"Security Events Storage" option is greyed out in Microsoft Defender for Cloud

Ram Kumar Cheekoti 141 Reputation points
2023-09-09T05:17:18.6066667+00:00

Dear Team,

The security events storage option is disabled. Attempting to change the value from none to all events, but this option is greyed out despite having owner and contributor permissions.

Have read/write permissions for the workspace on subscription-level, such as the Owner & Contributor roles, as prescribed in the following link.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

Please help.

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. Tushar Kumar 3,326 Reputation points MVP
    2023-09-09T07:41:37.95+00:00

    Hi, Thanks for asking your question! When you autoprovision the Log Analytics agent in Defender for Cloud, you can choose to collect other security events to the workspace. When you autoprovision the Azure Monitor agent in Defender for Cloud, the option to collect other security events to the workspace isn't available. Defender for Cloud doesn't rely on these security events, but they can be helpful for investigations through Microsoft Sentinel.

    If you want to collect security events when you autoprovision the Azure Monitor Agent, you can create a Data Collection Rule to collect the required events. So the option will remain grayed out. Here is the reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent#deploy-the-azure-monitor-agent-with-defender-for-cloud . Please "Accept as Answer" if this helps.
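
The Data Collection Rule mentioned in the answer above, sketched as an added example that is not part of the original thread or Microsoft's own code: it builds a DCR body that sends Windows Security channel events to a Log Analytics workspace through the `Microsoft-SecurityEvent` stream. The workspace ID placeholder, rule and destination names, region, sample event IDs and the 20-IDs-per-query grouping are assumptions.

```python
import json

# Assumption: placeholder resource ID, replace with your own workspace.
WORKSPACE_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
                "/providers/Microsoft.OperationalInsights/workspaces/<workspace>")

def security_xpath(event_ids=None, chunk=20):
    """Return xPathQueries for the Security channel.

    No event_ids selects every event (the "All Events" case in this thread).
    IDs are grouped `chunk` per query; the group size is an assumption
    chosen to keep each XPath expression short.
    """
    if not event_ids:
        return ["Security!*"]
    ids = sorted({int(i) for i in event_ids})  # de-duplicate and order
    if any(i < 0 or i > 65535 for i in ids):
        raise ValueError("event IDs must be in 0..65535")
    queries = []
    for start in range(0, len(ids), chunk):
        terms = " or ".join(f"EventID={i}" for i in ids[start:start + chunk])
        queries.append(f"Security!*[System[({terms})]]")
    return queries

def build_dcr(location, workspace_id, event_ids=None):
    """Build the DCR body: one data source, one destination, one data flow."""
    stream = "Microsoft-SecurityEvent"   # lands in the SecurityEvent table
    dest = "securityWorkspace"           # hypothetical destination name
    return {
        "location": location,
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "securityEvents",  # hypothetical data source name
                "streams": [stream],
                "xPathQueries": security_xpath(event_ids),
            }]},
            "destinations": {"logAnalytics": [{
                "name": dest,
                "workspaceResourceId": workspace_id,
            }]},
            # The flow must reference the same stream and destination name.
            "dataFlows": [{"streams": [stream], "destinations": [dest]}],
        },
    }

if __name__ == "__main__":
    # Constructed sample: logon success/failure and process creation.
    print(json.dumps(build_dcr("eastus", WORKSPACE_ID, [4624, 4625, 4688]), indent=2))
```

The printed JSON is the rule definition only; the rule still has to be created in Azure and associated with the machines running the Azure Monitor Agent before any events arrive.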


  2. JamesTran-MSFT 36,626 Reputation points Microsoft Employee
    2023-09-21T19:31:20.72+00:00

    @Ram Kumar Cheekoti

    Thank you for your post and I apologize for the delayed response!

    I understand that you're trying to change the Security events storage configuration from None to All Events, but the option is greyed out even though you have the correct permissions. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    When it comes to changing the Security events storage configuration, I was able to reproduce your issue and to change my Security events storage configuration from None to All Events, I had to:

    1. Navigate to Defender for Cloud, select Environment settings.
    2. Select the relevant workspace.

    Note: If you configured the Security Events within Azure Sentinel to change the tier, you'll need to do this in Azure Sentinel, and it will apply for Microsoft Defender for Cloud.


    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

