Microsoft Tech Community
SOLVED

Audit-Failed Events not reaching Workspace

Copper Contributor

I have a test VM in Azure and one running on my home PC.

Both have the MMA agent and are sending Security Events to Sentinel's Log Analytics Workspace via the ASC connector configuration.

Audit-Success events written to the security log on both machines are being sent to the Workspace but not Audit-Failure, e.g. failed logon attempts to either machine.

When I query for that EventID 4625 I get no results (no syntax errors).

I have tested clearing the Security log on both machines, which produces an event in the workspace and I have an alert; also creating a new user and then adding them into the local Administrators group has the expected results.

What am I missing regarding Audit-Failed events to have them flow through/from ASC to the Workspace?

 

Diagnostic settings for the VM in Azure are set as below, although I have "All Events" configured Sentinel side via the connector:

 

Neil2020_0-1586798868519.png

 

Any guidance would be appreciated before I raise another support ticket,

 

Thanks,

Neil

 
7 Replies

@Neil2020 if the workspace is shared between ASC and Sentinel you can configure the log level (minimal/common/full) only on one side: ASC or Sentinel.

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

Can you please share a print screen of the definition on the security event connector (on the Sentinel side)

and the ASC workspace setting (under Settings).

See the relevant pic from the Sentinel configuration:

 

evetr.GIF

@Yaniv Shasha see below screens:

 

Neil2020_0-1586804098162.png

 

In ASC under Pricing and Settings I have the below options:

Neil2020_2-1586804621460.png
I seem to have 1 machine residing in each:

Neil2020_3-1586804686646.png

Neil2020_4-1586804729974.png

Neil2020_5-1586804757649.png

Sentinel Workspace configuration below:

Neil2020_6-1586804822866.png

Neil2020_7-1586804849589.png

 

Although to clarify they are both appearing in ASC:

Neil2020_8-1586804925997.png

 

Appreciate the guidance

 

Thanks,

Neil
Based on your pic the workspace is not defined to collect security events at all, because it is not on the standard tier (paid).

Please show how the Sentinel security event collector is defined?

It must be connected and the log level must be at least minimal.

@Yaniv Shasha They are both on standard as per the pic?

 

Neil2020_1-1586805937422.png

 

 

Not sure what your second question means, "please show how the Sentinel security event collector is defined?" Pretty sure I showed it as the first pic in my previous post:

 

Neil2020_0-1586805859092.png

Thanks 

Neil
@Yaniv Shasha

 

Also for clarity, I am receiving security events from both VMs; I am not getting Audit-Failed events.

 

Thanks,

Neil

best response confirmed by Neil2020 (Copper Contributor)
Solution

If you are seeing event 4625 in the Event Viewer on a machine that is sending other events, I would recommend that you open a support ticket @Neil2020

@Yaniv Shasha 

 

Just to complete this thread: when I raised a call with MS we eventually worked out there was an issue with the KQL query I was using (!= instead of EventID == 4625), so the events were there all along.

 

Next issue is alerting on similar EventIDs, as they seem to be missing the AlertSeverity field.

 

Thanks,

Neil
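The root cause above was the filter operator, not collection. The following KQL is an added example written for this thread; it is not a query from the original posts or from Microsoft. It assumes the SecurityEvent table populated by the Windows Security Events connector and uses the documented SecurityEvent column names (EventID, Computer, TargetUserName, IpAddress, WorkstationName, LogonType, SubStatus, TimeGenerated). It shows the buggy filter beside the corrected one, a per-machine check that 4625 is actually arriving before a collection ticket is raised, and a threshold query of the kind a scheduled analytics rule would use for failed logons.

```kusto
// Added example for this thread (not from the original posts).
// Assumes the SecurityEvent table fed by the Windows Security Events connector.
// Each numbered query below is run on its own (highlight it and run); the file
// is not a single statement.

// 1. The filter that hid the events: "!=" returns everything EXCEPT 4625, so a
//    query written this way never shows a failed logon even when they are there.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID != 4625   // bug: excludes the very event being searched for
| take 10

// 2. Corrected filter: Audit-Failure logons only.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| project TimeGenerated, Computer, TargetUserName, IpAddress,
          WorkstationName, LogonType, SubStatus
| order by TimeGenerated desc

// 3. Collection check per machine: count successes and failures side by side.
//    A host with successes but zero failures over a week may genuinely have
//    had none; a host with neither is not reporting at all.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4625)
| summarize Successes = countif(EventID == 4624),
            Failures  = countif(EventID == 4625) by Computer

// 4. Detection-style query for a scheduled analytics rule: repeated failures
//    against one account from one source within a 10-minute window.
//    The threshold value is an assumed starting point, not a recommendation
//    from the thread.
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by Computer, TargetUserName, IpAddress, bin(TimeGenerated, 10m)
| where FailedCount >= threshold
```

On the follow-up point about severity: SecurityEvent rows carry no AlertSeverity column. Severity is a property of the analytics rule that runs query 4 and is written to the resulting SecurityAlert record, so it is set when the rule is created rather than read from the event.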
