Forum Discussion
Neil2020
Apr 13, 2020 Copper Contributor
Audit-Failed Events not reaching Workspace
I have a test VM in Azure and one running on my home PC. Both have the MMA agent and are sending Security Events to Sentinel's Log Analytics Workspace via ASC connector configuration, Audi-Su...
Neil2020
Apr 13, 2020 Copper Contributor
Also, for clarity, I am receiving security events from both VMs; I am not getting Audit-Failed events.
Thanks,
Neil
YanivSh
Microsoft
Apr 13, 2020
If you are seeing event 4625 in the Event Viewer from one machine that is sending other events, I recommend that you open a support ticket. Neil2020
- Neil2020 Apr 14, 2020 Copper Contributor
Just to complete this thread: when I raised a call with MS, we eventually worked out there was an issue with the KQL query I was using, != instead of using EventID == 4625, so the events were there all along.
The next issue is alerting on similar EventIDs, as they seem to be missing the AlertSeverity field.
Thanks,
Neil