DanielFerezCasado-4889 asked JamesTran-MSFT commented

Doubt windows event agents

Hi there.

I have a couple of questions regarding the agents to install on Windows machines to bring events into Azure Sentinel.
I currently have the Azure Monitor agent for Log Analytics deployed on the DCs, and a separate Log Analytics workspace for Azure Sentinel. I want to connect Windows events to Sentinel's Log Analytics workspace.

The questions are as follows:

  1. To connect the Windows machines to Azure Sentinel, do I need the SecurityEvents agent, or can I use the current Azure Monitor agent?

  2. Can I forward events to the Azure Sentinel Log Analytics workspace using the Azure Monitor agent, and also keep them coming to the current Log Analytics workspace?

  3. Using the current agent, can I forward only security events to the Log Analytics workspace that Sentinel uses? That is, I want the security events to go to the Azure Sentinel Log Analytics workspace and the rest to the current Log Analytics workspace, where Sentinel is not.

Thank you for your help.

Regards.

Tags: windows-server, azure-monitor, microsoft-sentinel

@DanielFerezCasado-4889
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

GeorgeMoise-0315 answered

Hi Daniel,

If you're using the new Azure Monitor Agent (AMA) on your Domain Controllers already, then you can just create a new Data Collection Rule from Azure Sentinel by configuring the Windows Security Events via AMA data connector.

If you're using the Microsoft Monitoring Agent (MMA) on your Domain Controllers, then you can configure those agents from Control Panel --> Microsoft Monitoring Agent to connect to the Azure Sentinel Log Analytics Workspace (as the MMA can be configured to multi-home, reporting to as many as 4 Log Analytics Workspaces).
Once you have the MMA connected to the Azure Sentinel Log Analytics Workspace, from Azure Sentinel you can enable the Security Events collection by configuring the Security Events via Legacy Agent data connector.

I hope this helps you!
BR,
George
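As an added illustration (not George's code and not a template from the Sentinel connector), this Bicep fragment shows what a Data Collection Rule for the AMA path can look like when it answers question 3: the Security channel goes to the Sentinel workspace while System/Application go to the existing workspace. The two workspace resource IDs are parameters you supply, and the event ID list in the XPath filter is a small constructed set, not the connector's All/Common/Minimal sets.

```bicep
// Added example: one DCR, two destinations, Security channel split out.
// Both workspace resource IDs are assumptions supplied as parameters.
param sentinelWorkspaceId string   // resource ID of the Sentinel workspace
param opsWorkspaceId string        // resource ID of the existing Log Analytics workspace
param location string = resourceGroup().location

resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-dc-windows-events'   // constructed name
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'securityEvents'
          streams: [ 'Microsoft-SecurityEvent' ]
          // Constructed filter: logon, process creation and account/group changes.
          xPathQueries: [
            'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]'
          ]
        }
        {
          name: 'opsEvents'
          streams: [ 'Microsoft-Event' ]
          // Critical, Error and Warning only from the operational channels.
          xPathQueries: [
            'System!*[System[(Level=1 or Level=2 or Level=3)]]'
            'Application!*[System[(Level=1 or Level=2 or Level=3)]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        { name: 'sentinelWs', workspaceResourceId: sentinelWorkspaceId }
        { name: 'opsWs', workspaceResourceId: opsWorkspaceId }
      ]
    }
    // Each stream is routed to exactly one workspace, so Security events
    // never land in the ops workspace and ops noise never reaches Sentinel.
    dataFlows: [
      { streams: [ 'Microsoft-SecurityEvent' ], destinations: [ 'sentinelWs' ] }
      { streams: [ 'Microsoft-Event' ], destinations: [ 'opsWs' ] }
    ]
  }
}
```

The rule only takes effect once it is associated with each DC through a dataCollectionRuleAssociations resource, and after deployment it is worth confirming in the ops workspace that no rows arrive in SecurityEvent from those hosts.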

LimitlessTechnology-2700 answered

Hello @DanielFerezCasado-4889

You can use the current Azure Monitor agent to connect the Windows machines to Azure Sentinel.

Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA

Yes, you can forward events to the Azure Sentinel Log Analytics workspace using the Azure Monitor agent.

Azure Sentinel uses a Log Analytics workspace as its backend, storing events and other information. Log Analytics workspaces are the same technology as Azure Data Explorer uses for its storage. These backends are ultra-scalable, and you can get back results in seconds using the Kusto Query Language (KQL).

Hope this resolves your Query!!

--If the reply is helpful, please Upvote and Accept it as an answer--
