Forum Discussion
Audit-Failed Events not reaching Workspace
YanivSh, they are both on standard as per the pic?
Not sure what your second question means, "please show how the sentinel security event collector define?" Pretty sure I showed it as the first pic in my previous post:
Thanks
Neil
Also, for clarity, I am receiving security events from both VMs; I am not getting Audit-Failed events.
Thanks,
Neil
- YanivSh, Apr 13, 2020, Microsoft
If you are seeing event 4625 in the Event Viewer on a machine that is sending other events, I recommend that you open a support ticket, Neil2020.
- Neil2020, Apr 14, 2020, Copper Contributor
Just to complete this thread: when I raised a call with MS, we eventually worked out there was an issue with the KQL query I was using, != instead of using EventID == 4625, so the events were there all along.
Next issue is alerting on similar event IDs, as they seem to be missing the AlertSeverity field.
Thanks,
Neil
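
The filter mix-up described in the last post, as an added example that is not part of the original thread: a KQL check that counts failed logons (4625) per machine next to everything the inverted `!=` filter would return, so it is clear whether the events are in the workspace at all. It assumes the events land in the standard `SecurityEvent` table and uses a 24-hour lookback chosen for illustration.

```kql
// Added example (not from the thread). Assumes the SecurityEvent table
// and a 24h window; adjust both to match the workspace.
SecurityEvent
| where TimeGenerated > ago(24h)
| summarize
    TotalEvents      = count(),
    // Correct filter: failed logons only
    FailedLogons     = countif(EventID == 4625),
    // What the inverted filter (!=) returns: everything except 4625
    EverythingElse   = countif(EventID != 4625),
    // Most recent failed logon received from this machine
    LastFailedLogon  = maxif(TimeGenerated, EventID == 4625)
    by Computer
// Flag machines that send events but no 4625 in the window
| extend FailedLogonsSeen = FailedLogons > 0
| order by Computer asc
```

A machine with `TotalEvents > 0` and `FailedLogonsSeen == false` is sending security events but no Audit-Failed logons in the window, which is the case worth checking against its local Event Viewer.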