Commit e905a5f

Last edits before publish
1 parent de19d77 commit e905a5f

File tree

1 file changed

+7
-7
lines changed


articles/sentinel/connect-windows-security-events.md

Lines changed: 7 additions & 7 deletions
@@ -20,20 +20,20 @@ ms.author: yelevin
2020
---
2121
# Connect Windows security events
2222

23-
The Security Events connector lets you stream all security events from your Windows systems (servers and workstations, physical and virtual) to your Azure Sentinel workspace. This enables you to view Windows security events in your dashboards, to use them in creating custom alerts, and to rely on them to improve your investigations, giving you more insight into your organization's network and expanding your security operations capabilities. You can select, from among the following sets of events, which events to stream:
23+
The Security Events connector lets you stream all security events from your Windows systems (servers and workstations, physical and virtual) to your Azure Sentinel workspace. This enables you to view Windows security events in your dashboards, to use them in creating custom alerts, and to rely on them to improve your investigations, giving you more insight into your organization's network and expanding your security operations capabilities. You can select which events to stream from among the following sets: <a name="event-sets"></a>
2424

2525
- **All events** - All Windows security and AppLocker events.
26-
- **Common** - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.
26+
- **Common** - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices.
2727

28-
Events that typically have very low rates of occurrence were nevertheless included in the **Common** set, as the main motivation to choose it over the **All events** set is the reduction of the volume of events, as opposed to the highlighting of specific events.
28+
The **Common** event set may contain some types of events that aren't so common. This is because the main point of the **Common** set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.
2929

3030
- **Minimal** - A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence. For example, it contains successful and failed user logons (event IDs 4624, 4625), but it doesn't contain sign-out information (4634) which, while important for auditing, is not meaningful for breach detection and has relatively high volume. Most of the data volume of this set is comprised of sign-in events and process creation events (event ID 4688).
3131

3232
- **None** - No security or AppLocker events. (This setting is used to disable the connector.)
3333

3434
The following list provides a complete breakdown of the Security and App Locker event IDs for each set:
3535

36-
| Event set | Collected event indicators |
36+
| Event set | Collected event IDs |
3737
| --- | --- |
3838
| **Minimal** | 1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222 |
3939
| **Common** | 1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004 |
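Review bot: the **Common** row of the event-ID table at the end of this hunk is not in numeric order (4688 sits between 4667 and 4670, and 4733 comes before 4732), which makes it hard for a reader to check whether a given ID is collected; sort the row numerically. In the same region, the unchanged line introducing the table says "Security and App Locker event IDs" while the bullet items above use "AppLocker"; make the spelling consistent. Finally, the rewritten **Common** bullet replaces "events that are recommended by industry organizations" with "in line with accepted best practices", which is vaguer; if a source for the recommended set exists, link it so readers can see why the low-volume events are included.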
@@ -48,7 +48,7 @@ The Security Events connector lets you stream all security events from your Wind
4848

4949
To collect your Windows security events in Azure Sentinel:
5050

51-
1. From the Azure Sentinel navigation menu, select **Data connectors**. From the list of connectors, click on **Security Events**, and then on the **Open connector page** button on the lower right. Then follow the on-screen instructions under the **Instructions** tab:
51+
1. From the Azure Sentinel navigation menu, select **Data connectors**. From the list of connectors, click on **Security Events**, and then on the **Open connector page** button on the lower right. Then follow the on-screen instructions under the **Instructions** tab, as described through the rest of this section.
5252

5353
1. Verify that you have the appropriate permissions as described under **Prerequisites**.
5454

@@ -63,7 +63,7 @@ To collect your Windows security events in Azure Sentinel:
6363

6464
1. Click on **Install agent on non-Azure Windows Machine**, and then on the link that appears below.
6565
1. Click on the appropriate download links that appear on the right, under **Windows Computers**.
66-
1. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the **Workspace ID and Keys** that appear below the download links from step b.
66+
1. Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the **Workspace ID and Keys** that appear below the download links mentioned above.
6767

6868
> [!NOTE]
6969
>
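Review bot: replacing "from step b" with "mentioned above" in the install-agent step removes the broken reference but leaves an ambiguous one, since two sets of links appear above it (the link under **Install agent on non-Azure Windows Machine** and the download links under **Windows Computers**); say "below the download links under **Windows Computers**" so the reader knows exactly where the **Workspace ID and Keys** are shown.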
@@ -73,7 +73,7 @@ To collect your Windows security events in Azure Sentinel:
7373
7474
For additional installation options and further details, see the [**Log Analytics agent** documentation](../azure-monitor/platform/agent-windows).
7575

76-
1. Select which event set (All, Common, or Minimal) you want to stream. See above for a description of each.
76+
1. Select which event set ([All, Common, or Minimal](#event-sets)) you want to stream.
7777

7878
1. Click **Update**.
7979

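Review bot: the new link `[All, Common, or Minimal](#event-sets)` depends on the `<a name="event-sets"></a>` anchor added at the end of the intro paragraph in the first hunk, so the two hunks must land together; also, the option list here omits **None**, which the event-set list above defines as the way to disable the connector, so either mention that choosing **None** disables the connector or state that this step covers only the streaming sets.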