CSunny789 asked AnuragSingh-MSFT commented

How to query multiple Managed Device event logs?

Hi All,

How do I get the security event logs from a managed device into Azure for querying? Can you please tell me the best way to query managed devices' Event Logs? What Azure resource should I use: Azure Monitor, Log Analytics, Azure Sentinel, or another resource? Can you please give me basic instructions with a few demo queries? Should I be using Log Analytics with Kusto Query Language?

Can you please tell me the difference between the following resources, with examples on when I should use them:

  • Log Analytics

  • Azure Monitor

  • Microsoft Graph

  • Azure Graph

Many thanks
Colin

Tags: azure-monitor, microsoft-sentinel, microsoft-graph-insights

AndrewBlumhardt-1137 answered CSunny789 commented

Security event logs can be collected by Sentinel, Defender for Cloud, or by a Data Collection Rule. The DCR rule requires the new Azure Monitor Agent (AMA). These solutions will centrally collect security event logs into a Log Analytics Workspace for further analysis.

Which to choose really depends on what you have currently deployed. Sentinel is the best choice from a security perspective and the most expensive. Using a DCR rule to a standard workspace is less expensive but you have to create your own rules and dashboards.

https://docs.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview


Hi Andrew,

Do you know of any step-by-step guides or demo videos for beginners on how to do this?

I hope you can help
Colin



0 Votes 0 ·
AnuragSingh-MSFT avatar image
0 Votes"
AnuragSingh-MSFT answered AnuragSingh-MSFT commented

Hi @CSunny789,

The following content is an extension to Andrew's answer above.

Here are some basics to help you understand different services/solutions:

Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. The analysis and threat intelligence are based on the data collected in Log Analytics workspace.

Log Analytics Workspace is a service which stores the monitoring data. You can think of it as a DB to store and query monitoring data. All the monitoring services/agents forward the data to this workspace, which is used for querying, alerting and analyzing.

Azure Monitor is an umbrella name for a collection of tools designed to provide visibility into the state of your system. It helps you understand how your cloud-native services are performing and proactively identifies issues affecting them. Log Analytics also comes under Azure Monitor. Please refer to this link to understand all the other services included in Azure Monitor.

Microsoft Graph provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. In short, it provides a single endpoint to query data from Microsoft services (not event logs from VMs).

Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.


To collect event logs from Managed Devices, you will have to use an agent. For Windows machines, you can either use AMA (Azure Monitor Agent) or Log Analytics agent (also called OMS agent or Microsoft Monitoring Agent). The collected data will be forwarded to "Log Analytics Workspace" and can be used either in Microsoft Sentinel OR directly by querying the logs from workspace (which does not require Microsoft Sentinel to be enabled).

Here are some links that should help you:

1. Azure Monitor agent - this can be used for Azure VMs, scale sets and Azure Arc-enabled servers. Please refer to this video for a walkthrough.

2. Log Analytics Agent - this can be used for Azure VMs, scale sets, Azure Arc-enabled servers as well as on-premises machines. Please follow this learn module to get step-by-step guidance on getting started.

3. Querying data - Once you have the data in Log Analytics workspace, you may query it using KQL. This doc gives a good starting point for querying this data.

4. Microsoft Sentinel - please refer to the following link - Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR

I hope these resources will be helpful to you. Please let us know if you have any questions.


Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.


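The following KQL is an added editorial example, not part of either answer above, covering both the demo queries the question asked for and the "Querying data" step of the second answer. It assumes the Security event log of each managed device already lands in the SecurityEvent table of a Log Analytics workspace (via AMA plus a DCR, or the Sentinel Security Events connector), that the agent's Heartbeat table is populated, and that the 24-hour window, the failure thresholds and the chosen Event IDs are illustrative values to be tuned for your environment.

```kusto
// Added example queries (not from the original answers). Assumption: the
// Security log of every managed device is forwarded into the SecurityEvent
// table of one Log Analytics workspace; thresholds below are illustrative.

// 1. Coverage check: which devices are actually reporting?
//    A silent device is a monitoring gap, not a quiet one.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastSeen = max(TimeGenerated) by Computer
| extend MinutesSilent = datetime_diff('minute', now(), LastSeen)
| order by MinutesSilent desc

// 2. Failed logons (4625) per device and target account, across all devices.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| summarize Failures = count(),
            Sources = dcount(IpAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by Computer, TargetAccount = strcat(TargetDomainName, "\\", TargetUserName)
| where Failures >= 10
| order by Failures desc

// 3. Failures followed by a network/RDP success from the same source on the
//    same device and account: a pattern worth reviewing as a possible
//    password-guessing attempt that eventually succeeded.
let failed = SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4625
    | summarize Failures = count() by Computer, TargetUserName, IpAddress
    | where Failures >= 5;
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624 and LogonType in (3, 10)
| join kind=inner failed on Computer, TargetUserName, IpAddress
| project TimeGenerated, Computer, TargetUserName, IpAddress, LogonType, Failures
| order by TimeGenerated desc

// 4. Account creation and privileged/local group membership changes.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4720, 4728, 4732, 4756)
| project TimeGenerated, Computer, EventID, Activity, SubjectAccount, TargetAccount, MemberName
| order by TimeGenerated desc
```

Each numbered section is a separate query: in the Logs blade, highlight one section (including its `let` statement where present) and run it on its own. The same queries work unchanged as the basis of a Sentinel analytics rule or a workspace alert rule; the Heartbeat query is the one to schedule first, because every other query silently returns nothing for devices whose agent has stopped reporting.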

@CSunny789, I wanted to check if you had a chance to review my answer above. Please let me know if you have any queries or concerns.

Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.
