Forum Discussion
csmits
Jun 12, 2020 - Copper Contributor
Log Collection using a Log Analytics Agent from a Windows Event Collector
Hi, To collect Security events from multiple windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector usi...
Ofer_Shezaf
Microsoft
Jun 15, 2020
- Support for WEF is in private preview; to explore it and provide feedback, join our Private Previews program.
- A new generation of the Log Analytics agent that will support filtering is also expected to start preview in the next few months.
- srikrame, Oct 28, 2020 - Copper Contributor
Ofer_Shezaf, I can see the option to enable collection for forwarded events in Sentinel once Log Analytics is deployed. Is it still not in GA? If not, is there any ETA on when it is expected to be in GA?
- Ofer_Shezaf, Oct 28, 2020 - Microsoft
srikrame, where can you see this option?
- milkmix_, Oct 20, 2020 - Copper Contributor
Hi Ofer_Shezaf,
Do you have more news about WEF support?
I installed LA agent on a WEC server and I can retrieve events from the WEC host itself but adding other sources (ex: ForwardedEvents, custom channels from the subscriptions, ...) from `Log Analytics workspaces > ... > Advanced Settings > Data > Windows Event Logs > Collect events from the following event logs` is not working. Note that ForwardedEvents is suggested in the dropdown from this blade.
Any suggestions?
Best regards
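Before blaming the Log Analytics agent configuration, it is worth confirming that the collector side is actually healthy. The following PowerShell is an added example, not part of this thread or of any Microsoft tooling: it runs on the WEC host and uses only the built-in `wecutil.exe` and `Get-WinEvent`. It shows whether subscriptions have per-source errors, whether `ForwardedEvents` (or a custom channel) holds any records at all, and lists the exact channel names as the agent would need them typed; the `-MaxEvents` value is an arbitrary choice.

```powershell
# Added example (not from the thread): sanity-check the WEC side before
# troubleshooting why the Log Analytics agent sees nothing in ForwardedEvents.
# Run as an administrator on the collector host.

# 1. The Windows Event Collector service must be running.
Get-Service Wecsvc | Select-Object Name, Status

# 2. List every subscription and its runtime status; per-source delivery
#    errors (unreachable hosts, access denied, certificate issues) show here.
foreach ($sub in (wecutil es)) {
    "=== Subscription: $sub ==="
    wecutil gr $sub
}

# 3. Does the destination channel actually contain records? If RecordCount
#    is 0, no agent setting will produce data downstream.
Get-WinEvent -ListLog ForwardedEvents |
    Select-Object LogName, IsEnabled, RecordCount, LastWriteTime

# 4. Custom subscription channels must exist and be enabled under the exact
#    name entered in the agent settings; list every non-empty channel.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object LogName, RecordCount |
    Sort-Object RecordCount -Descending

# 5. Peek at the newest forwarded events and confirm they come from the
#    expected source machines, not only from the collector itself.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

If step 3 shows a populated channel but the workspace still receives nothing, the problem is on the agent side; if the channel is empty, `wecutil gr` in step 2 usually points at the failing source host.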
- Laurent_Cardon, Oct 23, 2020 - Former Employee
I'm just discovering this topic and the question may be stupid...
Which use cases are we targeting by using a WEF collector to push information to Sentinel? If we have Windows Defender on the client, couldn't we consider that sufficient to guarantee endpoint security?
Laurent
- Ofer_Shezaf, Oct 26, 2020 - Microsoft
Windows events and EDR events overlap but also have distinct value; how much would naturally be specific to the EDR used. There are two primary areas in which Windows events add value not found in EDR:
- Windows events are used for logging events by many subsystems. For example, SQL server and printing would both generate Windows events.
- An EDR does not report many security-related Windows events. For example, an EDR would typically not report on local user management activity.
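To make the second point concrete, here is an added PowerShell example (not from the thread) that pulls local user and group management events out of the `ForwardedEvents` channel on a WEC host. The event IDs are the standard Security-log IDs for account and local-group changes; the one-day lookback window and the `ForwardedEvents` log name are assumptions (use `Security` to run it on a single host instead). Field names are read from the event XML so the script does not depend on positional property indexes, which differ between event IDs.

```powershell
# Added example (not from the thread): surface local user management activity
# that an EDR typically does not report, using the Security-log event IDs.

$userMgmtIds = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
}

# Assumed lookback window and channel; adjust to taste.
$filter = @{
    LogName   = 'ForwardedEvents'
    Id        = [int[]]$userMgmtIds.Keys
    StartTime = (Get-Date).AddDays(-1)
}

function Get-EventDataField {
    # Pull a named <Data> element from the event's EventData section.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LocalUserMgmtActivity {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = $_.MachineName           # originating host, not the collector
                Id     = $_.Id
                Action = $userMgmtIds[$_.Id]
                Actor  = Get-EventDataField $x 'SubjectUserName'
                Target = Get-EventDataField $x 'TargetUserName'   # account, or group for 4732/4733
                Member = Get-EventDataField $x 'MemberSid'        # only set for group membership events
            }
        } | Sort-Object Time
}

Get-LocalUserMgmtActivity | Format-Table -AutoSize
```

Because `MachineName` is preserved on forwarded records, one query on the collector covers every source host in the subscription, which is the practical reason to centralise these events rather than read each workstation's Security log separately.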