Forum Discussion
adampra86
Aug 23, 2022Copper Contributor
SecurityEvent table gets populated with events altough data collection not configured?
Hi,
I’ve inherited in my new workplace an Azure environment with multiple subscriptions. I’m trying to create an inventory of what is logged and where.
What I’m doing now is to get for each subscription is the auto provisioning status.
The script is simple:
Connect-AzAccount
$azSubs = Get-AzSubscription
# Set array
$Results = @()
foreach($azSub in $azSubs){
$azSub | Set-AzContext
Write-Host "Processing subscription: " $azSub.Name
$autoProvisioningSettings = Get-AzSecurityAutoProvisioningSetting
$SecurityWorkspaceSetting = Get-AzSecurityWorkspaceSetting
$foo = [PSCustomObject]@{
Subscription = $azSub.Name
AutoProvision = $autoProvisioningSettings.AutoProvision
SecurityWorkspaceSetting = $SecurityWorkspaceSetting.WorkspaceId
}
$Results += $foo
}
$Results
AzSecurityAutoProvisioningSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityautoprovisioningsetting?view=azps-8.2.0
Automatic Provisioning Settings let you decide whether you want Azure Security Center to automatically provision a security agent that will be installed on your VMs. The security agent will monitor your VM to create security alerts and monitor the security compliance of the VM.
Get-AzSecurityWorkspaceSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityworkspacesetting?view=azps-8.2.0
This cmdlet lets you discover the configured workspace that will hold the security data that was collected by the security agent that is installed in VMs inside this subscription.
So basically, I’m aiming to get the following details but programmatically rather than clicking 10000 times:
Now, here comes the weird part. Take the two below:
The first, has auto provisioning set to on, a selected workspace, and security events set to common (basically a 1 to 1 with what I can see in the portal):
The second, has also auto provisioning set to on, but no workspace or security events configured:
What I don’t understand why for the second if I browse the Log Analytics in that given subscription I can see the SecurityEvent table ?!
The table description states “security events collected from windows machines by Azure Security Center or Azure Sentinel”. We don’t have Sentinel in use…. What am I missing ??
- Rod_Trent
Microsoft
The table will show up when data exists in it and will remain until the data is retired out based on the configured retention setting. Could it be that it's just data that hasn't expire yet?
Another thing you can do is query the Hearbeat table to see if any agents are actually deployed and sending data.
Heartbeat
| distinct Computer, Category- adampra86Copper Contributor
Rod_Trent Thank you for looking into this !
The events in the SecurityEvent table are actually from today (and older) plus it shows the Category for all the events as "Direct Agent" (I guess it is the MMA agent):
Just had a look at the Heartbeat table and same as above, getting events from today + dcount() returns the same count for VM's as the count in the Defender for Cloud - Auto provisioning view
What's going on ? I really have no explanation for this ....
- Rod_Trent
Microsoft
Add "solutions" to the query to see what else is installed to see if the agent is necessary.
Heartbeat
| distinct Computer, Category, Solutions
The word "security" in the solutions results, means something somewhere is configured to send security events to the workspace.