Neil2020
Copper Contributor
Apr 13, 2020

Audit-Failed Events not reaching Workspace

I have a test VM in Azure and one running on my home PC.

Both have the MMA agent and are sending Security Events to Sentinel's Log Analytics Workspace via ASC connector configuration.

Audit-Success events written to the security log on both machines are being sent to the Workspace but not Audit-Failure, e.g. failed logon attempts to either machine.

When I query for that EventID 4625, no results (no syntax errors).

I have tested clearing the Security log on both machines, which produces an event in the workspace, and I have an alert; also, creating a new user and then adding them into the local administrator group has the expected results.

What am I missing regarding Audit-Failed events to have them flow through/from ASC to the Workspace?

Diagnostic settings for the VM in Azure are set as below, although I have "All Events" configured Sentinel side via the connector:

Any guidance would be appreciated before I raise another support ticket.

Thanks,

Neil

  • If you are seeing event 4625 in the Event Viewer on a machine that is sending other events, I recommend that you open a support ticket, Neil2020.

      Neil2020
      Copper Contributor

      YanivSh, see below screens:

      In ASC under Pricing and Settings I have the below options:

      I seem to have 1 machine residing in each:

      Sentinel Workspace configuration below:

      Although, to clarify, they are both appearing in ASC:

      Appreciate the guidance

      Thanks,

      Neil

      • YanivSh
        Microsoft

        Based on your pic, the workspace is not defined to collect security events at all, because it is not on the standard tier (paid).

        Please show how the Sentinel security event collector is defined.

        It must be connected and the log level must be at least Minimal.