SOLVED

Security Event connector - Azure Sentinel

Copper Contributor

Hello,
A few days back I enabled the Security Events connector on Sentinel and now I am successfully getting all the security events, but I do not require all security events from the devices because it is just too expensive. Instead, I want the security logs for a few of the event IDs mentioned below:

Lock: 4800
Unlock: 4801
Shutdown, restart event IDs: 1074
Sign-in: 4648, 4624
Sign-out/logoff: 4647
UAC: 4673, 4688

Is there any way by which security events can be collected for only the specific event IDs mentioned above?

@Rod_Trent Thanks for your reply to my previous post. It was really helpful! And yes, you rightly said that collecting logs for everything is expensive. Looking for some help here as well!


2 Replies
best response confirmed by RaghavJain (Copper Contributor)
Solution

@RaghavJain There are 2 connectors...

It sounds like the Legacy Agent is the one that you have connected. To provide filtering and to minimize the data that is sent, you have a couple options.

1. Use the Windows Security Events via AMA connector. This requires a different agent and also requires the Arc agent installed. But, once implemented, you can be very specific about what you collect. That said, this is still something you don't want to deploy across all Windows devices - only servers, possibly.

2. There's also a new option, the On-Prem Security Monitoring for Sentinel (http://aka.ms/SentinelHybrid). This requires an active SCOM installation on-premises.
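
The per-event-ID filtering the AMA connector allows is done with XPath queries in a Data Collection Rule (DCR). The following is an added example (not code from the thread or from Microsoft) that builds the `dataSources.windowsEventLogs` fragment of such a DCR for exactly the event IDs listed in the question, and parses the IDs back out as a pre-deployment check. The channel-to-stream mapping is an assumption made here; shutdown/restart event 1074 is recorded in the System log rather than the Security log, so it gets its own query.

```python
import json
import re

# Event IDs from the question, grouped by the channel that actually records
# them. 1074 is written to the System log by User32, not the Security log,
# so it needs a separate query and lands in the Event table, not SecurityEvent.
# 4800/4801 and 4688 only appear when the matching audit subcategories
# ("Other Logon/Logoff Events", "Process Creation") are enabled on the device.
REQUESTED_EVENTS = {
    "Security": [4800, 4801, 4648, 4624, 4647, 4673, 4688],
    "System": [1074],
}

# Assumed stream per channel: Microsoft-SecurityEvent feeds the SecurityEvent
# table used by the Sentinel connector; Microsoft-Event feeds the Event table.
STREAM_FOR_CHANNEL = {"Security": "Microsoft-SecurityEvent", "System": "Microsoft-Event"}


def build_xpath_query(channel, event_ids):
    """Build one XPath query in the form a DCR's xPathQueries list expects:
    "<Channel>!*[System[(EventID=a or EventID=b)]]"."""
    predicate = " or ".join(f"EventID={i}" for i in sorted(set(event_ids)))
    return f"{channel}!*[System[({predicate})]]"


def build_dcr_data_sources(events_by_channel):
    """Assemble the dataSources.windowsEventLogs block of a DCR, one entry per
    channel so each entry can target the right stream/table."""
    entries = []
    for channel, ids in events_by_channel.items():
        if not ids:
            continue
        entries.append({
            "name": f"{channel.lower()}EventIds",
            "streams": [STREAM_FOR_CHANNEL.get(channel, "Microsoft-Event")],
            "xPathQueries": [build_xpath_query(channel, ids)],
        })
    return {"dataSources": {"windowsEventLogs": entries}}


def event_ids_in_query(query):
    """Parse the EventID values back out of a query: a quick check that the
    rule will collect exactly the IDs intended and nothing else."""
    return sorted(int(m) for m in re.findall(r"EventID=(\d+)", query))


if __name__ == "__main__":
    print(json.dumps(build_dcr_data_sources(REQUESTED_EVENTS), indent=2))
```

The printed fragment still needs the DCR's `destinations` and `dataFlows` sections before it can be deployed.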

Thank you for the detailed information. My main goal is to get those events from Azure AD-joined Windows 10 laptops. This configuration has worked well for Azure VMs. Is my only option for getting those logs from these Azure AD Windows 10 devices to use Azure Arc with AMA?