Feb 14 2019 03:09 AM
We have a workspace with all our DCs. I am trying to find a specific EventID (5139), which occurs when someone moves an AD object.
At first I tried the simplest query:
SecurityEvent | where EventID == "5139"
But it returned nothing.
I went to a specific DC, moved computers in AD, and I was able to clearly see the events in the Security log on the DC.
After a few minutes, I went back into Log Analytics and used this query:
SecurityEvent | where Computer == "xxxxxxxxxxx" and EventID == "5139"
xxxxxxxxxxx is the DC.
Again, nothing has been found.
I reduced the time range to 2 minutes before and 2 minutes after the event occurred.
I removed the EventID from the where clause to see all the events in that 4-minute window, and every event was there except the 5139!
I tried on another DC and had the exact same problem.
All the events can be found except the 5139.
I can find the events 4624, 4648, 4672, 5137 but no 5139.
What am I missing here?
How is it possible that a single EventID number cannot be found in Log Analytics?
Can someone help me please?
Feb 14 2019 06:39 AM
What events are collected by Azure Security Center depends on what data collection level you have set. This is described here:
Probably your ASC workspace is not configured to collect all security events.
Feb 14 2019 06:55 AM
Thanks for your answer.
I took a look at your link and if I try to go to the Security Center, everything is greyed out and I have the message Start your free trial.
FYI, the workspace I am in was created months ago when it was still OMS but we never really used the log analytics part.
So do I need to ask my admin to buy a supplemental plan to have access to Azure Security Center?
Sorry if my question sounds silly.
Feb 14 2019 07:00 AM (Solution)
No problem. Basically you are using ASC already, as that functionality is under ASC now. From the Security Center dashboard, if you open the Security policy blade you will see your subscriptions and your workspaces. Clicking on edit settings for the workspace should take you to the configuration of the workspace for ASC settings. There you can set the workspace data collection settings without having to explicitly enable the ASC Standard tier as well. There are two options there: pricing tier - when set to Standard, it basically deploys the Security and Audit solution (as it was in OMS). Data collection will allow you to set the settings on event collection. Hope this helps.
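A quick way to verify the collection gap discussed in this thread, as an added example rather than a query from the original posts: list, per domain controller, which of an expected set of directory-service event IDs have reached the workspace and which have not. The expected ID list and the 24-hour window are assumptions; adjust them to the IDs your data collection tier is supposed to deliver.

```kusto
// Added example (not from the thread): per-DC check of which expected
// Security event IDs are actually present in the workspace.
// The expected list is an assumption; 5139 (directory object moved) is the
// one the original poster could not find.
let expected = dynamic([4624, 4648, 4672, 5136, 5137, 5138, 5139, 5141]);
SecurityEvent
| where TimeGenerated > ago(24h)          // assumed window; narrow it to the test change
| where EventID in (expected)             // EventID is an int column, so use int literals
| summarize seen = make_set(EventID), total = count() by Computer
| extend missing = set_difference(expected, seen)   // IDs never collected for that DC
| project Computer, total, seen, missing
| order by Computer asc
```

A DC that shows 5139 under `missing` while its local Security log contains the event points at the workspace data collection level rather than at auditing on the DC itself.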