SecurityEvent table gets populated with events although data collection is not configured?
Rod_Trent Thank you for looking into this!
The events in the SecurityEvent table are actually from today (and older) plus it shows the Category for all the events as "Direct Agent" (I guess it is the MMA agent):
Just had a look at the Heartbeat table and it is the same as above: getting events from today, and dcount() returns the same count for VMs as the count in the Defender for Cloud - Auto provisioning view.
What's going on? I really have no explanation for this...
Heartbeat
| distinct Computer, Category, Solutions
The word "security" in the Solutions results means something somewhere is configured to send security events to the workspace.
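To take the check above one step further, the query below is an added example, not part of the original replies. It lines up each computer's latest Heartbeat record with its SecurityEvent volume, so you can see which agents report a security-related solution and which ones are actually sending events. The 1-day lookback and the output column names are assumptions.

```kusto
// Added example: correlate Heartbeat solutions with SecurityEvent senders.
// Lookback window is an assumption; adjust to your retention and needs.
let lookback = 1d;
// Per-computer SecurityEvent volume in the window.
let senders =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(),
                DistinctEventIDs = dcount(EventID),
                LastEvent = max(TimeGenerated)
        by Computer;
Heartbeat
| where TimeGenerated > ago(lookback)
// Keep only the most recent heartbeat per computer.
| summarize arg_max(TimeGenerated, Category, Solutions) by Computer
// Flag agents whose Solutions list mentions "security".
| extend HasSecuritySolution = Solutions contains "security"
// leftouter keeps computers that heartbeat but send no security events.
| join kind=leftouter senders on Computer
| project Computer,
          Category,
          Solutions,
          HasSecuritySolution,
          Events = coalesce(Events, 0),
          DistinctEventIDs,
          LastEvent
| order by Events desc
```

Computers with HasSecuritySolution set to true and a non-zero Events count are the ones to trace back to whichever workspace or plan setting enabled collection.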
- adampra86, Aug 23, 2022, Copper Contributor
Rod_Trent Please find the data below:
What else could be sending the security event log?
Looking at https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/securityevent solutions list Security and Audit and Microsoft Sentinel?
EDIT:
When I search the Azure Monitor Logs table reference organized by resource type (https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/tables-resourcetype), the SecurityEvent table is listed under the following resource types: Azure Stack HCI, System Center Virtual Machine Manager, Virtual Machine Scale Sets, Virtual machines, VMware. The subscription contains only Virtual machines from the list.
EDIT:
Just discovered that the following is configured on the Log Analytics workspace from within Defender for Cloud:
Is this setting == to the one when configuring auto provisioning? And if yes, why two places to configure it?