Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server
Microsoft

My previous blog posts discussed collecting events from Azure PaaS resources and from networking and security sources. But what about collecting from servers? Whether deployed in the cloud, on-prem VMs or even physical machines, those are probably still the biggest attack surface and therefore the most common sources of events.

To collect events from servers wherever those are deployed, use the Azure Log Analytics agent (also called "MMA" for Microsoft Monitoring Agent). The agent supports collecting from Windows machines as well as Linux. The agent can be installed manually or provisioned in Azure using Microsoft VM extensions for Windows or Linux.

The agent supports the following Sentinel connectors:

- Microsoft DNS servers
- Windows Firewall
- Windows Security Events

Once you have enabled them through Sentinel's Data Connectors, they will be collected by every agent configured to send data to the workspace.

However, the agent is not limited to this telemetry:

- When installed on a domain controller, the agent collects AD events.
- You can configure the agents to send any Windows event type, not just security events, such as Sysmon. Read the blog post "Using Sysmon in Azure Sentinel" (https://medium.com/@olafhartong/using-sysmon-in-azure-sentinel-883eb6ffc431) to learn how to do that.
- The agent can also collect IIS logs.
- Lastly, it can collect events from files on the server (custom logs).

In addition, you can collect on-prem telemetry without using the agent for the following sources:

- Windows Defender
- Intune

A few more tips:

- You can select the data collection tier to control how many Windows Security events are collected.
- You can send telemetry from an agent to multiple destination workspaces.
- No direct internet access for the agent? Use the Log Analytics gateway.
- And, rest assured, the agent compresses data when sending it to the cloud to reduce the network load.
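The last two tips (a second destination workspace, and routing through a Log Analytics gateway when the server has no direct internet access) can be applied on a Windows server through the agent's AgentConfigManager COM interface. The script below is an added example, not code from the original post; the workspace ID, workspace key and gateway address are placeholders you must replace, and it must run in an elevated PowerShell session on a server where the agent is already installed.

```powershell
# Added example (not from the original post): point an installed Log Analytics
# agent (MMA) at a second workspace and, optionally, at a Log Analytics gateway.
# Placeholders (assumptions, replace with your own values):
#   $secondWorkspaceId / $secondWorkspaceKey - the additional destination workspace
#   $gatewayAddress - host:port of a Log Analytics gateway; leave empty for direct access
$secondWorkspaceId  = '<WORKSPACE-ID-PLACEHOLDER>'
$secondWorkspaceKey = '<WORKSPACE-KEY-PLACEHOLDER>'
$gatewayAddress     = ''   # e.g. 'gateway.example.internal:8080' (placeholder)

# The agent exposes its configuration through this COM object (requires elevation).
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

# Route the agent through the gateway when the server cannot reach the cloud directly.
# The gateway acts as an HTTP proxy for the agent; no credentials are needed here.
if ($gatewayAddress) {
    $mma.SetProxyInfo($gatewayAddress, '', '')
}

# Add the second workspace only if it is not already configured on this agent;
# an agent can report to several workspaces at once, as the tip above notes.
$existingIds = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
if ($existingIds -notcontains $secondWorkspaceId) {
    $mma.AddCloudWorkspace($secondWorkspaceId, $secondWorkspaceKey)
    $mma.ReloadConfiguration()
}

# Verify: list every workspace the agent now reports to, with its connection status.
$mma.GetCloudWorkspaces() | Format-List *
```

After the reload, confirm in each workspace that the server appears in the Heartbeat table before relying on it for detections.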