AshcoSystems-1147 asked AndrewBlumhardt-1137 answered

Log Analytics - Windows security logs

Hello

I have configured an Azure Log Analytics workspace, and two Windows 10 machines have the Monitoring Agent installed.

The agent is successfully deployed, but I can't see any Windows security event logs such as EventID 4624 and 4625.

Not sure if there is anything else which needs to be configured. The rest of the non-security event logs are fetched in real time.

Any input or advice is much appreciated.

Thanks
Ashish

azure-monitor microsoft-sentinel

You need to enable Azure Defender to be able to get security logs in Log Analytics.

Please see the following link.

https://docs.microsoft.com/en-us/answers/questions/235333/log-analytics-windows-security-logs.html


I'm having the same problem. I enabled Microsoft Defender for Cloud (as Azure Defender is now known) but I'm still not seeing any events with EventID 4625, despite seeing thousands of them in the security logs on the host itself.

stan answered

Hi,
Which security events are logged on your machines also depends on your local group audit policy. Make sure that these events are configured to be logged via the local group policy. If they are not logged on the servers, they will not be ingested either. An example of how these policies are configured can be seen here: Configure Windows Event collection


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



AndrewBlumhardt-1137 answered

I think you can technically connect workstations to Defender for Cloud for testing but it may not be officially supported.

Using the MMA agent, only Sentinel or MDFC have options to collect Windows Security event logs. They are in turn the result of your local audit policy. The workspace UI does not have a Security log option.

The AMA agent can collect security event logs. You first need Azure Arc for hybrid systems.

If you set up MDFC you need to look under the auto provisioning settings to enable security event collection. The minimal collection option will include 4625.

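The two answers above point at three separate places where 4624/4625 can get lost (local audit policy, the local Security log itself, and the MMA/workspace collection setting). The script below is an added diagnostic example, not code from this thread; it runs elevated on the monitored Windows host, uses only built-in tools plus the MMA's own COM configuration object (AgentConfigManager.MgmtSvcCfg), and ends with the KQL to confirm ingestion on the workspace side.

```powershell
# Added example: check each link in the chain from local audit policy to SecurityEvent ingestion.
# Run in an elevated PowerShell session on the Windows host that has the Monitoring Agent installed.

# 1. Local audit policy. The "Logon" subcategory must include Success (4624) and Failure (4625).
#    auditpol /r emits CSV; the "Inclusion Setting" column holds e.g. "Success and Failure".
$audit   = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$setting = ($audit | Select-Object -First 1).'Inclusion Setting'
Write-Host "Audit policy for 'Logon' subcategory: $setting"
if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
    Write-Warning "4624/4625 will not be generated locally; set 'Audit Logon' to Success and Failure via group policy."
}

# 2. Are the events actually present in the local Security log? If not, no agent can forward them.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$events | Group-Object Id | ForEach-Object {
    Write-Host ("EventID {0}: {1} occurrences in the last 24h" -f $_.Name, $_.Count)
}
if (-not $events) { Write-Warning "No 4624/4625 found in the local Security log since $since." }

# 3. MMA workspace connection. AgentConfigManager.MgmtSvcCfg is the agent's COM configuration object;
#    this step is skipped (with a warning) when the MMA / HealthService is not installed.
try {
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    foreach ($ws in $cfg.GetCloudWorkspaces()) {
        Write-Host ("Connected workspace {0}: {1}" -f $ws.workspaceId, $ws.ConnectionStatusText)
    }
} catch {
    Write-Warning "MMA configuration object not available: $($_.Exception.Message)"
}

# 4. Workspace side. With MMA only the Sentinel Security Events connector or the Defender for Cloud
#    auto-provisioning setting populates the SecurityEvent table; the workspace's generic
#    "Windows Event Logs" setting does not offer the Security log. Run this KQL in the Logs blade
#    (or via Invoke-AzOperationalInsightsQuery -WorkspaceId <id> -Query $kql) to see what arrived.
$kql = @"
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4625)
| summarize Count = count(), Latest = max(TimeGenerated) by Computer, EventID
| order by Computer asc, EventID asc
"@
Write-Host "Workspace verification query:`n$kql"
```

If steps 1 to 3 all pass but the KQL returns nothing, the gap is the collection setting itself (Sentinel connector or MDFC auto-provisioning tier), not the host.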