Integration of centralised Log Analytics workspace to Azure Security Center

Christopher Lee - Server Admin 1 Reputation point
2020-11-09T15:31:09.593+00:00

I have a centralised Log Analytics workspace created under a subscription and have it connected to other subscriptions for event/log collection.

Would appreciate some expert insights on whether and how the centralised workspace can be integrated into Azure Security Center (ASC).

Some additional background of my current environment:

We are at the beginning deployment stage. The tenants/resources are still on the AAD free version. They will be upgraded to Premium P2 in a month or two.

Currently, when monitoring the logs of the centralised workspace, only the following Log Management data are available:

  1. AuditLogs
  2. AzureActivity
  3. Operation
  4. SigninLogs
  5. Usage

The data not yet captured include the following:

  1. Alert
  2. Event
  3. Syslog

Would also appreciate comments on whether the currently unavailable data will be captured once the tenants have been upgraded to P2.

Thank you.

  1. Christopher Lee 1 Reputation point
    2020-11-16T05:30:47.027+00:00

    I was referencing many Azure-related Microsoft documents but had difficulty forming a full picture of how the events from the resources (like VMs) get into Security Center for monitoring.

    Please let me know if this screenshot helps in your understanding of my question.

    [Screenshot: 39925-image.png]


  2. Christopher Lee 1 Reputation point
    2020-11-19T07:28:11.22+00:00

    Thank you for the response and advice given, James & Bharathn. Looking at our setting, the auto-provisioning of the Log Analytics agent has been turned on, but currently the centralised workspace is not specified, and the type of raw Windows security event data to store has not been selected.

    [Screenshot: 40936-image.png]

    However, we do have a centralised Log Analytics workspace created, as mentioned earlier, and connected to all subscriptions, as shown below. What is the difference between the workspace connections in these two setups?

    [Screenshot: 41002-image.png]

    Do I still need to specify the connection to the centralised workspace by individual subscription in the setting shown on the first screenshot?

    Without selecting the type of raw data to store, is "None" the default? Please advise whether selecting the raw data storage option is essential, as our Security Center has currently been providing recommendations on some controls, as shown in the screenshot below. I just wonder what other security events are missing or unavailable at this juncture. Your additional input will be very much appreciated.

    [Screenshot: 41013-image.png]

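An added example, not from the thread or from Microsoft's documentation: a KQL check to run in the centralised workspace to see which of the tables discussed above are actually receiving rows, and which agents heartbeat into this workspace without yet delivering Event or Syslog data. Table names are the standard Log Analytics ones (SecurityEvent and SecurityAlert are where Security Center's collected Windows security events and its alerts land); the 24h lookback is an assumed value.

```kusto
// Added example (not part of the original post). Inventory the tables relevant
// to the question over the last 24 hours. isfuzzy=true keeps the query running
// when a table has never received data; that table simply does not appear.
let lookback = 24h;
union isfuzzy=true withsource=TableName
    AuditLogs, AzureActivity, SigninLogs,    // tables the poster already sees
    Event, Syslog,                           // agent-collected tables not yet arriving
    SecurityEvent, SecurityAlert, Heartbeat  // populated once agents/ASC target this workspace
| where TimeGenerated > ago(lookback)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by TableName
| order by TableName asc

// Second query (run separately): machines whose agent reports to this workspace
// but which have sent no Windows Event or Syslog rows in the same window. A
// non-empty result points at agents connected here without a collection setting.
let lookback = 24h;
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated), OS = take_any(OSType) by Computer
| join kind=leftanti (
    union isfuzzy=true Event, Syslog
    | where TimeGenerated > ago(lookback)
    | distinct Computer
  ) on Computer
| order by LastHeartbeat desc
```

Run each query on its own in the Logs blade; an empty first result for Event, Syslog and SecurityEvent alongside rows in Heartbeat matches the situation described in the follow-up, where the agent is provisioned but no workspace or data tier is selected.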
