cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Setting the security event option - 'Common' events

challengelogic
Copper Contributor

‎Feb 13 2021 10:51 AM

‎Feb 13 2021 10:51 AM

Setting the security event option - 'Common' events

Hello community

 

I wonder if you can help me out? I am trying to find where to set the security event option for Windows events (All, Common, Minimal, None). The documentation states: Go to Security Center's menu in the Azure portal, select Pricing & settings, on Data Collection set the event level you need.

 

However when I do that all my options are greyed out.

 

There is a message that reads "Security Events tier configuration is shared with Azure Sentinel and was already configured there to 'Common' for the selected workspace. Please change the tier in Azure Sentinel and it will apply for Azure Security Center as well. Please note that Security events will be collected once and used in both solutions."

 

When I go to my Azure Sentinel workspace I cannot find where these settings are located.

 

Thanks in advance.

 

Preview file
68 KB
10.9K Views
0 Likes
6 Replies
Reply
6 Replies
ibnmbodji

‎Feb 13 2021 11:20 AM - edited ‎Feb 13 2021 11:21 AM

‎Feb 13 2021 11:20 AM - edited ‎Feb 13 2021 11:21 AM

Re: Setting the security event option - 'Common' events

@challengelogic 

 

Hi the options are greyed out because of this : 

Users of Azure Sentinel: note that security events collection within the context of a single workspace can be configured from either Azure Security Center or Azure Sentinel, but not both.

 

If you want to stick to Azure Security Center you have to do the following :

 

Disable Security Events collection in Azure Security Center (by setting Windows security events to None in the configuration of your Log Analytics agent). Then add the Security Events connector in Azure Sentinel. As with the first option, you will be able to query and analyze events in both Azure Sentinel and Azure Defender/ASC, but you will now be able to monitor the connector's connectivity status or change its configuration in - and only in - Azure Sentinel

 

Doc Ref : https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

1 Like
Reply
challengelogic

‎Feb 14 2021 02:23 AM - edited ‎Feb 14 2021 02:28 AM

‎Feb 14 2021 02:23 AM - edited ‎Feb 14 2021 02:28 AM

Re: Setting the security event option - 'Common' events

@ibnmbodji 

 

Thank you for taking the time to reply to my question, appreciated!

 

I understand that those security event settings need to be either ASC or Sentinel and not both. 

 

How do we instruct the client agents to use Common or All events? This is the part I'm not understanding as I cannot find where we make that 'choice' from the Sentinel blade / config pages.

 

If I want my client Agents to use 'common' (over all, minimal or none) - where is this defined? And how do I determine what the configuration is set to (for example, where I inherit an existing Sentinel deployment etc)

 

thank you.

0 Likes
Reply
ibnmbodji

‎Feb 14 2021 03:44 AM - edited ‎Feb 14 2021 03:53 AM

‎Feb 14 2021 03:44 AM - edited ‎Feb 14 2021 03:53 AM

Re: Setting the security event option - 'Common' events

@challengelogic 

Hi it is defined in Security Center  so you need to  disable it from security center to be able to use it in Sentinel  . 

 Disable  Security event collecton  in Azure Security Center

 

  1. From Security Center's menu, select Pricing & settings.
  2. Select the relevant subscription.
  3. In the Auto provisioning page, set the agent's status to On.
  4. From the configuration options pane, define the workspace to use.

Ref :  Auto-deploy agents for Azure Security Center | Microsoft Docs

 

 

Preview file
34 KB
0 Likes
Reply
best response confirmed by challengelogic (Copper Contributor)
ibnmbodji

‎Feb 14 2021 03:55 AM

‎Feb 14 2021 03:55 AM

Solution

Re: Setting the security event option - 'Common' events

@challengelogic 

Set up the Windows Security Events connector

To collect your Windows security events in Azure Sentinel:

  1. From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Security Events, and then on the Open connector page button on the lower right. Then follow the on-screen instructions under the Instructions tab, as described through the rest of this section.
  2. Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.
  3. Download and install the Log Analytics agent (also known as the Microsoft Monitoring Agent or MMA) on the machines for which you want to stream security events into Azure Sentinel.For Azure Virtual Machines:
    1. Click on Install agent on Azure Windows Virtual Machine, and then on the link that appears below.
    2. For each virtual machine that you want to connect, click on its name in the list that appears on the right, and then click Connect.
    For non-Azure Windows machines (physical, virtual on-prem, or virtual in another cloud):
    1. Click on Install agent on non-Azure Windows Machine, and then on the link that appears below.
    2. Click on the appropriate download links that appear on the right, under Windows Computers.
    3. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the Workspace ID and Keys that appear below the download links mentioned above.

    4. For additional installation options and further details, see the Log Analytics agent documentation.

    5. Select which event set (All, Common, or Minimal) you want to stream.

    6. Click Update.

    7. To use the relevant schema in Log Analytics for Windows security events, type SecurityEvent in the query window.

      Validate Connectivity

      It may take around 20 minutes until your logs start to appear in Log Analytics.

Full documentation :  Connect Windows security event data to Azure Sentinel | Microsoft Docs

0 Likes
Reply
challengelogic

‎Feb 14 2021 06:44 AM

‎Feb 14 2021 06:44 AM

Re: Setting the security event option - 'Common' events

@ibnmbodji - Again, thank you for the clarification around this. Many thanks!

1 Like
Reply
ibnmbodji

‎Feb 14 2021 06:47 AM

‎Feb 14 2021 06:47 AM

Re: Setting the security event option - 'Common' events

@challengelogic 

 

You're welcome .Happy to see that it's helpful 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by challengelogic (Copper Contributor)
ibnmbodji

‎Feb 14 2021 03:55 AM

‎Feb 14 2021 03:55 AM

Solution

Re: Setting the security event option - 'Common' events

@challengelogic 

Set up the Windows Security Events connector

To collect your Windows security events in Azure Sentinel:

  1. From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Security Events, and then on the Open connector page button on the lower right. Then follow the on-screen instructions under the Instructions tab, as described through the rest of this section.
  2. Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.
  3. Download and install the Log Analytics agent (also known as the Microsoft Monitoring Agent or MMA) on the machines for which you want to stream security events into Azure Sentinel.For Azure Virtual Machines:
    1. Click on Install agent on Azure Windows Virtual Machine, and then on the link that appears below.
    2. For each virtual machine that you want to connect, click on its name in the list that appears on the right, and then click Connect.
    For non-Azure Windows machines (physical, virtual on-prem, or virtual in another cloud):
    1. Click on Install agent on non-Azure Windows Machine, and then on the link that appears below.
    2. Click on the appropriate download links that appear on the right, under Windows Computers.
    3. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the Workspace ID and Keys that appear below the download links mentioned above.

    4. For additional installation options and further details, see the Log Analytics agent documentation.

    5. Select which event set (All, Common, or Minimal) you want to stream.

    6. Click Update.

    7. To use the relevant schema in Log Analytics for Windows security events, type SecurityEvent in the query window.

      Validate Connectivity

      It may take around 20 minutes until your logs start to appear in Log Analytics.

Full documentation :  Connect Windows security event data to Azure Sentinel | Microsoft Docs

View solution in original post

0 Likes
Reply