File: learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/includes/2b-connect-windows-hosts.md
Lines changed: 13 additions & 10 deletions
@@ -1,16 +1,17 @@
1
-
The *Windows Security Events via AMA* connector lets you stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. These events give you more insight into your organization’s network and improves your security operation capabilities.
1
+
The *Windows Security Events via AMA* connector lets you stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. These events give you more insight into your organization’s network and improve your security operation capabilities.
2
2
3
3
- All Security Events - All Windows security and AppLocker events.
4
4
5
5
- Common - A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices.
6
6
7
-
- The Common event set may contain some types of events that aren't so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level while still maintaining full audit trail capability.
7
+
- The Common event set can contain some types of events that aren't so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level while still maintaining full audit trail capability.
8
8
9
9
- Minimal - A small set of events that might indicate potential threats. This set doesn't contain a full audit trail. It covers only events that might indicate a successful breach and other significant events with low rates of occurrence. For example, it contains successful and failed user logons (event IDs 4624, 4625). Still, it doesn't contain sign-out information (4634), which, while important for auditing, isn't meaningful for breach detection and has a relatively high volume. Most of this set's data volume comprises sign-in events and process creation events (event ID 4688).
10
10
11
11
- Custom - Custom allows you to specify other logs or to filter events using XPath queries.
12
12
13
-
>**Note:** Query the *SecurityEvents* table in Microsoft Sentinel *Logs* to see the events collected by the connector.
13
+
> [!NOTE]
14
+
> Query the *SecurityEvents* table in Microsoft Sentinel *Logs* to see the events collected by the connector.
14
15
15
16
- The *Windows Security Events via AMA* connector uses Data Collection Rules (DCRs) to define the data to collect, and installs the Azure Monitor Agent (AMA) extension on the selected machines.
16
17
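Review bot: in the unchanged context of this hunk, the Common set is described with "user sign-in and user sign-out events (event IDs 4624, 4634)" while the Minimal set calls the same 4624 event "successful and failed user logons (event IDs 4624, 4625)"; since this hunk already edits the wording of the Common bullet, aligning both bullets on "sign-in" would save readers from wondering whether "logon" and "sign-in" refer to different events. The grammar fix ("improve your security operation capabilities") and the move to the `> [!NOTE]` alert syntax look correct.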
@@ -32,11 +33,12 @@ To view the connector page:
32
33
33
34
1. Enter a *Rule name*, select the appropriate *Subscription* and *Resource group* where the data collection rule (DCR) will be created.
34
35
35
-
1.vSelect**Next: Resources**.
36
+
1. Select**Next: Resources**.
36
37
37
38
1. Expand your *Subscription* under *Scope* on the *Resources* tab.
38
39
39
-
>**Hint:** You can expand the whole *Scope* hierarchy by selecting the ">" before the *Scope* column.
40
+
> [!TIP]
41
+
> You can expand the whole *Scope* hierarchy by selecting the ">" before the *Scope* column.
40
42
41
43
1. Expand the resource group, and then select Azure virtual machines.
42
44
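Review bot: the stray `v` in `1.vSelect**Next: Resources**.` is removed, but the replacement line `1. Select**Next: Resources**.` still has no space between "Select" and the bold text, so it renders as "SelectNext: Resources"; it should read `1. Select **Next: Resources**.` The `> [!TIP]` conversion in the same hunk is fine.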
@@ -54,9 +56,8 @@ To view the connector page:
54
56
55
57
In this task, you add an Azure Arc connected, non-Azure Windows virtual machine to Microsoft Sentinel.
56
58
57
-
>**Note:** The *Windows Security Events via AMA* data connector requires Azure Arc for non-Azure devices.
58
-
59
-
1. Make sure you are in the *Windows Security Events via AMA* data connector configuration in your Microsoft Sentinel workspace.
59
+
> [!NOTE]
60
+
> The *Windows Security Events via AMA* data connector requires Azure Arc for non-Azure devices.
60
61
61
62
To view the connector page:
62
63
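Review bot: the step `1. Make sure you are in the *Windows Security Events via AMA* data connector configuration in your Microsoft Sentinel workspace.` is deleted in this hunk with no replacement, while the note above it and the `To view the connector page:` heading below it are kept. If the intent was only to convert the note to `> [!NOTE]` syntax, this deletion looks accidental and the step should be restored; if it was deliberate, the reason it is no longer needed should be stated, because the later steps in this procedure assume the reader is already on that connector page.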
@@ -72,11 +73,13 @@ To view the connector page:
72
73
73
74
1. Expand your *Subscription* under *Scope* on the *Resources* tab.
74
75
75
-
>**Hint:** You can expand the whole *Scope* hierarchy by selecting the ">" before the *Scope* column.
76
+
> [!TIP]
77
+
> You can expand the whole *Scope* hierarchy by selecting the ">" before the *Scope* column.
76
78
77
79
1. Expand the resource group, and then select Azure virtual machines.
78
80
79
-
>**Important:** If you do not see any non-Azure Windows machines, open *Azure Arc* to verify the machines are connected to Azure Arc.
81
+
> [!IMPORTANT]
82
+
> If you don't see any non-Azure Windows machines, open *Azure Arc* to verify the machines are connected to Azure Arc.
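Review bot: the `> [!TIP]` block introduced here is identical, word for word, to the one added in the Azure VM procedure earlier in this file (after the `Expand your *Subscription* under *Scope*` step), and the surrounding steps are the same as well. Since this file is already an include, factoring the shared steps and tips into their own include fragment would keep the two procedures from drifting apart in edits like this one. The `[!IMPORTANT]` conversion and the "do not" to "don't" change are consistent with the contractions already used elsewhere in the file.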