Missing security events 5139, all other events are there

Hello,
We have a workspace with all our DCs. I am trying to find a specific event ID (5139) which occurs when someone moves an AD object.
At first I tried the simplest query:
SecurityEvent | where EventID == "5139"
But it returned nothing.
I went to a specific DC, moved computers in AD, and I was able to clearly see the events in the Security log on the DC.
After a few minutes, I went back in Log Analytics
and used this query :
SecurityEvent | where Computer == "xxxxxxxxxxx" and EventID == "5139"
xxxxxxxxxxx is the DC.
Again, nothing has been found.
I reduced the time range to 2 minutes before and 2 minutes after the event occurred.
Again nothing.
I removed the event ID from the where clause to see all the events in the 4-minute time lapse, and every event was there except the 5139!!
I tried on another DC and had the exact same problem.
All the events can be found except the 5139.
I can find the events 4624, 4648, 4672, 5137 but no 5139.

What am I missing here ?
How is it possible that a single eventID number cannot be found in Log Analytics ?

Can someone help me please ?
Thanks
Marc
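
The KQL query below is an added diagnostic; it is not part of the original thread. It inventories which Security event IDs a given DC has actually delivered to the workspace and reports which of the expected IDs never arrived, which separates "the agent is not sending this ID" from "my filter is wrong". It assumes the DC name used above (xxxxxxxxxxx) is exactly what appears in the Computer column (often the FQDN) and a one-day lookback; both are assumptions to adjust. Note that SecurityEvent.EventID is an integer column, so the comparison uses a numeric literal rather than a string.

```kusto
// Added example, not from the original post. Assumptions: the DC name as it
// appears in the Computer column, and a one-day lookback; adjust both.
let dc = "xxxxxxxxxxx";
let lookback = 1d;
// Event IDs the thread expects from a DC; 5139 (object moved) is the one missing.
let expected = dynamic([4624, 4648, 4672, 5137, 5139]);
SecurityEvent
| where TimeGenerated >= ago(lookback)
| where Computer == dc
| summarize
    TotalEvents = count(),
    // Distinct event IDs that actually reached the workspace from this DC.
    Seen = make_set(EventID),
    // EventID is an int column: compare against a number, not a string literal.
    Last5139 = maxif(TimeGenerated, EventID == 5139)
    by Computer
// Anything in `expected` that never reached the workspace in the window.
| extend Missing = set_difference(expected, Seen)
| project Computer, TotalEvents, Missing, Last5139
```

If the query returns no row at all, the workspace has no SecurityEvent rows from that Computer value in the window (agent not reporting, or the name differs from what you typed). If it returns a row with 5139 in Missing while the DC's local Security log clearly contains 5139 events, the events are being dropped between the DC and the workspace, which is exactly what a restrictive data collection tier does: the published Common tier list includes 5137 but not 5139, so check the tier lists in the linked documentation and rerun this query after changing the setting as described in the accepted answer.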

5 Replies

Hi,

Which events are collected by Azure Security Center depends on the data collection level you have set. This is described here:

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Probably your ASC workspace is not configured to collect all security events.

Hello, 

Thanks for your answer.

I took a look at your link and if I try to go to the Security Center, everything is greyed out and I have the message Start your free trial.

FYI, the workspace I am in was created months ago when it was still OMS but we never really used the log analytics part.

So I need to ask my admin to buy a supplemental plan to have access to the Azure Security Center ?

Sorry if my question sounds silly.

Marc

best response confirmed by Marc Vanderhaegen
Solution

No problem. Basically you are using ASC already, as that functionality is under ASC now. From the Security Center dashboard, if you open the Security policy blade you will see your subscriptions and your workspaces. Clicking on edit settings for the workspace should take you to the configuration of the workspace for ASC settings. There you can set the workspace data collection settings without having to explicitly enable the ASC Standard tier as well. There are two options there: pricing tier, which when set to Standard basically deploys the Security and Audit solution (as it was in OMS), and data collection, which will allow you to set the settings on event collection. Hope this helps.

Thanks, I will try that

Marc

Thanks again for your help, it is perfectly working now.

Marc