Log Collection using a Log Analytics Agent from a Windows Event Collector


Hi,

To collect Security events from multiple Windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector using a Sentinel agent? If so, is there an additional way to filter the events forwarded, except for the standard set of options (minimal, full, recommended), for example based on original host?

Thanks in advance!

7 Replies

@csmits:

  • Support for WEF is in private preview. To explore it and provide feedback, join our Private Previews program.
  • A new generation of the Log Analytics agent that will support filtering is also expected to start preview in the next few months.

Hi @Ofer_Shezaf,

Do you have more news about WEF support?

I installed the LA agent on a WEC server and I can retrieve events from the WEC host itself, but adding other sources (ex: ForwardedEvents, custom channels from the subscriptions, ...) from `Log Analytics workspaces > ... > Advanced Settings > Data > Windows Event Logs > Collect events from the following event logs` is not working. Note that ForwardedEvents is suggested in the dropdown from this blade.

Any suggestions?

Best regards

I'm just discovering this topic and the question may be stupid...

Which use cases are we targeting using a WEF collector to push info to Sentinel? In case we have Windows Defender on the client, couldn't we consider this sufficient to guarantee the endpoint security?

Laurent 

Good point, but only works if the customer is using Microsoft EDR or an EDR at all, which is not necessarily the case for all organisations :)

So far, most environments I see where an EDR is deployed are still centralizing "native" events in a SIEM. Other components to take into account:
- auditing requirements for some cases
- possibility that the EDR gets bypassed/disabled (in which case you might still detect some actions from the events)
- you might have an EDR on endpoints but not on servers and you want system+services events from those (not everybody runs its workload in Azure yet ;))

That being said, I agree with strategies like presented here where only curated data from Windows environments is pushed to Sentinel.

Windows Events and EDR events have overlap but also have a distinct value. How much would naturally be specific to the EDR used. There are two primary areas in which Windows Events add value not found in EDR:

  • Windows events are used for logging events by many subsystems. For example, SQL Server and printing would both generate Windows events.
  • An EDR does not report many security-related Windows events. For example, typically, an EDR would not report on local user management activity.
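
Added example, not part of the thread and not Microsoft's code: a check run on the collector itself that counts local user and group management events in `ForwardedEvents` per originating host, using an XPath filter on the event's `Computer` field. The host names are hypothetical placeholders and the event ID list is an assumed selection of Security-channel account management events.

```powershell
# Run on the Windows Event Collector in an elevated PowerShell session.

# Assumed selection of local account / local group management event IDs:
# 4720 created, 4722 enabled, 4724 password reset, 4725 disabled,
# 4726 deleted, 4732 added to local group, 4733 removed from local group.
$ids = 4720, 4722, 4724, 4725, 4726, 4732, 4733

# Hypothetical originating hosts; each must match the name exactly as it
# appears in the Computer field of the forwarded events.
$sourceHosts = 'srv-sql01.example.test', 'srv-print01.example.test'

# Build one XPath expression so filtering happens in the event log service,
# not in the pipeline. Forwarded events keep the source machine in Computer.
$idClause   = ($ids         | ForEach-Object { "EventID=$_" })    -join ' or '
$hostClause = ($sourceHosts | ForEach-Object { "Computer='$_'" }) -join ' or '
$xpath      = "*[System[($idClause) and ($hostClause)]]"

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing
# matches, which here simply means "no such events were forwarded".
$events = Get-WinEvent -LogName 'ForwardedEvents' -FilterXPath $xpath `
              -MaxEvents 5000 -ErrorAction SilentlyContinue

# Summarise by originating host and event ID.
$events |
    Group-Object -Property MachineName, Id -NoElement |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize
```

An empty result for hosts that are known to be subscribed points at the subscription or the forwarding path rather than at the workspace configuration.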

@Ofer_Shezaf, I can see the option to enable collection for forwarded events in Sentinel once Log Analytics is deployed. Is it still not in GA? If not, any ETA on when it's expected to be in GA?