MS Defender in Log Analytics through Azure Monitoring Agent

angelsm84 41 Reputation points
2021-01-18T15:15:36.16+00:00

Hello, does anyone know if it is possible to collect MS Defender logs (AV only, not ATP) through Azure Monitoring Agent on Windows 10 systems (not Azure) and then centralise them in Log Analytics or Event Hub and send them to a third-party SIEM? You may have asked some nonsense, I'm a bit lost on this subject. Thank you very much in advance and best regards,


Accepted answer
  1. SwathiDhanwada-MSFT 18,996 Reputation points Moderator
    2021-01-20T11:59:34.307+00:00

    @angelsm84 Kindly note that Microsoft Monitoring Agent can be installed on non-Azure services to collect logs. MS Defender logs can be sent to a Log Analytics workspace, as the log events are stored in Event Viewer. To enable the Event Viewer logs to be stored in the Log Analytics workspace, go to Log Analytics workspace -> Advanced Settings -> Data -> Windows Event Logs -> add the log name in the highlighted section as shown in the image and then click + (you can get it from Event Viewer by clicking on Properties of the log). For more information, refer to this article.

    [screenshot: Advanced Settings -> Data -> Windows Event Logs, with the log name field highlighted]

    To send Log Analytics data to third-party tools, you can refer to this article, which provides detailed steps and also the list of third-party tools that are supported.

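As an added example (not from the thread), the same Windows Event Log data source can be registered and then verified from PowerShell; it follows the Microsoft Monitoring Agent workspace-setting model the accepted answer describes, not the Data Collection Rules used by the newer Azure Monitor Agent. Resource group, workspace and data-source names are placeholders; the event log name is the channel name Event Viewer shows for Defender AV, which the thread itself does not spell out, and the Az.OperationalInsights module with a signed-in session (Connect-AzAccount) is assumed.

```powershell
# Added example, not code from the thread. Registers the Defender AV event
# channel as a workspace data source (the PowerShell equivalent of the portal
# path in the accepted answer) and then checks that events are arriving.

$ResourceGroup = 'rg-security-logs'   # placeholder
$WorkspaceName = 'law-security'       # placeholder

# Channel name as shown under the log's Properties in Event Viewer. Defender AV
# (not MDE/ATP) writes here; 1116/1117 are detection / action-taken events,
# 5001 reports real-time protection being disabled.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Register the channel: Advanced Settings -> Data -> Windows Event Logs -> +
New-AzOperationalInsightsWindowsEventDataSource `
    -ResourceGroupName $ResourceGroup `
    -WorkspaceName     $WorkspaceName `
    -Name              'DefenderAV-Operational' `
    -EventLogName      $DefenderLog `
    -CollectErrors -CollectWarnings -CollectInformation

# 2. Once agents have picked up the new setting, summarise what has landed in
#    the Event table for that channel over the last day.
$Workspace = Get-AzOperationalInsightsWorkspace `
    -ResourceGroupName $ResourceGroup -Name $WorkspaceName

$Kql = @"
Event
| where TimeGenerated > ago(24h)
| where EventLog == '$DefenderLog'
| summarize Count = count(), Hosts = dcount(Computer) by EventID, EventLevelName
| order by Count desc
"@

$Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace.CustomerId -Query $Kql
$Result.Results | Format-Table EventID, EventLevelName, Count, Hosts

# No rows from a host that is otherwise present in the Heartbeat table usually
# means the channel name does not match Event Viewer exactly, or the agent has
# not yet refreshed its data-source configuration.
```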

2 additional answers

Sort by: Most helpful
  1. Jenny Feng 14,246 Reputation points
    2021-01-19T07:09:56.607+00:00

    Hi,
    You could refer to the following link:
    https://learn.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-agent-using-dsc-in-azure-automation
    Hope above information can help you.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. angelsm84 41 Reputation points
    2021-01-19T10:48:02.61+00:00

    The questions are:

    Is the installation of Azure Monitoring Agent supported on non-VDI Windows 10 systems?

    According to the requirements I see no problem:
    https://learn.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview#supported-operating-systems

    Afterwards, can antivirus events also be sent to Log Analytics with this agent?

    And finally, how can I send Log Analytics events to a third party SIEM?

    As you can see, there are many questions. I can't find an answer anywhere.

    Thanks in advance.
