How to query multiple Managed Device event logs?

CourtneyEdwards-321 46 Reputation points
2022-03-26T12:13:11.17+00:00

Hi All,

How do I get the security event logs from a managed device into Azure for querying? Can you please tell me the best way to query managed devices' event logs? What Azure resource should I use: Azure Monitor, Log Analytics, Azure Sentinel, or another resource? Can you please give me basic instructions with a few demo queries? Should I be using Log Analytics with Kusto Query Language?

Can you please tell me the difference between the following resources, with examples on when I should use them:

  • Log Analytics
  • Azure Monitor
  • Microsoft Graph
  • Azure Graph

Many thanks
Colin


2 answers

  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2022-03-26T15:41:34.073+00:00

    Security event logs can be collected by Sentinel, Defender for Cloud, or by a Data Collection Rule. The DCR rule requires the new Azure Monitor Agent (AMA). These solutions will centrally collect security event logs into a Log Analytics Workspace for further analysis.

    Which to choose really depends on what you have currently deployed. Sentinel is the best choice from a security perspective and the most expensive. Using a DCR rule to a standard workspace is less expensive but you have to create your own rules and dashboards.

    https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview


  2. AnuragSingh-MSFT 20,996 Reputation points
    2022-03-30T06:09:15.113+00:00

    Hi @CSunny789,

    The following content is an extension to Andrew's answer above.

    Here are some basics to help you understand different services/solutions:

    Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. The analysis and threat intelligence are based on the data collected in Log Analytics workspace.

    Log Analytics Workspace is a service which stores the monitoring data. You can think of it as a DB to store and query monitoring data. All the monitoring services/agents forward the data to this workspace, which is used for querying, alerting and analyzing.

    Azure Monitor is an umbrella name for a collection of tools designed to provide visibility into the state of your system. It helps you understand how your cloud-native services are performing and proactively identifies issues affecting them. Log Analytics also comes under Azure Monitor. Please refer to this link to understand all the other services included in Azure Monitor.

    Microsoft Graph provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. In short, it provides a single endpoint to query data from Microsoft services (not event logs from VMs).

    Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

    ---
    To collect event logs from Managed Devices, you will have to use an agent. For Windows machines, you can either use AMA (Azure Monitor Agent) or Log Analytics agent (also called OMS agent or Microsoft Monitoring Agent). The collected data will be forwarded to "Log Analytics Workspace" and can be used either in Microsoft Sentinel OR directly by querying the logs from workspace (which does not require Microsoft Sentinel to be enabled).

    Here are some links that should help you:

    1. Azure Monitor agent - this can be used for Azure VMs, scale sets and Azure Arc-enabled servers. Please refer to this video for a walkthrough.

    2. Log Analytics Agent - this can be used for Azure VMs, scale sets, Azure Arc-enabled servers as well as on-premises machines. Please follow this learn module to get step-by-step guidance on getting started.

    3. Querying data - Once you have the data in Log Analytics workspace, you may query it using KQL. This doc gives a good starting point for querying this data.

    4. Microsoft Sentinel - please refer to the following link - Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR

    I hope these resources will be helpful to you. Please let us know if you have any questions.

    ---
    Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.
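Both answers above end at "query the workspace with KQL" without showing a query, and the question asked for a few demo queries. The block below is an added example, not code from either answer or from Microsoft's documentation. It assumes Windows Security events are being collected by the AMA (via a DCR) or the Log Analytics agent into the default SecurityEvent table, so the columns TimeGenerated, Computer, EventID, Account, IpAddress and LogonType exist with their standard meanings; if your DCR routes events to a custom table, change the table name. Thresholds such as `Failures >= 20` and the 1h window are illustrative starting values, not tuned detection logic.

```kusto
// Added example: three starter KQL queries over the SecurityEvent table.
// Paste into the Logs blade of the workspace (or Sentinel > Logs), put the
// cursor in one query and run it; the queries are independent of each other.

// 1. Collection health: which hosts are reporting, how much, and when last.
//    A machine missing from this list is a collection gap, not a quiet host.
SecurityEvent
| where TimeGenerated > ago(24h)
| summarize EventCount = count(), LastSeen = max(TimeGenerated) by Computer
| order by LastSeen asc

// 2. Failed logons (EventID 4625) by source address and host. Many distinct
//    accounts failing from one IpAddress is the shape of a password spray;
//    many failures against one account is the shape of a brute force.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize Failures = count(),
            Accounts = dcount(Account),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, Computer
| where Failures >= 20          // illustrative threshold, tune per environment
| order by Failures desc

// 3. A successful network logon (4624, LogonType 3) for an account that had
//    failures from the same source within the previous hour: a sequence that
//    deserves a look, because it is what a successful guess looks like.
let failures = SecurityEvent
    | where TimeGenerated > ago(1d) and EventID == 4625
    | project FailTime = TimeGenerated, Account, IpAddress;
SecurityEvent
| where TimeGenerated > ago(1d) and EventID == 4624 and LogonType == 3
| project SuccessTime = TimeGenerated, Account, IpAddress, Computer
| join kind=inner failures on Account, IpAddress
| where FailTime < SuccessTime and SuccessTime - FailTime < 1h
| summarize PriorFailures = count(), FirstFailure = min(FailTime)
    by Account, IpAddress, Computer, SuccessTime
| order by SuccessTime desc
```

Query 1 is worth running first whenever the other two return nothing: an empty result from query 2 means either no failed logons or no collection, and only query 1 tells you which. Once a query like 2 or 3 is useful, the same KQL can be saved as a scheduled analytics rule in Sentinel or as a log alert in Azure Monitor, which is the "create your own rules" step Andrew's answer refers to.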