You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/connect-windows-security-events.md
+47-28Lines changed: 47 additions & 28 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,51 +14,70 @@ ms.devlang: na
14
14
ms.topic: conceptual
15
15
ms.tgt_pltfrm: na
16
16
ms.workload: na
17
-
ms.date: 09/23/2019
17
+
ms.date: 03/22/2020
18
18
ms.author: yelevin
19
19
20
20
---
21
21
# Connect Windows security events
22
22
23
+
The Security Events connector lets you stream all security events from your Windows systems (servers and workstations, physical and virtual) to your Azure Sentinel workspace. This enables you to view Windows security events in your dashboards, to use them in creating custom alerts, and to rely on them to improve your investigations, giving you more insight into your organization's network and expanding your security operations capabilities. You can select which events to stream from among the following sets: <aname="event-sets"></a>
23
24
25
+
-**All events** - All Windows security and AppLocker events.
26
+
-**Common** - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices.
24
27
25
-
You can stream all security events from the Windows Servers connected to your Azure Sentinel workspace. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. You can select which events to stream:
28
+
The **Common** event set may contain some types of events that aren't so common. This is because the main point of the **Common** set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.
26
29
27
-
-**All events** - All Windows security and AppLocker events.
28
-
-**Common** - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, this set contains both user sign in and user sign out events (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.
30
+
-**Minimal** - A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence. For example, it contains successful and failed user logons (event IDs 4624, 4625), but it doesn't contain sign-out information (4634) which, while important for auditing, is not meaningful for breach detection and has relatively high volume. Most of the data volume of this set is comprised of sign-in events and process creation events (event ID 4688).
31
+
32
+
-**None** - No security or AppLocker events. (This setting is used to disable the connector.)
29
33
30
-
Events that have very low volume were included in the Common set as the main motivation to choose it over all the events is to reduce the volume and not to filter out specific events.
31
-
-**Minimal** - A small set of events that might indicate potential threats. By enabling this option, you won't be able to have a full audit trail. This set covers only events that might indicate a successful breach and important events that have a very low volume. For example, this set contains user successful and failed login (event IDs 4624, 4625), but it doesn’t contain sign out information which is important for auditing but not meaningful for detection and has relatively high volume. Most of the data volume of this set is the sign in events and process creation event (event ID 4688).
32
-
-**None** - No security or AppLocker events.
34
+
The following list provides a complete breakdown of the Security and App Locker event IDs for each set:
> - Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.
37
-
> - If Azure Security Center and Azure Sentinel are running on the same workspace, the Security Events connector can only be connected from either Azure Security Center or Azure Sentinel. To manage these events from Azure Sentinel, we recommend that you disconnect it from Azure Security Center and connect it only to Azure Sentinel.
42
+
> Security Events collection within the context of a single workspace can be configured from either Azure Security Center or Azure Sentinel, but not both. If you are onboarding Azure Sentinel in a workspace that is already running Azure Security Center, and is set to collect Security Events, you have two options:
43
+
> - Leave the Security Events collection in Azure Security Center as is. You will be able to query and analyze these events in Azure Sentinel as well as in Azure Security Center. You will not, however, be able to monitor the connector's connectivity status or change its configuration in Azure Sentinel. If this is important to you, consider the second option.
44
+
>
45
+
> -[Disable Security Events collection](../security-center/security-center-enable-data-collection.md) in Azure Security Center, and only then add the Security Events connector in Azure Sentinel. As with the first option, you will be able to query and analyze events in both Azure Sentinel and Azure Security Center, but you will now be able to monitor the connector's connectivity status or change its configuration in - and only in - Azure Sentinel.
46
+
47
+
## Set up the Windows Security Events connector
48
+
49
+
To collect your Windows security events in Azure Sentinel:
38
50
51
+
1. From the Azure Sentinel navigation menu, select **Data connectors**. From the list of connectors, click on **Security Events**, and then on the **Open connector page** button on the lower right. Then follow the on-screen instructions under the **Instructions** tab, as described through the rest of this section.
39
52
40
-
The following list provides a complete breakdown of the Security and App Locker event IDs for each set:
53
+
1. Verify that you have the appropriate permissions as described under **Prerequisites**.
1. Download and install the [Log Analytics agent](../azure-monitor/platform/log-analytics-agent.md) (also known as the Microsoft Monitoring Agent or MMA) on the machines for which you want to stream security events into Azure Sentinel.
53
56
54
-
## Set up the Windows security events connector
57
+
For Azure Virtual Machines:
58
+
59
+
1. Click on **Install agent on Azure Windows Virtual Machine**, and then on the link that appears below.
60
+
1. For each virtual machine that you want to connect, click on its name in the list that appears on the right, and then click **Connect**.
55
61
56
-
To fully integrate your Windows security events with Azure Sentinel:
62
+
For non-Azure Windows machines (physical, virtual on-prem, or virtual in another cloud):
63
+
64
+
1. Click on **Install agent on non-Azure Windows Machine**, and then on the link that appears below.
65
+
1. Click on the appropriate download links that appear on the right, under **Windows Computers**.
66
+
1. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the **Workspace ID and Keys** that appear below the download links mentioned above.
67
+
68
+
> [!NOTE]
69
+
>
70
+
> To allow Windows systems without the necessary internet connectivity to still stream events to Azure Sentinel, download and install the **OMS Gateway** on a separate machine, using the link on the lower right, to act as a proxy. You will still need to install the Log Analytics agent on each Windows system whose events you want to collect.
71
+
>
72
+
> For more information on this scenario, see the [**Log Analytics gateway** documentation](../azure-monitor/platform/gateway.md).
73
+
74
+
For additional installation options and further details, see the [**Log Analytics agent** documentation](../azure-monitor/platform/agent-windows.md).
75
+
76
+
1. Select which event set ([All, Common, or Minimal](#event-sets)) you want to stream.
57
77
58
-
1. In the Azure Sentinel portal, select **Data connectors** and then click on the **Security Events** tile.
59
-
1. Select which data types you want to stream.
60
78
1. Click **Update**.
61
-
6. To use the relevant schema in Log Analytics for the Windows security events, search for **SecurityEvent**.
79
+
80
+
1. To use the relevant schema in Log Analytics for Windows security events, type `SecurityEvent` in the query window.
62
81
63
82
## Validate connectivity
64
83
@@ -69,5 +88,5 @@ It may take around 20 minutes until your logs start to appear in Log Analytics.
69
88
## Next steps
70
89
In this document, you learned how to connect Windows security events to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
71
90
- Learn how to [get visibility into your data, and potential threats](quickstart-get-visibility.md).
72
-
- Get started [detecting threats with Azure Sentinel](tutorial-detect-threats-built-in.md).
91
+
- Get started detecting threats with Azure Sentinel, using [built-in](tutorial-detect-threats-built-in.md) or [custom](tutorial-detect-threats-custom.md) rules.
0 commit comments