Forum Discussion

RaghavJain
Oct 22, 2021
Solved

Security Event connector - Azure Sentinel

Hello, a few days back I enabled the Security Events connector on Sentinel and now I am successfully getting all the security events, but I do not require all security events from the devices because i...
  • Rod_Trent
    Oct 22, 2021

    RaghavJain, there are 2 connectors...


    It sounds like the Legacy Agent is the one that you have connected. To provide filtering and to minimize the data that is sent, you have a couple of options.


    1. Use the Windows Security Events via AMA connector. This requires a different agent and also requires the Azure Arc agent installed. But, once implemented, you can be very specific about what you collect. That said, this is still something you don't want to deploy across all Windows devices - only servers, possibly.


    2. There's also a new option, the On-Prem Security Monitoring for Sentinel (http://aka.ms/SentinelHybrid). This requires an active SCOM installation on-premises. 
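    As an added illustration of option 1 (not part of Rod_Trent's reply, and not an official sample): a Data Collection Rule body for the Windows Security Events via AMA connector that collects only a short, named set of event IDs through XPath filters instead of the whole Security log. The workspace resource ID, location and rule names are placeholders; the event IDs chosen are a constructed example set, not a recommended baseline.

```json
{
  "location": "<region>",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEventsFiltered",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625)]]",
            "Security!*[System[(EventID=4688)]]",
            "Security!*[System[(EventID=4720 or EventID=4732)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ]
      }
    ]
  }
}
```

    Each XPath entry is an allow-list: a Security event reaches the workspace only if it matches at least one query, so ingestion volume is bounded by the IDs you list rather than by how chatty each server is. The rule still has to be associated with the Arc-enabled machines for the filter to take effect.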
