Forum Discussion

Copper Contributor

Apr 13, 2020

Solved

Audit-Failed Events not reaching Workspace

I have a test VM in Azure and one running on my home PC, Both have the MMA agent are are sending Security Events to Sentinel's Log Analytics Workspace via ASC connector configuration, Audi-Su...

YanivSh
Apr 13, 2020
if you are seeing the event 4625 in the event viewer from one machine that sending other events i will recommend that you will open support ticket Neil2020

Icon for Microsoft rank

Microsoft

Apr 13, 2020

Neil2020 if the workspace is shared between ASC and sentinel you can configure the log level ( minimal\command\full) only on one side: ASC or sentinel.

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

can you please share print screen from the defintion on the security event connector (on sentinel side)

and the ASC workspace setting (under settings).

see relevant pic from sentinel configuration

Neil2020
Copper Contributor
Apr 13, 2020
YanivSh see below screens:

In ASC under Pricing and Settings I have the below options:

I seem to have 1 machine residing in each:
Sentinel Workspace configuration below:

Although to clarify they are both appearing in ASC:

Appreciate the guidance

Thanks,
Neil
- YanivSh
  Microsoft
  Apr 13, 2020
  based on your pic the workspace is not define to collect security event at-all, because it is not on standard tier (paid).
  
  please show how the sentinel security event collector define?
  
  it must be connected and the log level must be at-least as minimal
  - Neil2020
    Copper Contributor
    Apr 13, 2020
    YanivSh They are both on standard as per the pic?
    
    Not sure what your second question means, "please show how the sentinel security event collector define?" Pretty sure I showed it as first pic in my previous post:
    
    Thanks
    Neil

Resources