Log Analytics Workspace - event4625

Question

Buenas,

Espero que se encuentren bien.

Me gustaría escalar esta pregunta, tengo un LAW para su respectiva ingesta de logs, pero no logro realizar la ingesta de fallos de inicio de sesión a través del evento 4625 y generar una alerta.

Estoy ejecutando la siguiente consulta:

SecurityEvent
| where EventID == 4625
| summarize FailedLogins = count() by Account,Computer, IpAddress
| sort by FailedLogins desc

Me gustaría saber si estoy omitiendo alguna configuración, ya que me indica que no tiene data.

No results found from the last 24 hours. (Se intenta con diferente rango)

Saludos.

Answer

Hi @Alexis Salazar Núñez ,

As mentioned in this official Azure document, we can't configure collection of security events from the workspace using Log Analytics agent. We must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. Azure Monitor agent can also be used to collect security events.

Few other related resources:
https://learn.microsoft.com/en-us/azure/architecture/framework/security/monitor-logs-alerts
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/securityevent
https://learn.microsoft.com/en-us/answers/questions/235333/index.html
https://learn.microsoft.com/en-us/answers/questions/787544/index.html

Log Analytics Workspace - event4625

1 answer