Digest Sysmon Logs in Sentinel with Azure Arc

Sean Kuchle 41 Reputation points
2023-03-03T17:43:46.18+00:00

I've got some new servers with Server 2022. I've got Azure Arc set up and they are receiving all security logs via Windows Security Events via AMA. I would also like to send the Sysmon logs to Sentinel. I've done this in the past using the legacy agent and it seems like the logs end up in the LogManagement Events table. For the new servers I added a rule to the Windows Security Events via AMA connector to collect "Microsoft-Windows-Sysmon/Operational!*". This seems to pull in the events, but they are going to the Sentinel SecurityEvent table. I'm afraid this will throw off some of the normalization routines, as they are looking in the Events table.

I've tried changing the resource group on the rule to Sentinel and "LogAnalyticsDefaultResources" but it does not seem to make a difference. (Does this matter for anything?)

My question is: am I setting up the Sysmon collection correctly? I could not find any really good directions on how to do this. And if the SecurityEvent table is where the data goes now, would I just correct the functions to look there now? I guess this could be a hassle, as I would still need to look in the old location as most are still there.

Thanks for your help!

Microsoft Security | Microsoft Sentinel

4 answers

  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2023-03-03T18:13:08.48+00:00

    Hi Sean,

    I can't say I've tried sysmon with AMA yet but everything you're doing sounds like you're doing it right.

    I see you've figured out the right xpath filter to use in your data collection rule.

    I haven't heard that AMA allows you to change which table your data ends up in so your observation is interesting.

    I agree that you will have to change your functions to work with the new table.

    Hopefully someone from Microsoft is listening so they can consider your experience when thinking about enhancements to the data collection rule and/or AMA.


  2. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-03-06T06:04:35.1666667+00:00

    @Sean Kuchle Thank you for reaching out to us, regarding your ask I have come across this blog: https://jeffreyappel.nl/deploy-sysmon-and-collect-data-with-sentinel-and-the-ama-agent/ which has detailed steps which might help you.

    Let me know if you have any further questions, feel free to post back.


  3. Sean Kuchle 41 Reputation points
    2023-03-06T19:34:10.1933333+00:00

    Thank you for your help and confirmation @David Broggy

    @Givary-MSFT Thank you for your help. I did find the article and used it to get my solution set up, although I could not get it to work on the Forwarding connector and used Windows Security Events via AMA instead. Either way the forwarding goes to another table, "WindowsEvent", which is different than the one the legacy client used to use.

    I'm wondering, is there any official documentation like there was for the legacy client?

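The question and this follow-up describe Sysmon events ending up in three different tables depending on how they were collected: Event (legacy agent), SecurityEvent (Windows Security Events via AMA with the Sysmon XPath) and WindowsEvent (the forwarding connector). Before rewriting parsing functions it helps to see exactly which table each server is landing in. The KQL below is an added example written for this thread, not a query from any of the participants or from Microsoft's documentation. It assumes the standard schema of the three tables: an EventLog column in Event, and a Channel column in SecurityEvent and WindowsEvent; verify those column names in your own workspace before saving it.

```kql
// Added example: inventory Sysmon events across every table they might land in.
// SourceTable is a constructed label so the output shows where each host's data went.
let lookback = 1d;
let sysmonChannel = "Microsoft-Windows-Sysmon/Operational";
// Legacy Log Analytics agent: Sysmon lands in Event, filtered by EventLog.
let SysmonLegacy = Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == sysmonChannel
    | project TimeGenerated, Computer, EventID, EventData = tostring(EventData), SourceTable = "Event";
// Windows Security Events via AMA with the Sysmon XPath added to the DCR.
// Assumption: SecurityEvent exposes the originating channel in its Channel column.
let SysmonSecEvt = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Channel == sysmonChannel
    | project TimeGenerated, Computer, EventID, EventData = tostring(EventData), SourceTable = "SecurityEvent";
// Forwarding connector: WindowsEvent stores EventData as a dynamic bag, so stringify it
// to match the other two branches before the union.
let SysmonWinEvt = WindowsEvent
    | where TimeGenerated > ago(lookback)
    | where Channel == sysmonChannel
    | project TimeGenerated, Computer, EventID, EventData = tostring(EventData), SourceTable = "WindowsEvent";
union SysmonLegacy, SysmonSecEvt, SysmonWinEvt
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceTable, Computer, EventID
| order by SourceTable asc, Computer asc, EventID asc
```

Saved as a workspace function (drop the final summarize and keep the union), the same query gives existing Sysmon parsers a single input that covers the legacy hosts still writing to Event and the Arc-enrolled hosts writing to SecurityEvent or WindowsEvent, so the old location keeps working while servers are migrated. A host that appears under more than one SourceTable for the same time window is being collected twice and will inflate counts in any detection that assumes one copy per event.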

  4. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2023-03-06T20:22:07.5733333+00:00

    Even if Microsoft wrote up some official documentation, I'd wager it wouldn't be better than what Jeffrey Appel does!

    I'm familiar with his docs - he taught me everything I know about sentinel-az commands.

    So Givary has put you on the right path I'm happy to see!

    That said I will put a comment on the internal Sentinel chat group asking about more documentation and if I hear back I'll let you know.

