Microsoft Active-Directory Domain Controllers Security Event Logs connector for Microsoft Sentinel
[Option 3 & 4] - Using Azure Monitor Agent - You can stream part or all of the Domain Controllers' Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts and improve investigation.
This is autogenerated content. For changes, contact the solution provider.
To integrate with Microsoft Active-Directory Domain Controllers Security Event Logs make sure you have:
Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended. Learn more
NOTE: Detailed documentation on the installation procedure and usage can be found here
Vendor installation instructions
Note
This solution is based on options. This lets you choose which data will be ingested, as some options can generate a very high volume of data. Depending on what you want to collect and track in your Workbooks, Analytics Rules, and Hunting capabilities, you choose the option(s) to deploy. Each option is independent of the others. To learn more about each option: 'Microsoft Exchange Security' wiki
This data connector covers Options 3 and 4 of the wiki.
Download and install the agents needed to collect logs for Microsoft Sentinel
The type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers, or all Domain Controllers) depends on the option you want to deploy.
Security logs of Domain Controllers
Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select the DCs on the same site as the Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Learn about the pre-built sets of Windows security events that you can collect and stream from your Windows systems to your Microsoft Sentinel workspace.
Learn about supported data connectors, like Microsoft Defender XDR (formerly Microsoft 365 Defender), Microsoft 365 and Office 365, Microsoft Entra ID, ATP, and Defender for Cloud Apps to Microsoft Sentinel.