Not billed |
| Deallocated | VM stopped and removed from the host. | Not billed |

Azure Arc machines:

| State | Details | Billing |
|---|---|---|
| Connecting | Servers connected, but heartbeat not yet received. | Not billed |
| Connected | Receiving regular heartbeat from Connected Machine agent. | Billed |
| Offline/Disconnected | No heartbeat received in 15-30 minutes. | Not billed |
| Expired | If disconnected for 45 days, status might change to Expired. | Not billed |

Do I need to enable Defender for Servers on the subscription and on the workspace?

When you enable the Servers plan at the subscription level, Defender for Cloud automatically enables the plan on your default workspaces. If you're using a custom workspace, you need to select it to enable the plan. Note that:

  • If you turn on Defender for Servers for a subscription and for a connected custom workspace, you aren't charged for both. The system identifies unique VMs.
  • If you enable Defender for Servers on cross-subscription workspaces:
    • For the Log Analytics agent, connected machines from all subscriptions are billed, including subscriptions that don't have the Defender for Servers plan enabled.
    • For the Azure Monitor agent, billing and feature coverage for Defender for Servers depends only on the plan being enabled in the subscription.

What happens if I enabled the Defender for Servers plan at the workspace level only (not at subscription)?

You can enable Microsoft Defender for Servers at the Log Analytics workspace level, but only servers reporting to that workspace will be protected and billed, and those servers won't receive some benefits, such as vulnerability assessment and just-in-time VM access.

Is the 500 MB of free data ingestion allowance applied per workspace or per machine?

For every VM that's connected to the workspace, you get 500 MB of free data ingestion per day. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.

This allowance is a daily rate that's averaged across all nodes. Your total daily free limit is equal to [number of machines] × 500 MB. You aren't charged extra if the total doesn't exceed your total daily free limit, even if some machines send 100 MB and others send 800 MB.

What data types are included in the daily allowance?

Defender for Cloud billing is closely tied to the billing for Log Analytics. Microsoft Defender for Servers provides an allocation of 500 MB per node per day for machines against the following subset of security data types:

If the workspace is in the legacy per-node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data.

Am I charged for machines that don't have Log Analytics installed?

Yes. You're charged for all machines that are protected by Defender for Servers in Azure subscriptions. The term machines includes Azure virtual machines, instances of Azure Virtual Machine Scale Sets, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

Are there any options to enforce the application controls?

No enforcement options are currently available. Adaptive application controls are intended to provide security alerts if any application runs other than the ones you've defined as safe. They have a range of benefits (What are the benefits of adaptive application controls?) and are customizable as shown on this page.

Why aren't all of my resources shown, such as subscriptions, machines, storage accounts in my asset inventory?

The inventory view lists your Defender for Cloud connected resources from a Cloud Security Posture Management (CSPM) perspective. The filters show only the resources with active recommendations.

For example, if you have access to eight subscriptions but only seven currently have recommendations, filtering by Resource type = Subscriptions shows only the seven subscriptions with active recommendations.


Why do some of my resources show blank values in the Defender for Cloud or monitoring agent columns?

Not all Defender for Cloud monitored resources require agents. For example, Defender for Cloud doesn't require agents to monitor Azure Storage accounts or PaaS resources, such as disks, Logic Apps, Data Lake Analysis, and Event Hubs.

When pricing or agent monitoring isn't relevant for a resource, nothing is shown in those columns of inventory.


Which ports are supported by adaptive network hardening?

Adaptive network hardening recommendations are only supported on the following specific ports (for both UDP and TCP):

13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5985, 5986, 6379, 7000, 7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215

Are there any prerequisites or VM extensions required for adaptive network hardening?

Adaptive network hardening is an agentless feature of Microsoft Defender for Cloud - nothing needs to be installed on your machines to benefit from this network hardening tool.

When should I use a "Deny all traffic" rule?

A Deny all traffic rule is recommended when, after running the algorithm, Defender for Cloud doesn't identify any traffic that should be allowed based on the existing NSG configuration. In that case, the recommended rule is to deny all traffic to the specified port. This type of rule is displayed with the name "System Generated". After you enforce the rule, its actual name in the NSG is a string composed of the protocol, the traffic direction, "DENY", and a random number.

How do I deploy the prerequisites for the security configuration recommendations?

To deploy the Guest Configuration extension with its prerequisites:

  • For selected machines, follow the security recommendation Guest Configuration extension should be installed on your machines from the Implement security best practices security control.

  • At scale, assign the policy initiative Deploy prerequisites to enable Guest Configuration policies on virtual machines.

Why is a machine shown as not applicable?

The list of resources in the Not applicable tab includes a Reason column. Some of the common reasons include:

| Reason | Details |
|---|---|
| No scan data available on the machine | There aren't any compliance results for this machine in Azure Resource Graph. All compliance results are written to Azure Resource Graph by the Guest Configuration extension. |
| Guest Configuration extension isn't installed on the machine | The machine is missing the Guest Configuration extension, which is a prerequisite for assessing the compliance with the Azure security baseline. |
| System managed identity isn't configured on the machine | A system-assigned, managed identity must be deployed on the machine. |
| The recommendation is disabled in policy | The policy definition that assesses the OS baseline is disabled on the scope that includes the relevant machine. |

Will I be charged for machines without the Log Analytics agent installed?

Yes. When you enable Microsoft Defender for Servers on an Azure subscription, you'll be charged for all machines that are connected to your Azure subscription. The term machines includes Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

If a Log Analytics agent reports to multiple workspaces, will I be charged twice?

If a machine reports to multiple workspaces and all of them have Defender for Servers enabled, the machine is billed for each attached workspace.

If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?

Yes. If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.

Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?

You receive a daily allowance of 500 MB of free data ingestion for each virtual machine (VM) connected to the workspace. This allocation specifically applies to the security data types collected directly by Defender for Cloud.

The data allowance is a daily rate calculated across all connected machines. Your total daily free limit is equal to the [number of machines] x 500 MB. So even if on a given day some machines send 100 MB and others send 800 MB, if the total data from all machines doesn't exceed your daily free limit, you won't be charged extra.

What data types are included in the 500-MB data daily allowance?

Defender for Cloud's billing is closely tied to the billing for Log Analytics. Microsoft Defender for Servers provides a 500 MB/node/day allocation for machines against the following subset of security data types:

If the workspace is in the legacy Per Node pricing tier, the Defender for Cloud and Log Analytics allocations are combined and applied jointly to all billable ingested data. To learn more on how Microsoft Sentinel customers can benefit, please see the Microsoft Sentinel Pricing page.

How can I monitor my daily usage?

You can view your data usage in two ways: in the Azure portal, or by running a query.

To view your usage in the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to Log Analytics workspaces.

  3. Select your workspace.

  4. Select Usage and estimated costs.


You can also view estimated costs under different pricing tiers by selecting each pricing tier.


To view your usage by using a script:

  1. Sign in to the Azure portal.

  2. Navigate to Log Analytics workspaces > Logs.

  3. Select your time range. Learn about time ranges.

  4. Copy and paste the following query into the Type your query here section.

    // Billable ingestion for the security data types covered by the allowance,
    // summed per data type and converted from MB (the Usage table's unit) to GB.
    let Unit = 'GB';
    Usage
    | where IsBillable == true
    | where DataType in ('SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary', 'SecurityDetection', 'SecurityEvent', 'WindowsFirewall', 'MaliciousIPCommunication', 'SysmonEvent', 'ProtectionStatus', 'Update', 'UpdateSummary')
    | project TimeGenerated, DataType, Solution, Quantity, QuantityUnit
    | summarize DataConsumedPerDataType = sum(Quantity)/1024 by DataType, DataUnit = Unit
    | sort by DataConsumedPerDataType desc
    
  5. Select Run.


You can learn how to Analyze usage in Log Analytics workspace.

Based on your usage, you won't be billed until you've used your daily allowance. If you're receiving a bill, it's only for data ingested after the 500-MB limit is reached, or for other services that don't fall under the coverage of Defender for Cloud.
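The allowance rules described above (500 MB per node per day pooled across all nodes in a workspace, granted separately for each workspace a multi-homed agent reports to, and counting only the covered security data types) are easy to misjudge from a raw usage export. The following Python model is an added example, not code from the Microsoft documentation; it reproduces the per-data-type aggregation of the KQL query above over a handful of constructed Usage-style rows and then checks pooled consumption against the allowance for each workspace. The workspace and computer names and the row values are constructed sample data.

```python
from collections import defaultdict

# Security data types covered by the 500 MB/node/day allowance, as listed in
# the page's KQL query.
COVERED_DATA_TYPES = {
    'SecurityAlert', 'SecurityBaseline', 'SecurityBaselineSummary',
    'SecurityDetection', 'SecurityEvent', 'WindowsFirewall',
    'MaliciousIPCommunication', 'SysmonEvent', 'ProtectionStatus',
    'Update', 'UpdateSummary',
}
FREE_MB_PER_NODE = 500

# Constructed one-day sample, shaped like Usage table rows:
# (workspace, computer, data_type, quantity_mb, is_billable).
SAMPLE_USAGE = [
    ('ws-prod', 'vm-a', 'SecurityEvent', 100.0, True),
    ('ws-prod', 'vm-b', 'SecurityEvent', 800.0, True),
    ('ws-prod', 'vm-b', 'Perf', 300.0, True),          # not a covered data type
    ('ws-prod', 'vm-c', 'Heartbeat', 5.0, False),      # free data type, still a node
    ('ws-sec',  'vm-b', 'SecurityEvent', 700.0, True), # vm-b is multi-homed
]


def consumed_per_data_type(rows, workspace):
    """Mirror the page's KQL: billable, covered data per DataType in GB,
    sorted descending (Quantity in the Usage table is in MB, so divide by 1024)."""
    totals = defaultdict(float)
    for ws, _computer, data_type, quantity_mb, is_billable in rows:
        if ws == workspace and is_billable and data_type in COVERED_DATA_TYPES:
            totals[data_type] += quantity_mb / 1024
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def allowance_report(rows, workspace):
    """Pool the covered, billable data of every node in the workspace and
    compare it with nodes x 500 MB; only the excess is charged."""
    nodes = {computer for ws, computer, *_ in rows if ws == workspace}
    covered_mb = sum(
        quantity_mb
        for ws, _computer, data_type, quantity_mb, is_billable in rows
        if ws == workspace and is_billable and data_type in COVERED_DATA_TYPES
    )
    free_mb = len(nodes) * FREE_MB_PER_NODE
    return {
        'nodes': len(nodes),
        'free_mb': free_mb,
        'covered_mb': covered_mb,
        'over_mb': max(0.0, covered_mb - free_mb),
    }


if __name__ == '__main__':
    for ws in ('ws-prod', 'ws-sec'):
        print(ws, consumed_per_data_type(SAMPLE_USAGE, ws), allowance_report(SAMPLE_USAGE, ws))
```

In `ws-prod`, vm-a sends 100 MB and vm-b sends 800 MB, but the three nodes share a 1500 MB pool, so nothing is charged; the 300 MB of `Perf` is outside the covered set and neither consumes nor benefits from the allowance. In `ws-sec`, the multi-homed vm-b gets its own 500 MB allowance, and its 700 MB there leaves 200 MB billable.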

How can I manage my costs?

You might want to manage your costs and limit the amount of data collected for a solution by limiting it to a particular set of agents. Use solution targeting to apply a scope to the solution and target a subset of computers in the workspace. If you're using solution targeting, Defender for Cloud lists the workspace as not having a solution.

Important

Solution targeting has been deprecated because the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use solution targeting if you already have it configured, but it isn't available in new regions. The feature won't be supported after August 31, 2024. Regions that support solution targeting until the deprecation date are:

| Air-gapped clouds | Region code | Region name |
|---|---|---|
| China | MC | ChinaEast2 |