New Blog Post | How to configure Security Events collection with Azure Monitor Agent (Microsoft Community Hub)
Although Microsoft Defender for Servers (https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers), part of the Microsoft Defender for Cloud suite, does not rely on security event collection to provide its protection capabilities, customers may want to collect this valuable data to bring additional context to their server security investigations or alerts. For this reason, Defender for Servers Plan 2 users benefit from a free data ingestion allowance into Log Analytics, applied per day and per server (https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-servers#is-the-free-allowance-applied-per-workspace-or-per-machine-), as long as the plan is also enabled on the Log Analytics workspace, not only on the subscription (https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-servers#do-i-need-to-enable-defender-for-servers-on-the-subscription-and-on-the-workspace-).
Security event collection (for Windows systems only) is done with the help of a guest agent. Until now this has been possible with the Log Analytics agent (https://learn.microsoft.com/en-us/azure/defender-for-cloud/working-with-log-analytics-agent), and it is also possible for Microsoft Sentinel users via the Windows Security Events data connector, which uses the Azure Monitor Agent (the event sets it collects are documented at https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference). However, if you are not a Sentinel user yet and you are using Defender for Servers with the new Azure Monitor Agent (AMA) experience, it is still possible to collect security events, as you will learn next.
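The mechanism behind AMA-based security event collection is a Data Collection Rule (DCR) whose Windows event log data source uses the Microsoft-SecurityEvent stream (which lands in the SecurityEvent table, whereas the Microsoft-Event stream offered by the portal wizard lands in the Event table) and routes it to a Log Analytics workspace. The following Python is an added example, not code from the Microsoft post: it builds such a DCR body and checks that the Security channel is actually routed to a workspace, which is the step that silently fails when a data flow or destination name does not line up. The workspace resource ID, resource names and the 20-term cap per XPath query are illustrative assumptions; the Keywords value is the Audit Success plus Audit Failure mask of the Security channel.

```python
"""Build and sanity-check an Azure Monitor Data Collection Rule (DCR) that routes
the Windows Security event log to the SecurityEvent table of a Log Analytics
workspace through the Azure Monitor Agent.

Added example, not code from the Microsoft post. Resource names, IDs and the
per-query term cap are illustrative assumptions.
"""
import json
import re

# AMA stream that lands in the SecurityEvent table (Microsoft-Event lands in Event).
SECURITY_STREAM = "Microsoft-SecurityEvent"

# Keywords 0x30000000000000 = Audit Success (0x20000000000000) + Audit Failure
# (0x10000000000000): every audit record written to the Security channel.
ALL_SECURITY_XPATH = "Security!*[System[(band(Keywords,13510798882111488))]]"

# Assumed conservative cap on EventID terms per XPath query; longer lists are split.
MAX_TERMS_PER_QUERY = 20


def security_xpaths(event_ids=None):
    """Return the xPathQueries list for a DCR windowsEventLogs data source.

    With no event_ids every audit record is collected; otherwise only the listed
    Event IDs, split across several queries so no single query grows too long.
    """
    if not event_ids:
        return [ALL_SECURITY_XPATH]
    ids = sorted(set(int(i) for i in event_ids))
    queries = []
    for start in range(0, len(ids), MAX_TERMS_PER_QUERY):
        chunk = ids[start:start + MAX_TERMS_PER_QUERY]
        terms = " or ".join(f"EventID={i}" for i in chunk)
        queries.append(f"Security!*[System[({terms})]]")
    return queries


def build_security_event_dcr(location, workspace_resource_id, event_ids=None):
    """Return the body of a Microsoft.Insights/dataCollectionRules resource."""
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {
                "windowsEventLogs": [
                    {
                        "name": "securityEvents",          # assumed name
                        "streams": [SECURITY_STREAM],
                        "xPathQueries": security_xpaths(event_ids),
                    }
                ]
            },
            "destinations": {
                "logAnalytics": [
                    {
                        "name": "laDestination",           # assumed name
                        "workspaceResourceId": workspace_resource_id,
                    }
                ]
            },
            "dataFlows": [
                {"streams": [SECURITY_STREAM], "destinations": ["laDestination"]}
            ],
        },
    }


def check_security_event_dcr(dcr):
    """Return a list of problems; an empty list means SecurityEvent will be fed."""
    problems = []
    props = dcr.get("properties", {})
    sources = props.get("dataSources", {}).get("windowsEventLogs", [])
    dests = {d["name"] for d in props.get("destinations", {}).get("logAnalytics", [])}

    sec_sources = [s for s in sources if SECURITY_STREAM in s.get("streams", [])]
    if not sec_sources:
        problems.append(f"no windowsEventLogs source emits {SECURITY_STREAM}")
    for s in sec_sources:
        for q in s.get("xPathQueries", []):
            # Every query must address the Security channel, e.g. "Security!*[...]".
            if not re.match(r"^Security!\*", q):
                problems.append(f"query does not target the Security channel: {q}")

    routed = False
    for flow in props.get("dataFlows", []):
        if SECURITY_STREAM in flow.get("streams", []):
            missing = set(flow.get("destinations", [])) - dests
            if missing:
                problems.append(f"dataFlow references unknown destination(s): {sorted(missing)}")
            elif flow.get("destinations"):
                routed = True
    if not routed:
        problems.append(f"no dataFlow routes {SECURITY_STREAM} to a Log Analytics destination")
    return problems


if __name__ == "__main__":
    # Constructed sample workspace ID; replace with your own.
    ws = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
          "/providers/Microsoft.OperationalInsights/workspaces/law-sec")
    dcr = build_security_event_dcr("westeurope", ws, event_ids=[4624, 4625, 4688, 4720, 4732])
    assert check_security_event_dcr(dcr) == []
    print(json.dumps(dcr, indent=2))
```

The printed JSON is the body of a PUT against the dataCollectionRules resource (for example with `az rest --method put` and `?api-version=2022-06-01`, or as an ARM template), after which the rule must be associated with each VM or Arc-enabled server running AMA; nothing is collected until that association exists. Restricting the XPath to the Event IDs you investigate on keeps SecurityEvent volume inside the per-server allowance mentioned above, since anything beyond it is billed as normal Log Analytics ingestion.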