Forum Discussion

adampra86
Copper Contributor
Aug 23, 2022

SecurityEvent table gets populated with events although data collection not configured?

Hi,

 

I’ve inherited in my new workplace an Azure environment with multiple subscriptions. I’m trying to create an inventory of what is logged and where.

What I’m doing now is getting the auto provisioning status for each subscription.

The script is simple:

 

Connect-AzAccount

$azSubs = Get-AzSubscription

# Set array
$Results = @()

foreach ($azSub in $azSubs) {
    $azSub | Set-AzContext
    Write-Host "Processing subscription: " $azSub.Name

    $autoProvisioningSettings = Get-AzSecurityAutoProvisioningSetting
    $SecurityWorkspaceSetting = Get-AzSecurityWorkspaceSetting

    $foo = [PSCustomObject]@{
        Subscription             = $azSub.Name
        AutoProvision            = $autoProvisioningSettings.AutoProvision
        SecurityWorkspaceSetting = $SecurityWorkspaceSetting.WorkspaceId
    }

    $Results += $foo
}
$Results

 

 

Get-AzSecurityAutoProvisioningSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityautoprovisioningsetting?view=azps-8.2.0

 

Automatic Provisioning Settings let you decide whether you want Azure Security Center to automatically provision a security agent that will be installed on your VMs. The security agent will monitor your VM to create security alerts and monitor the security compliance of the VM.

 

Get-AzSecurityWorkspaceSetting - https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecurityworkspacesetting?view=azps-8.2.0

 

This cmdlet lets you discover the configured workspace that will hold the security data that was collected by the security agent that is installed in VMs inside this subscription.

 

So basically, I’m aiming to get the following details but programmatically rather than clicking 10000 times:

 

Now, here comes the weird part. Take the two below:

 

 

The first has auto provisioning set to on, a selected workspace, and security events set to common (basically a 1 to 1 with what I can see in the portal):

The second also has auto provisioning set to on, but no workspace or security events configured:

 

What I don’t understand is why, for the second one, if I browse Log Analytics in that subscription I can see the SecurityEvent table?!

The table description states “security events collected from windows machines by Azure Security Center or Azure Sentinel”. We don’t have Sentinel in use… What am I missing??

 

 

 

  • The table will show up when data exists in it and will remain until the data is retired out based on the configured retention setting. Could it be that it's just data that hasn't expired yet?

    Another thing you can do is query the Heartbeat table to see if any agents are actually deployed and sending data.

    Heartbeat
    | distinct Computer, Category
    • adampra86
      Copper Contributor

      Rod_Trent Thank you for looking into this !

       

      The events in the SecurityEvent table are actually from today (and older) plus it shows the Category for all the events as "Direct Agent" (I guess it is the MMA agent):

       

      Just had a look at the Heartbeat table and, same as above, I'm getting events from today; plus dcount() returns the same count of VMs as the count in the Defender for Cloud - Auto provisioning view.

       

       

      What's going on? I really have no explanation for this...

       

      • Rod_Trent
        Microsoft
        Add "Solutions" to the query to see what else is installed and to see if the agent is necessary.

        Heartbeat
        | distinct Computer, Category, Solutions

        The word "security" in the Solutions results means something somewhere is configured to send security events to the workspace.
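        As an added example (not code from the thread or from Microsoft), the script below combines the per-subscription inventory from the original post with the two Heartbeat checks from the replies, so that one run answers the question for every Log Analytics workspace: is this the workspace selected in Defender for Cloud, which Security* solutions are enabled on it, how many agents report the Security solution in Heartbeat, and does SecurityEvent actually hold recent rows. The cmdlets are the real ones from Az.Accounts, Az.Security and Az.OperationalInsights; the one-day look-back window, the helper function name and the output columns are this example's own choices.

```powershell
# Added example, not code from the thread. Extends the inventory from the original post with
# the Heartbeat/Solutions checks from the replies, one row per subscription and workspace.
# Cmdlets: Az.Accounts, Az.Security, Az.OperationalInsights. The 1-day look-back, the helper
# name Invoke-WorkspaceQuery and the output columns are assumptions made for this example.
Connect-AzAccount | Out-Null

$LookBackDays = 1

# Latest heartbeat per computer, then count the agents whose Solutions string contains
# "security" (the sign Rod_Trent points at) and collect the agent categories seen.
$heartbeatKql = @"
Heartbeat
| where TimeGenerated > ago(${LookBackDays}d)
| summarize arg_max(TimeGenerated, Category, Solutions) by Computer
| extend ReportsSecurity = Solutions has "security"
| summarize Agents = count(), SecurityAgents = countif(ReportsSecurity),
            Categories = make_set(Category)
"@

# Recent row and host counts in SecurityEvent. If the table does not exist in the
# workspace at all, the query fails, which the helper below turns into an Error field.
$securityEventKql = @"
SecurityEvent
| where TimeGenerated > ago(${LookBackDays}d)
| summarize Rows = count(), Computers = dcount(Computer), Newest = max(TimeGenerated)
"@

function Invoke-WorkspaceQuery {
    param([string]$WorkspaceId, [string]$Query)
    try {
        (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query).Results |
            Select-Object -First 1
    } catch {
        # A missing table surfaces as a query error; record it rather than abort the loop.
        [PSCustomObject]@{ Error = $_.Exception.Message }
    }
}

$Results = foreach ($azSub in Get-AzSubscription) {
    $null = Set-AzContext -SubscriptionObject $azSub
    Write-Host "Processing subscription: $($azSub.Name)"

    $autoProv   = Get-AzSecurityAutoProvisioningSetting
    # Resource ID(s) of the workspace Defender for Cloud is configured to send data to.
    $defenderWs = @((Get-AzSecurityWorkspaceSetting).WorkspaceId)

    foreach ($ws in Get-AzOperationalInsightsWorkspace) {
        # Enabled solutions ("intelligence packs"): Security, SecurityCenterFree,
        # SecurityInsights (Sentinel) all start with "Security".
        $packs = Get-AzOperationalInsightsIntelligencePack `
                    -ResourceGroupName $ws.ResourceGroupName -WorkspaceName $ws.Name
        $securityPacks = ($packs | Where-Object { $_.Enabled -and $_.Name -like 'Security*' }).Name -join ','

        $hb = Invoke-WorkspaceQuery -WorkspaceId $ws.CustomerId -Query $heartbeatKql
        $se = Invoke-WorkspaceQuery -WorkspaceId $ws.CustomerId -Query $securityEventKql
        $seRows = if ($se.Error) { "n/a ($($se.Error))" } else { $se.Rows }

        [PSCustomObject]@{
            Subscription        = $azSub.Name
            AutoProvision       = ($autoProv.AutoProvision -join ',')
            Workspace           = $ws.Name
            IsDefenderWorkspace = $defenderWs -icontains $ws.ResourceId
            SecuritySolutions   = $securityPacks
            Agents              = $hb.Agents
            SecurityAgents      = $hb.SecurityAgents
            AgentCategories     = $hb.Categories
            SecurityEventRows   = $seRows
            SecurityEventHosts  = $se.Computers
            NewestSecurityEvent = $se.Newest
        }
    }
}

$Results | Format-Table -AutoSize
```

        A workspace that is not the Defender-selected one but still shows SecuritySolutions and SecurityAgents greater than zero is exactly the situation described in the question: some agent in that subscription is attached to the workspace with the Security solution enabled, so SecurityEvent keeps filling regardless of what the subscription-level Defender setting says.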
