Plan for Windows hosts security events connector


You have three Windows security events connector options to stream events from Windows devices to Microsoft Sentinel.

Based on your organization's requirements, you can install an agent on each Windows device to forward events to Microsoft Sentinel. There are two agent-based connectors available:

  • Windows Security Events via AMA Connector
  • Security Events via Legacy Agent Connector

The second option is to configure a Windows Event Collector device to receive events from the Windows devices. The Windows Event Collector device would then forward events to Microsoft Sentinel with the Windows Forwarded Events connector.

Windows Security Events via AMA Connector vs. Security Events via Legacy Agent Connector

The Windows Security Events via AMA Connector has the following differences from the Security Events via Legacy Agent Connector:

Benefits:

  • Manage collection settings at scale
  • Azure Monitor Agent shared with other solutions
  • Performance improvements
  • Security improvements

Limitations:

  • The Azure Monitor Agent is released in preview and is supported with the CSPM plan and Microsoft Defender for Servers Plan 2.

Requirements:

  • Non-Azure VMs and devices require Azure Arc.
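
The "manage collection settings at scale" benefit refers to Data Collection Rules (DCRs): one rule, associated with many machines, tells the Azure Monitor Agent which Security log events to forward to the Microsoft-SecurityEvent stream that Microsoft Sentinel reads. The rule below is an added example and not content from this training unit; the subscription, resource group and workspace names are placeholders, and the event ID filter is a constructed sample (sign-ins and process creation).

```json
{
  "location": "eastus",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEvents",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ]
      }
    ]
  }
}
```

Widening or narrowing the xPathQueries filter changes what every associated machine sends, which is the scale advantage over editing each legacy agent's configuration individually; Azure Arc-enabled servers can be associated with the same rule as native Azure VMs.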

Azure Arc

Azure Arc is an agent installed on the device or VM that allows it to be managed in the same way as an Azure VM. Azure Arc also provides other functionality, including running Azure-based services in a hybrid environment.