0 Votes
SumeethaMogasati-9915 asked, AndrewBlumhardt-1137 commented

Azure Monitor - Security Logs to Log Analytics

Hi,

The solution requirement is to store Audit Logs (Security logs) from the Azure Monitor in Azure Log Analytics.

After installing an agent for Azure Monitor and checking the collected logs, it is understood that Security logs are not captured/collected. Azure processes Security Logs through satellite or Windows Defender. It is feasible to process the logs locally on the file server, but this requires a 3rd-party application, which involves cost, licensing, etc.

Currently, there is no native support from Azure Monitor for Security Logs.

Help in meeting the above requirements natively, without using any 3rd-party services, would be appreciated.

Thanks,

Tags: azure-monitor, azure-security-center, microsoft-sentinel

1 Answer

1 Vote
AndrewBlumhardt-1137 answered, AndrewBlumhardt-1137 commented

Log Analytics does not support Windows security event log collection (when using the MMA agent). It is not listed in the custom event log collection list. At least not using the MMA agent directly. You need to use Defender for Cloud or Sentinel for security event collection. Though it appears that the new Data Collection Rules used with the new AMA agent do allow security event collection as well.


Hi Andrew,

Thanks for your help.

Can you elaborate on the Data Collection Rules option with the new AMA agent, with relevant resources/URLs, please?

Thanks,

0 Votes

Thanks, Andrew, for your help and insight.

Please note that the required logs are for the 'File Access' on the VM.

Regards

0 Votes

File access is recorded by the Windows audit policy as event 4663. That is part of the minimal security event collection. Assuming the audit policy is enabled, the event can be collected with the methods described above.

https://morgantechspace.com/2014/11/How-to-monitor-or-track-File-Access-in-Windows.html

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects

https://docs.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference

0 Votes
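As an added illustration of the Data Collection Rule approach described in the answer above (this is not part of the original thread or of any Microsoft sample), the following DCR body makes the Azure Monitor Agent forward only event 4663 from the Windows Security log into the SecurityEvent table of a Log Analytics workspace. The subscription, resource group, workspace and data-source names are placeholders to be replaced; the rule only collects what Windows has already written, so the "Audit File System" subcategory and a SACL on the monitored folder must be enabled on the VM, or no 4663 events exist to collect.

```json
{
  "location": "<azure-region>",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityFileAccess",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [
            "Security!*[System[(EventID=4663)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "auditWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "auditWorkspace" ]
      }
    ]
  }
}
```

Save this as a file and create the rule with `az monitor data-collection rule create --rule-file <file>` (plus the rule name, resource group and location), then associate the rule with the VM that has the AMA installed; widening the XPath to `Security!*` instead of the single event ID turns the same rule into full security event collection at correspondingly higher ingestion volume.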