FAQ for customers already using Azure Monitor logs

If a VM already has the Log Analytics agent installed as an Azure extension, Defender for Cloud does not override the existing workspace connection. Instead, Defender for Cloud uses the existing workspace. The VM will be protected provided that the "Security" or "SecurityCenterFree" solution has been installed on the workspace to which it is reporting.

A Defender for Cloud solution is installed on the workspace selected in the Data Collection screen if not present already, and the solution is applied only to the relevant VMs. When you add a solution, it's automatically deployed by default to all Windows and Linux agents connected to your Log Analytics workspace. Solution Targeting allows you to apply a scope to your solutions.

When Defender for Cloud identifies that a VM is already connected to a workspace you created, Defender for Cloud enables solutions on this workspace according to your pricing configuration. The solutions are applied only to the relevant resources, via solution targeting, so the billing remains the same.

• Enhanced security off – Defender for Cloud installs the "SecurityCenterFree" solution on the workspace. You won't be billed.

• Enable all Microsoft Defender plans – Defender for Cloud installs the 'Security' solution on the workspace.

  

If a VM already has the Log Analytics agent installed as an Azure extension, Defender for Cloud uses the existing connected workspace. A Defender for Cloud solution is installed on the workspace if not present already, and the solution is applied only to the relevant VMs via solution targeting.

When Defender for Cloud installs the Log Analytics agent on VMs, it uses the default workspaces created by Defender for Cloud if it's not pointed to an existing workspace.

The Security & Audit solution is used to enable Microsoft Defender for Servers. If the Security & Audit solution is already installed on a workspace, Defender for Cloud uses the existing solution. There is no change in billing.