Integrate Windows Server with Microsoft Defender for Servers, Defender XDR, and Microsoft Sentinel for continuous vulnerability monitoring.

Monitor Windows Server Vulnerabilities

Windows Server is still the backbone of many production environments, from on‑premises hypervisors to cloud VMs running critical workloads. That also makes it a prime target: misconfigurations, missing patches, and exposed services can quickly turn into exploitable vulnerabilities if you are not monitoring continuously.

The good news is that the Microsoft security stack gives you everything you need to build a modern vulnerability monitoring pipeline around Windows Server using Microsoft Defender for Servers, Defender XDR, and Microsoft Sentinel. In this article, you will learn:

By the end, you will have a Windows Server acting as a fully monitored sensor, feeding both vulnerability and security telemetry into a central SIEM/XDR platform.

Prerequisites and Assumptions

Before starting, make sure you have:

The examples assume a region like westeurope and a simple naming convention; adjust to your standards.

Step 1: Create the Resource Group and Log Analytics Workspace

First, create a resource group for your security resources:

az group create \
--name sec-rg \
--location westeurope

Next, create a Log Analytics workspace that Microsoft Sentinel will use as its data lake:

az monitor log-analytics workspace create \
--resource-group sec-rg \
--workspace-name sec-law-sentinel \
--location westeurope

You will need the workspace ID later, so grab it now:

az monitor log-analytics workspace show \
--resource-group sec-rg \
--workspace-name sec-law-sentinel \
--query customerId \
--output tsv

This workspace will store Security events, Defender alerts, and any other logs you decide to ingest.

Step 2: Enable Microsoft Sentinel on the Workspace

Next, enable Microsoft Sentinel on that workspace.

In the Azure portal:

  1. Open Microsoft Sentinel.
  2. Click Create or Add.
  3. Select the sec-law-sentinel workspace.
  4. Confirm to enable Sentinel for this workspace.

If you prefer CLI, you can also run:

az security sentinel create \
--resource-group sec-rg \
--workspace-name sec-law-sentinel

At this point, your Log Analytics workspace is Sentinel‑enabled and ready to ingest data, run analytics rules, and power your dashboards and hunting queries.

Step 3: Enable Defender for Servers and Defender Vulnerability Management

Now you need the endpoint side to actually discover vulnerabilities on your Windows Server.

In the Azure portal:

  1. Go to Defender for Cloud.
  2. Under Environment settings, select your subscription.
  3. Under Plans, enable Defender for Servers (Plan 1 or Plan 2; Plan 2 unlocks more advanced capabilities).
  4. In the Defender for Servers configuration, enable Defender Vulnerability Management as the vulnerability assessment solution.

This ensures that Windows Servers in this subscription, including Azure VMs and Arc‑connected machines, will be covered by Defender for Servers and scanned for vulnerabilities with Defender Vulnerability Management.

Step 4: Onboard the Windows Server to Microsoft Defender for Endpoint

If your server is not an Azure VM or you want explicit control, onboard it directly from the Defender portal.

4.1 Download the onboarding package

  1. Navigate to the Microsoft Defender portal (security.microsoft.com).
  2. Go to Settings → Endpoints → Onboarding.
  3. Select the appropriate Windows Server version.
  4. Choose Local script for up to 10 machines and download the package.

The package contains a CMD or PowerShell script that registers the server with Defender for Endpoint.

4.2 Run the onboarding script on the server

Copy the onboarding package to your Windows Server, open an elevated PowerShell session, and run:

cd C:\Temp\MDATPOnboarding
.\WindowsDefenderATPOnboardingScript.cmd

After the script finishes, you can optionally collect a diagnostic package to help confirm connectivity (from the same PowerShell session):

& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles

Within several minutes, you should see this server appear under Devices in the Defender portal, and Defender Vulnerability Management will start populating its vulnerability inventory, including CVEs, missing patches, and misconfigurations.
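To confirm that the sensor is reporting and to see what Defender Vulnerability Management has found so far, here is an added advanced hunting query (not from the original article) for the Defender portal; it assumes the DeviceInfo and DeviceTvmSoftwareVulnerabilities tables are available in advanced hunting and uses <YOUR-SERVER-NAME> as a placeholder for the server's hostname.

```kql
// Added example: confirm sensor state and summarize Defender Vulnerability Management
// findings for one server. Run in the Defender portal under Hunting > Advanced hunting.
// <YOUR-SERVER-NAME> is a placeholder for the onboarded server's hostname.
let TargetDevice = "<YOUR-SERVER-NAME>";
// Latest sensor record for the device: onboarding status and sensor health.
let Sensor = DeviceInfo
    | where DeviceName startswith TargetDevice
    | summarize arg_max(Timestamp, DeviceId, OSPlatform, OnboardingStatus, SensorHealthState) by DeviceName
    | project DeviceId, DeviceName, OSPlatform, OnboardingStatus, SensorHealthState;
// Open vulnerabilities per severity, keeping a bounded sample of CVEs and products.
let Vulns = DeviceTvmSoftwareVulnerabilities
    | where DeviceName startswith TargetDevice
    | summarize
        VulnCount = dcount(CveId),
        SampleCves = make_set(CveId, 20),
        AffectedSoftware = make_set(SoftwareName, 20)
      by DeviceId, VulnerabilitySeverityLevel;
Sensor
| join kind=leftouter Vulns on DeviceId
// Rank severities so the output is ordered Critical first rather than alphabetically.
| extend SeverityRank = case(
    VulnerabilitySeverityLevel == "Critical", 0,
    VulnerabilitySeverityLevel == "High", 1,
    VulnerabilitySeverityLevel == "Medium", 2,
    VulnerabilitySeverityLevel == "Low", 3,
    4)
| project DeviceName, OSPlatform, OnboardingStatus, SensorHealthState,
          VulnerabilitySeverityLevel, VulnCount, SampleCves, AffectedSoftware, SeverityRank
| order by SeverityRank asc
| project-away SeverityRank
```

A row with OnboardingStatus of Onboarded and an active SensorHealthState but no vulnerability rows usually means the first assessment has not completed yet; re-run after the inventory has had time to populate.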

Step 5: Connect Defender XDR to Microsoft Sentinel

The next step is to connect Defender XDR to Microsoft Sentinel, so incidents, alerts, and raw events flow into your SIEM.

5.1 Install the Microsoft Defender XDR solution in Sentinel

  1. In the Azure portal, open Microsoft Sentinel and select the sec-law-sentinel workspace.
  2. Go to Content hub.
  3. Search for Microsoft Defender XDR.
  4. Click Install to add the solution.

This installs the data connector, analytic rules, and other content needed for integration.

5.2 Configure the Defender XDR data connector

  1. In Sentinel, go to Data connectors.
  2. Open the Microsoft Defender XDR connector.
  3. Under Configuration, enable:

Then, click Connect.

After this, Defender incidents and alerts will appear in Sentinel as incidents, giving you a unified queue to triage and investigate.

Step 6: Ingest Windows Security Events into Sentinel with AMA

Alerts are useful, but you also want raw Windows Security logs (logons, privilege use, process events) for deeper hunting and correlation.

6.1 Install Azure Monitor Agent (AMA) on the server

For an Azure VM example:

az vm extension set \
--publisher Microsoft.Azure.Monitor \
--name AzureMonitorWindowsAgent \
--resource-group <vm-rg> \
--vm-name <vm-name>

Replace <vm-rg> and <vm-name> with your VM’s resource group and name.

For on‑prem servers, the recommended way is to onboard them as Azure Arc‑enabled servers, then deploy AMA through the Azure Monitor / DCR pipeline. The Arc onboarding flow gives you a script to run on the server to register it.

6.2 Create a Data Collection Rule (DCR) for SecurityEvent

In the Sentinel / Azure Monitor experience:

  1. In Sentinel, go to Data connectors.
  2. Open Windows Security Events via AMA.
  3. Click Create data collection rule.
  4. Name it something like dcr-win-security-common, select sec-rg, and choose the sec-law-sentinel workspace.
  5. Under Resources, add your Windows Server or its Arc resource.
  6. Under Collect, choose Common Windows Security events (a balanced default), or All if you want full fidelity and will tune volume later.
  7. Create the rule.

Security events from your Windows Server will now stream into the SecurityEvent table in your Sentinel workspace.

Step 7: (Optional) Connect Sentinel to the Defender Portal

For a fully unified SecOps experience, connect the Sentinel workspace to the Defender portal so you can manage Sentinel incidents from the same place as Defender XDR.

In the Defender portal:

  1. Go to Settings → Microsoft Sentinel.
  2. Locate your sec-law-sentinel workspace (it should appear as not connected).
  3. Select the workspace and click Connect workspace.

From now on, Sentinel incidents and Defender incidents can be handled in a single pane of glass, including advanced investigation tools and timelines.

Step 8: Validate Ingestion and Start Hunting with KQL

With onboarding complete, you should validate that data is flowing correctly and build your first simple queries.

8.1 Validate Windows Security events

In the Sentinel workspace, open Logs and run:

SecurityEvent
| where TimeGenerated >= ago(1h)
| where Computer == "<YOUR-SERVER-NAME>"
| summarize Count = count() by EventID
| order by Count desc

You should see logon events (4624, 4625), privilege use, and other activities from your server. If not, re‑check the AMA extension and DCR binding.

8.2 Validate Defender alerts

Run:

SecurityAlert
| where TimeGenerated >= ago(1d)
| where ProductName has "Defender"  // ProviderName holds short provider codes, so filter on ProductName
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity
| order by TimeGenerated desc

You should see alerts raised by Defender for Endpoint or other Defender products, now available for correlation, dashboards, and automation inside Sentinel.

Step 9: Add a First Automation Playbook (Optional, But Powerful)

To close the loop, create a simple automation that reacts to high‑severity incidents.

At a high level:

  1. In Sentinel, go to Automation → Create → Playbook.
  2. Use the When a response to an Azure Sentinel alert is triggered Logic Apps trigger.
  3. Add actions such as:

Once created, you can attach this playbook to specific analytics rules, for example, a rule that fires when multiple high‑severity Defender alerts occur on the same Windows Server within a short time window.
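The rule described above, as an added example query (not part of the original article) for a scheduled analytics rule in Sentinel; the lookback window and alert threshold are assumptions to tune for your environment.

```kql
// Added example: query for a scheduled analytics rule that fires when one server
// accumulates several high-severity Defender alerts in a short window (the Step 9 rule).
// LookbackWindow and MinAlerts are assumptions; set the rule's lookback to LookbackWindow.
let LookbackWindow = 1h;
let MinAlerts = 3;
SecurityAlert
| where TimeGenerated >= ago(LookbackWindow)
// SecurityAlert can hold several rows per alert as it is updated; keep the latest per alert.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where AlertSeverity == "High"
| where ProductName has "Defender"
// CompromisedEntity carries the hostname for endpoint alerts; normalize case for grouping.
| extend Host = tolower(CompromisedEntity)
| where isnotempty(Host)
| summarize
    AlertCount = count(),
    DistinctAlertTypes = dcount(AlertName),
    AlertNames = make_set(AlertName, 10),
    FirstAlert = min(TimeGenerated),
    LastAlert = max(TimeGenerated)
  by Host
| where AlertCount >= MinAlerts
| extend WindowMinutes = datetime_diff("minute", LastAlert, FirstAlert)
| project Host, AlertCount, DistinctAlertTypes, WindowMinutes, FirstAlert, LastAlert, AlertNames
| order by AlertCount desc
```

In the rule settings, map Host to the Host entity so the incident shows the affected server, and attach the playbook from this step as the automated response.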

This turns your monitoring stack into an active response system rather than a passive log bucket.

Conclusion

Monitoring vulnerabilities on Windows Server is no longer just about running a quarterly scan and filing a PDF report. With Microsoft Defender for Servers, Defender XDR, and Microsoft Sentinel, you can build a continuous, cloud‑native monitoring pipeline that:

From here, you can scale using Azure Arc, policies, and templates, and refine analytics and automation based on your environment’s behavior.


How to Monitor Windows Server Vulnerabilities with Microsoft Defender and Sentinel was originally published in System Weakness on Medium.