Using Log Analytics workspace to record Windows VM logins.

Hi,

Does anyone know how to use a Log Analytics workspace to record Windows VM logins?

I have connected the workspace to the VM but this didn't

1 Reply

@NathanQGE

Go to Log Analytics and run query

It 'looks' like you don't have the SecurityEvent table in your workspace yet - to connect this you need to point Azure Security Center - Standard (not free) to the workspace you are running that query in.

You can test the syntax in the free workspace (see link above)

https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security

and

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-c...
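
An added example, not part of the thread above: once the SecurityEvent table is populated in the workspace, a query along these lines summarizes Windows logons per VM. The one-day window and the choice of event IDs and logon types are assumptions of this example.

```kusto
// Added example: Windows logon activity per VM from the SecurityEvent table.
// Assumes the table is already being populated in this workspace.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4624, 4625)        // 4624 = successful logon, 4625 = failed logon
| where LogonType in (2, 7, 10, 11)    // interactive, unlock, RemoteInteractive (RDP), cached interactive
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
| summarize Logons    = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Computer, Account, LogonType, IpAddress, Outcome
| order by LastSeen desc
```

If the workspace has no SecurityEvent table yet, the query cannot resolve the table name, which is the situation the reply describes.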