Connect Windows Virtual Desktop data to Azure Sentinel

This article describes how you can monitor your Windows Virtual Desktop (WVD) environments using Azure Sentinel.

Monitoring these environments lets you extend remote work on virtualized desktops while keeping visibility into session host events, endpoint alerts, and the service's own connection and management activity, so the organization's security posture does not erode as the WVD footprint grows.

Windows Virtual Desktop data in Azure Sentinel

Windows Virtual Desktop data in Azure Sentinel includes the following types:

Windows event logs

Windows event logs from the WVD environment are streamed into an Azure Sentinel-enabled Log Analytics workspace in the same way as Windows event logs from any other Windows machine outside the WVD environment: install the Log Analytics agent on each session host and configure which Windows event logs are sent to the workspace.

For more information, see:
- Install Log Analytics agent on Windows computers
- Collect Windows event log data sources with Log Analytics agent
- Connect Windows security events

Microsoft Defender for Endpoint alerts

To configure Defender for Endpoint for Windows Virtual Desktop, use the same procedure as you would for any other Windows endpoint, and then connect Microsoft 365 Defender to Azure Sentinel so that the alerts arrive in the workspace.

For more information, see:
- Set up Microsoft Defender for Endpoint deployment
- Connect data from Microsoft 365 Defender to Azure Sentinel

Windows Virtual Desktop diagnostics

Windows Virtual Desktop diagnostics is a feature of the Windows Virtual Desktop PaaS service, which logs information whenever someone assigned a Windows Virtual Desktop role uses the service.

Each log contains information about which Windows Virtual Desktop role was involved in the activity, any error messages that appeared during the session, tenant information, and user information.

The diagnostics feature creates activity logs for both user and administrative actions.

For more information, see Use Log Analytics for the diagnostics feature in Windows Virtual Desktop.

Connect Windows Virtual Desktop data

To start ingesting Windows Virtual Desktop data into Azure Sentinel, use the instructions from the Windows Virtual Desktop documentation.

For more information, see Push Windows Virtual Desktop data to your Log Analytics workspace.
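As an added, end-to-end example that is not part of the original article, the following PowerShell wires up the three data types listed above for one session host and its host pool using the Az modules. The resource group, workspace, host pool and VM names are placeholders, the Windows event log channel names are assumptions, and it assumes Az.Accounts, Az.Compute, Az.OperationalInsights, Az.DesktopVirtualization and an Az.Monitor version that still ships Set-AzDiagnosticSetting (pre-3.0) are installed.

```powershell
# Added example: connect one WVD session host and its host pool to a
# Sentinel-enabled Log Analytics workspace. All names below are placeholders.
$rg       = "rg-wvd-prod"    # assumed resource group
$wsName   = "law-sentinel"   # assumed Sentinel-enabled workspace
$hostPool = "hp-wvd-prod"    # assumed host pool
$vmName   = "wvd-sh-0"       # assumed session host VM

Connect-AzAccount | Out-Null

$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$key = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName).PrimarySharedKey
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. Windows event logs: install the Log Analytics agent (MMA) on the session host.
#    The workspace key goes in ProtectedSettings so it is not readable back from
#    the extension configuration.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name "MicrosoftMonitoringAgent" `
    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType "MicrosoftMonitoringAgent" `
    -TypeHandlerVersion "1.0" `
    -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
    -ProtectedSettings @{ workspaceKey = $key } | Out-Null

#    Tell the workspace which event logs to collect from every connected agent.
#    The Security log is NOT collected this way; enable the Sentinel
#    "Security Events" connector for it. Channel names here are assumptions.
$channels = @(
    "System",
    "Application",
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
)
foreach ($log in $channels) {
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg -WorkspaceName $wsName `
        -Name ($log -replace '[/ ]', '-') -EventLogName $log `
        -CollectErrors -CollectWarnings -CollectInformation | Out-Null
}

# 2. Defender for Endpoint alerts need no per-VM step here: onboard the session
#    hosts as ordinary Windows endpoints and enable the Microsoft 365 Defender
#    connector in Sentinel (see the links above).

# 3. WVD diagnostics: send the host pool's diagnostic categories to the workspace.
$hp = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool
Set-AzDiagnosticSetting -ResourceId $hp.Id -WorkspaceId $ws.ResourceId -Name "wvd-to-sentinel" `
    -Enabled $true -Category Checkpoint, Error, Management, Connection, HostRegistration | Out-Null

# Verify that every category is enabled before relying on it for detections.
Get-AzDiagnosticSetting -ResourceId $hp.Id |
    Select-Object -ExpandProperty Logs |
    Format-Table Category, Enabled
```

Run the diagnostic-setting step once per host pool (and once per WVD workspace resource, whose categories differ: Checkpoint, Error, Management and Feed), and repeat the agent step for each session host, or bake the extension into the session host image instead.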

Find your data

After a successful connection is established, run queries in Azure Sentinel against your Log Analytics data.

For example, see sample queries from the Windows Virtual Desktop documentation.

Azure Sentinel also provides built-in queries in the General > Logs > WINDOWS VIRTUAL DESKTOP area.

(Screenshot: Windows Virtual Desktop built-in queries in Azure Sentinel.)
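As an added example, not taken from the original article or the WVD sample queries, the following PowerShell runs a KQL query over the diagnostics tables from outside the portal, which is useful for scheduled checks or for feeding results into a ticketing step. The workspace name is a placeholder, and the table and column names (WVDConnections, WVDErrors, State, UserName, ClientOS, CodeSymbolic) are assumed to match the WVD diagnostics schema.

```powershell
# Added example: query WVD diagnostics from PowerShell with Az.OperationalInsights.
# Workspace name is a placeholder; table/column names are assumed schema.
$rg     = "rg-wvd-prod"    # assumed resource group
$wsName = "law-sentinel"   # assumed Sentinel-enabled workspace
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

# Users whose sessions were started noticeably more often than they reached the
# "Connected" state in the last 7 days, joined with the error codes the service
# logged for them. Repeated connect failures for one account are a cheap signal
# for credential problems, conditional-access blocks, or password spraying.
$query = @"
let lookback = 7d;
WVDConnections
| where TimeGenerated > ago(lookback)
| summarize Started    = countif(State == "Started"),
            Connected  = countif(State == "Connected"),
            ClientOSes = make_set(ClientOS)
  by UserName
| extend FailedToConnect = Started - Connected
| where FailedToConnect >= 5
| join kind=leftouter (
    WVDErrors
    | where TimeGenerated > ago(lookback)
    | summarize Errors = count(), Codes = make_set(CodeSymbolic) by UserName
  ) on UserName
| project UserName, Started, Connected, FailedToConnect, Errors, Codes, ClientOSes
| order by FailedToConnect desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId `
    -Query $query -Timespan (New-TimeSpan -Days 7)

# $result.Results is a list of row objects; print them, or hand them to a
# scheduled analytics rule in Sentinel once the threshold is tuned.
$result.Results | Format-Table -AutoSize
```

The same KQL can be pasted directly into the Sentinel Logs blade or used as the query of a scheduled analytics rule; when investigating a single hit, pivot on CorrelationId in WVDConnections and WVDErrors to see the full sequence of that user's connection attempt.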

Next steps

For more information, see the Azure Monitor for Windows Virtual Desktop glossary.