Oct 22 2021 03:16 PM - edited Oct 22 2021 03:17 PM
Hello,
A few days back I enabled the Security Events connector on Sentinel and now I am successfully getting all the security events, but I do not require all security events from the devices because it is just too expensive. Instead I want the security logs for only a few of the event IDs mentioned below:
Lock: 4800
Unlock: 4801
Shutdown, restart event IDs: 1074
Sign-in: 4648, 4624
Sign-out/logoff: 4647
UAC: 4673, 4688
Is there any way by which security events can be collected only for the specific event ID(s) mentioned above?
@Rod_Trent Thanks for your reply to my previous post. It was really helpful! And yes, you rightly said that the cost of collecting all logs is expensive. Looking for some help here as well!
Oct 22 2021 03:45 PM
@RaghavJain There are 2 connectors...
It sounds like the Legacy Agent is the one that you have connected. To provide filtering and to minimize the data that is sent, you have a couple of options.
1. Use the Windows Security Events via AMA connector. This requires a different agent and also requires the Arc agent installed. But, once implemented you can be very specific about what you collect. That said, this is still something you don't want to deploy across all Windows devices - only servers, possibly.
2. There's also a new option, the On-Prem Security Monitoring for Sentinel (http://aka.ms/SentinelHybrid). This requires an active SCOM installation on-premises.
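As an added illustration of option 1 (not part of the original thread and not Microsoft's own sample), here is what the filtering looks like once the AMA connector is in place: the Azure Monitor Agent collects according to a Data Collection Rule (DCR), and the "Custom" option of the Windows Security Events via AMA connector takes XPath queries, so the event IDs from the question can be expressed as one XPath predicate per log channel. The rule name, location and the workspace resource ID are placeholders to replace with your own values. Note that event 1074 (shutdown/restart) is written to the System log, not the Security log, so it is collected through the Microsoft-Event stream and lands in the Event table rather than SecurityEvent; the remaining IDs are Security-log events and go to SecurityEvent via the Microsoft-SecurityEvent stream.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2022-06-01",
  "name": "dcr-sentinel-filtered-security-events",
  "location": "<AZURE_REGION>",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEventsFiltered",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4648 or EventID=4647 or EventID=4800 or EventID=4801 or EventID=4673 or EventID=4688)]]"
          ]
        },
        {
          "name": "systemShutdownEvents",
          "streams": ["Microsoft-Event"],
          "xPathQueries": [
            "System!*[System[(EventID=1074)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-SecurityEvent", "Microsoft-Event"],
        "destinations": ["sentinelWorkspace"]
      }
    ]
  }
}
```

Two things to check before relying on the filter: the agent only forwards what Windows actually audits, so 4800/4801, 4673 and 4688 still need their audit subcategories (Other Logon/Logoff Events, Sensitive Privilege Use, Process Creation) enabled on the hosts; and after the DCR is associated with the machines, a quick `SecurityEvent | summarize count() by EventID` in the workspace confirms that only the listed IDs are arriving, which is also the easiest way to see where the remaining volume (and cost) comes from.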
Oct 26 2021 05:44 AM