Forum Discussion
Adding On-Prem Domain Controller Event Logs
A good way would be to use Azure ATP and connect Sentinel to that solution.
Additionally, you could install the on-prem Log Analytics agent:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-windows-computer
Hi, so you had proposed two solution for this... As we have installed Azure ATP sensor in our DC's, will that be fine to forward all the events to Azure ATP to Sentinel?
Can you please provide me the method which is apart for Log analytics?
Or Log Analytics is the only solution as now?
mayilragavan, AATP won't forward the logs from the machines. Just roll-up alerts from AATP itself. That's why you still have to put the MMA agent on the DC VMs; that will load the raw logs into the workspace.
- Thank you, great ideas. Appreciate the response.
I was just wondering the same thing.
I found a document about setting up the Windows security events connector (https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events) but it didn't say what else needs to be done.
In your Sentinel workspace if you click 'Workspace Settings' there's a "Get started with Log Analytics" section and link "Windows, Linux and other sources" where you can download the agent and get the workspace ID.
I've hit my free tier limit so I can't quite test it yet, but I'll try it later.
