Monitor security events in Azure Virtual Machine

Question

Monitor security events in Azure Virtual Machine

Rahul 296

Hello Team,

I'm looking way to Monitor Azure VM Sign-in logs. I need to set an alert if any user try to RDP into Azure VM it should get fired with his name with Computer name,Date and Time.

The SecurityEvent command is not working in Azure Monitor Log analytics Workspace. Also, I found Azure Monitor is not integrated with security Events.

Anyone knows other way to get alert if RDP users Successful sign-in. The below is predefined Query in Log Analytics workspace but it wont work on Azure VM.

SecurityEvent
| where EventID == 4624
| summarize arg_max(TimeGenerated) by Computer

Accepted answer

1 additional answer

Your answer

Answer 1

Maxim Sergeev 6,586 Microsoft Employee

Basically, sign-in logs are generated in Operating System level, it means you have to collect the events somehow somewhere. Azure Monitor and its Azure Monitoring Agent provide the capability to collect security logs without Microsoft Defender for Cloud enabling. But it's required to install the agent and configure Log Analytics workspace to collect the event logs. After completing the task, you will be able to create alerts based on your query.

Rahul 296 Reputation points

2022-08-04T08:22:47+00:00

. Yes Sign-in logs generated in Security section of ?event Viewer only. The Monitoring agent extension is already installed in the VM with Log analytics workspace. I tried to run above under log analytics--> Logs but it shows 0 results to me.
Maxim Sergeev 6,586 Reputation points Microsoft Employee

2022-08-04T16:21:35.8+00:00

Installed Agent != Configured Agent
What type of agent are you using? Microsoft Monitoring Agent or Azure Monitoring Agent? They use absolutely different approaches to collect data.

If you use Microsoft Monitoring Agent, it requires to enable Microsoft Defender for Cloud, because without that you will not be able to see any security logs.
If you use Azure Monitoring Agent, you need to configure Data Collection Rules that will collect Security logs for you

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal
Rahul 296 Reputation points

2022-08-05T08:17:47.123+00:00

Many Thanks. I have already installed Microsoft Monitoring Agent as a Extension. I configured Data Collection Rules and applied on Subscription yesterday but it wont show me any results?

Does it like only one agent work at a a time?

The SecurityEvent table at least shows latest events
Maxim Sergeev 6,586 Reputation points Microsoft Employee

2022-08-05T16:08:03.407+00:00

If you configured Azure Monitoring Agent with DCRs to collect security logs, you need to use Event table instead of SecurityEvent
Rahul 296 Reputation points

2022-08-05T21:38:36.637+00:00

Thanks I used Events Table, It shows me successful login Info for Event ID 4624. This table wont store any Info related to the Account. Is there any way to see which user account try to login the Azure VM?

Thanks in advance
Maxim Sergeev 6,586 Reputation points Microsoft Employee

2022-08-06T02:15:15.407+00:00

AFAIK, UserName is a property that shows who requested, it could be an application for example.
Rahul 296 Reputation points

2022-08-09T10:49:40.317+00:00

I don't think it's possible to track which user is try to login into Azure VM though RDP (3389).

i tried to enable sign-in logs under Diagnostic Settings --> Azure AD. But it wont shows me the required information.

My organization using common account to sign in into Azure VM called "Maintenance" Not the Azure Ad account.

Does it possible to track users for RDP (3389) Sign in to Azure VM though Log analytics workspace?

Answer 2

George Moise 2,361 Microsoft Employee

Hello,

When a user is successfully connecting remotely (RDP - TCP 3389) to a Windows Operating System, an event with EventID 4624 will be generated in that Operating System - Security Event Log.
In that Event, the LogonType will be 10 (RemoteInteractive).

Now, if you want to collect those events in the SecurityEvent table of a Log Analytics Workspace, you will need to follow the bellow note from this article :

"You can't configure collection of security events from the workspace using Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. Azure Monitor agent can also be used to collect security events."

If you are using Microsoft Sentinel, then you can enable the Security Event data Connectors (either the "old" one via Log Analytics Agent or the new one via the Azure Monitor Agent) and once the events are collected, you can create there an Analytic (detection) Rule.
If you are using Defender for Cloud, then you can configure from there that your agents will push events from the Security Event Logs, and then you can simply create an Azure Monitor Alert Rule.

Without Sentinel or Defender for Cloud, from a simple Log Analytics Workspace, you cannot collect the Security Events.

I hope it helped.
Let me know if more info is required.

BR,
George

Rahul 296 Reputation points

2022-08-09T14:04:39.953+00:00

Hello,

The event 4624 does not shows the User Information which tried to login to Windows. The main aim to track the end user information which try to access the Azure VM using RDP (3389) using Log Analytics
Maxim Sergeev 6,586 Reputation points Microsoft Employee

2022-08-09T15:34:33.813+00:00
@George Moise you can collect Security Logs without Sentinel and Defender for Cloud by using Azure Monitoring Agent. Please use the information more accurate :)

There are two ways you can collect Security events using the new agent, when sending to a Log Analytics workspace:

You can use AMA to natively collect Security Events, same as other Windows Events. These flow to the Event table in your Log Analytics workspace.

If you have Sentinel enabled on the workspace, the Security Events flow via AMA into the SecurityEvent table instead (same as using Log Analytics Agent). This will always require the solution to be enabled first.
Rahul 296 Reputation points

2022-08-09T20:24:53.253+00:00

Hello,

Please note, I'm using only Azure Virtual Machine not the Azure Sentinel. Did you read my post? :) I need information of end user who RDP into Azure VM. I know AMA and MMA agents records the Logs for security events but it wont capture who try to access the VM

In my case I'm focusing on Azure Virtual machine not the Azure Sentinel.
George Moise 2,361 Reputation points Microsoft Employee

2022-08-10T08:08:54.75+00:00

You are correct @Maxim Sergeev !

I haven't presented that option as the queries presented were looking for the event in the SecurityEvent table.

BR,
George
George Moise 2,361 Reputation points Microsoft Employee

2022-08-10T08:13:00.773+00:00

@Rahul
In the Security Event Log of a Windows Operating System, you will get many 4624 events, as these are generated for any logon activity.
Beside the ones presenting Interactive (local) or Remote Interactive (RDP) logons, usually you will have many other events generated by Network logons.
To find out which are the ones from RDP sessions, you need to look for those 4624 events that have the Logon Type property equal with 10 (Remote Interactive).

Have a look at this article to find out more information about each logon type value presented in these events.

BR,
George

Share via

Monitor security events in Azure Virtual Machine

1 additional answer

Your answer