Sentinel security event collection and dual homing

Chris
2022-03-15T18:04:48.8+00:00

Hi, I am trying to figure out how (and where) to set up collection of Windows Security events for Microsoft Sentinel.

The environment consists of two workspaces, one for performance data and one for Sentinel. They are in different subscriptions.

The goal is to collect Security data from the Active Directory Domain Controllers, which have a dual-homing configuration.

From what I can find in the documentation, I need to set the security event collection in the "Auto provisioning" configuration to collect "Common" events to gather the required logs.

The current configuration on the subscription where Sentinel's LAW exists is to auto-provision agents and connect them to the performance data workspace in the other subscription, with "None" for security events. I believe I just need to enable "Common" security log collection. Will the end result be that only the Sentinel workspace gets these Security logs, or will it feed both workspaces? Or will it feed the workspace set in the auto provisioning settings and not the LAW in the subscription?

I chose not to use the data connector in Sentinel, as it seems to have the same effect from what the documentation indicates.


1 answer

    Andrew Blumhardt (Microsoft Employee)
    2022-03-15T19:42:26.137+00:00

    Auto provisioning is a feature in Defender for Cloud. It does allow you to collect Windows security events. As long as MDFC is pointed to the same workspace, you can configure the setup there if you like. Just make sure the correct workspace is linked. Though this is an uncommon choice.

    I recommend using the Sentinel connector instead to avoid confusion. The auto provisioning settings are rather obscure. If you are collecting the data for Sentinel, other operators will expect to see it there. Soon you may also consider using the AMA agent and the new data ingestion filtering, which will also be better to visualize and manage in Sentinel.

    To your main question, each workspace will send a separate set of instructions to the dual-homed agents. The data should not overlap and you can easily verify this in the logs.

    I recommend using the cost and usage workbooks to monitor the ingestion volume and cost after enabling event collection. This is one of the top feeds in terms of cost. Also consider that security events are the result of your audit policy configuration.

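The answer above says the split between the two workspaces can be verified in the logs and that the SecurityEvent feed should be watched for cost. The KQL below is an added example for doing both from the Sentinel workspace; it is not part of the original thread. It assumes the performance workspace is reachable by the hypothetical name `perf-law` via the `workspace()` function (the caller needs read access to both workspaces), that the domain controllers' hostnames start with `DC`, and that the agents are still sending to the legacy `SecurityEvent` table.

```kusto
// Added example, not from the original thread.
// Run in Logs on the Sentinel workspace. Assumptions: the performance workspace is
// addressable as workspace("perf-law") (hypothetical name) and DC hostnames start with "DC".

// 1. Confirm the dual-homed DCs send security events to the Sentinel workspace only.
//    Expected healthy result: SentinelEvents > 0 per DC, PerfEvents empty or 0.
let lookback = 1d;
let sentinelSide = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Computer startswith "DC"
    | summarize SentinelEvents = count(), LastSeen = max(TimeGenerated) by Computer;
let perfSide = workspace("perf-law").SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where Computer startswith "DC"
    | summarize PerfEvents = count() by Computer;
sentinelSide
| join kind=fullouter perfSide on Computer
// fullouter keeps DCs that only appear on one side; coalesce picks whichever key is populated
| project Computer = coalesce(Computer, Computer1), SentinelEvents, PerfEvents, LastSeen
| order by Computer asc

// 2. Daily billable volume of the SecurityEvent table, to watch after switching
//    the collection tier from "None" to "Common". Quantity in the Usage table is in MB.
Usage
| where TimeGenerated > ago(30d)
| where DataType == "SecurityEvent" and IsBillable == true
| summarize IngestedMB = round(sum(Quantity), 2) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

// 3. Which event IDs dominate the feed. Since the volume is driven by the DCs' audit
//    policy, this shows what to tune (e.g. noisy logon/Kerberos events) if the cost is too high.
SecurityEvent
| where TimeGenerated > ago(7d)
| where Computer startswith "DC"
| summarize Events = count() by EventID, Activity
| top 15 by Events desc
```

Each of the three statements is a separate query; place the cursor inside the one you want and run it. If query 1 returns rows with both counts populated for the same DC, both workspaces are asking the agent for security events and the collection tier should be set to "None" on the side that is not meant to receive them.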
