question

PraveenMittapalli-6705 asked SwathiDhanwada-MSFT commented

Unable to get Security Event in log analytics from data collection rule in Azure Monitor

Unable to get Security Event in Log Analytics from a data collection rule in Azure Monitor. I want to capture security events like 4624 for particular VMs. I created a data collection rule in Azure Monitor, added the VM as a resource, and added Windows event logs as a source (selected all checkboxes).
As the destination I gave a Log Analytics workspace, but I am unable to get the SecurityEvent table itself.

Tags: azure-virtual-machines, azure-monitor, azure-virtual-machines-monitoring


@PraveenMittapalli-6705 Checking in to see if the answer helped. If yes, please do "Accept Answer" and up-vote it. Let us know if there are still any additional issues we can help with.


1 Answer

SwathiDhanwada-MSFT answered

@PraveenMittapalli-6705 Apologies for the late response. Kindly note that security events are collected from Windows machines by Azure Security Center or Azure Sentinel. However, the Azure Monitor agent does not support solutions and insights such as VM insights and Azure Security Center as of now. The only scenario currently supported is collecting data using the data collection rules that you configure.

  • You can use AMA to natively collect Security Events, the same as other Windows Events. These flow to the 'Event' table in your Log Analytics workspace.

  • If you have Sentinel enabled on the workspace, the Security Events flow via AMA into the 'SecurityEvent' table instead (the same as when using the Log Analytics Agent). This will always require the solution to be enabled first.

For your reference, availability of solutions for AMA:

[image: 103442-image.png]

In your case, for security events, I would suggest you query the Event table of the Log Analytics workspace.
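As an added example that is not part of the original answer, the KQL below shows how to check both paths the answer describes: first that the Azure Monitor Agent on the VM is heartbeating into the workspace, then the Event table (no Sentinel) and the SecurityEvent table (Sentinel enabled) for logon event 4624. The VM name "myvm" and the one-hour window are assumptions; adjust them to your environment.

```kusto
// Added example, not from the original post. Assumes the VM is named "myvm"
// and that the DCR's Windows Event Logs source includes the Security log.

// 1) Confirm the Azure Monitor Agent on the VM is reporting to this workspace.
//    AMA heartbeats carry Category == "Azure Monitor Agent"; the legacy
//    Log Analytics agent does not, so this also tells you which agent is active.
Heartbeat
| where Computer == "myvm" and Category == "Azure Monitor Agent"
| summarize LastHeartbeat = max(TimeGenerated) by Computer, Category

// 2) Without Microsoft Sentinel on the workspace, AMA writes Security log
//    events into the Event table. Filter on EventLog and EventID, not on
//    the SecurityEvent table, which will not exist in this case.
Event
| where TimeGenerated > ago(1h)
| where Computer == "myvm"
| where EventLog == "Security" and EventID == 4624
| project TimeGenerated, Computer, EventID, EventLevelName, RenderedDescription
| order by TimeGenerated desc

// 3) With Sentinel enabled on the workspace, the same events land in
//    SecurityEvent instead, already parsed into typed columns.
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer == "myvm" and EventID == 4624
| project TimeGenerated, Computer, Account, LogonType, IpAddress
| order by TimeGenerated desc
```

If query 1 returns nothing, the DCR association or the agent extension is the problem rather than the destination table; if query 1 returns rows but query 2 is empty, check that the DCR's Windows Event Logs source actually includes the Security log (the portal's basic checkboxes cover Application, Security and System; a custom XPath such as `Security!*[System[(EventID=4624)]]` can be used to collect only the event of interest).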


