Question regarding Azure Sentinel Security Logs

Shinde, Balaji 116 Reputation points
2023-03-16T17:41:29.72+00:00

Hi All,

We are using Azure Policy to install AMA and assign a data collection rule. The Log Analytics workspace is linked to Sentinel.

Now, to collect Windows security logs via the Sentinel connector "Windows Security Events via AMA", do we have to specify each resource that we need to collect security logs from? Or is just creating the DCR and enabling the data connector enough, since we are already installing AMA and the DCR separately using Azure Policy? Specifying resources or subscriptions in this new DCR will be a very tedious task since we have a lot of exceptions etc., and it also says you must select already selected resources.

Below is the screenshot of "Windows Security Events via AMA" DCR page.

[Screenshot: SentinelDCR]


Accepted answer
  1. Patchfox 3,376 Reputation points
    2023-03-16T21:01:13.84+00:00

    Hi Shinde, Balaji, I want to help you with this question.

    Yes, you need to select all possible resources in the settings mask shown, which will be linked to Azure Sentinel via the respective DCR.

    However, my recommendation is not to do this directly in the DCR configuration, as not all scopes (e.g. management groups etc.) can be selected. So scalability is lacking here.

    The better alternative is to use the policy set "Deploy Windows Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule". It is a built-in policy set and configures the non-compliant VMs to link to the defined DCR.


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.


1 additional answer

  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2023-03-20T02:17:13.63+00:00

    You can target the rule to a subscription or resource group.

    The data connectors create a special DCR that sends these events to the SecurityEvent table. A standard DCR sends events to the Event table unless you use a transformation to redirect this to SecurityEvent. Note that UEBA and all of the rules and workbooks in Sentinel are looking at SecurityEvent, not Event.

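To make the distinction in the answer above concrete, here is an added example (not from the thread or from Microsoft) of an ARM template that deploys two data collection rules side by side: one "standard" Windows event log DCR whose `Microsoft-Event` stream lands in the Event table, and one Sentinel-style DCR whose `Microsoft-SecurityEvent` stream lands in the SecurityEvent table that the analytics rules, workbooks and UEBA query. The workspace resource ID, resource names, location and the `Security!*` XPath (which collects every Security log event) are placeholders and assumptions; a real deployment would scope the XPath to the event IDs it needs. Both rules use the same `apiVersion` and schema, so the only operative difference is the stream name in `dataSources` and `dataFlows`.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string",
      "metadata": { "description": "Placeholder: resource ID of the Sentinel-enabled Log Analytics workspace" }
    },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "comments": "Standard DCR: Security log events arrive in the Event table, which Sentinel content does not query",
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-example-windows-events",
      "location": "[parameters('location')]",
      "kind": "Windows",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "securityLogToEventTable",
              "streams": [ "Microsoft-Event" ],
              "xPathQueries": [ "Security!*" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "sentinelWorkspace", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-Event" ], "destinations": [ "sentinelWorkspace" ] }
        ]
      }
    },
    {
      "comments": "Sentinel-style DCR: the same Security log events arrive in the SecurityEvent table used by rules, workbooks and UEBA",
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-example-security-events",
      "location": "[parameters('location')]",
      "kind": "Windows",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "securityLogToSecurityEventTable",
              "streams": [ "Microsoft-SecurityEvent" ],
              "xPathQueries": [ "Security!*" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "sentinelWorkspace", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-SecurityEvent" ], "destinations": [ "sentinelWorkspace" ] }
        ]
      }
    }
  ]
}
```

Whichever rule a VM is associated with (manually, through the connector page, or through the policy set named in the accepted answer), the table the events land in is decided by the stream, so a quick check after onboarding is to query SecurityEvent for the onboarded computers; if the events only show up in Event, the association points at a rule of the first kind.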