1 Vote
GabrielliLuca-5217 asked YashMudaliar-2108 answered

Azure Active Directory events and Security Events of Azure Virtual Server Domain Controller Events

Hi,
On an Azure Sentinel workgroup I have the Azure Active Directory connector and the Security Event connector enabled.

Some of the customer's Domain Controllers are present on Azure Virtual Machine servers.

If I install the Agent on the Azure Virtual Machine, will I have duplicated events collected? One from the Azure Active Directory connector and one from the Security Event connector?

Are the events generated from Azure Active Directory the same as the Security Events generated by the Domain Controller installed on the Azure Virtual Machine?

I don't want duplicated events on the workgroup.

Regards,


LG

microsoft-sentinel

1 Answer

0 Votes
YashMudaliar-2108 answered

Hi @GabrielliLuca-5217 ,

Not at all the events from Azure AD are the same as from Domain controllers (DCs).
In simple words, the logs from DCs can be considered as the logs from on-premises Windows AD, which include every application and system log generated (which will be required to be enabled from LAW -> Agents Configuration).

And as the term suggests, the Azure AD connector will only generate logs which go through cloud authentication. You will even have a choice to generate logs of your choice while enabling the connector.

Hope I was able to explain myself. If my answer helps you, please upvote it.

Cheers,
Yash
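
To check in a workspace what each of the two connectors actually contributes, here is an added example that is not part of the original thread. It assumes the default table names (SigninLogs and AuditLogs for the Azure AD connector, SecurityEvent for the agent on the DC virtual machine) and a 24-hour lookback chosen for illustration.

```kql
// Added example: break down collected events by table, origin and activity
// so the two connectors can be compared side by side.
// Assumptions: default table names; 24h lookback (adjust as needed).
let lookback = 24h;
union withsource=SourceTable isfuzzy=true SigninLogs, AuditLogs, SecurityEvent
| where TimeGenerated > ago(lookback)
// SecurityEvent rows come from a machine running the agent (the DC VM);
// SigninLogs/AuditLogs rows come from the Azure AD tenant itself.
| extend Origin = iff(SourceTable == "SecurityEvent",
                      tostring(column_ifexists("Computer", "")),
                      "Azure AD tenant")
// SecurityEvent describes the event in Activity ("<EventID> - <text>"),
// the Azure AD tables describe it in OperationName.
| extend What = iff(SourceTable == "SecurityEvent",
                    tostring(column_ifexists("Activity", "")),
                    tostring(column_ifexists("OperationName", "")))
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by SourceTable, Origin, What
| order by SourceTable asc, Events desc
```

Each connector writes to its own table, so the result lists the Windows event activities reported by the DC separately from the Azure AD operations.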
