The following is more of an academic question. I don't think there is much of practical value in it, as there are better out-of-the-box solutions to it.
Question
How can I collect the Security Events from a Windows-based Azure Virtual Machine and create an alert on top of it, so that an email is sent out if there are more than, let's say, 30 Security Events per minute?
Take 1
- Create a Log Analytics workspace
- Add a virtual machine as data source (Workspace Data Sources > Virtual machines)
- Configure data that should be collected (Advanced Settings > Data > Windows Event Logs)
This however doesn't allow me to add Security Events (only Application and System events).
'Security' event log cannot be collected by this intelligence pack because Audit Success and Audit Failure event types are not currently supported.
Take 2
- From the VM itself enable Diagnostic settings and from "Logs" ensure "Audit Success" and "Audit failure" are selected.
- Enable "Azure Monitor" under data sink
When querying now for something like
Event
or
Event | where ComputerName == "vm1"
no results are returned. It seems that this approach only sends metrics and not logs to Azure Monitor.
Edit
Okay here is what I have found out so far.
With the use of VM Diagnostic settings, one could write the security events to a storage account table and then later use a Log Analytics Workspace and add the storage account as a source.
This however still doesn't give the ability to query the events. At least for me the Events table was always empty. It seems the data would need transformation first, through an Azure Solution. However, I couldn't find one that transforms Windows events.
To collect and react on Security Event Logs coming from Windows the go-to solution would be Azure Security Center. Still don't know though how to create an alert based on that... so confusing.
I assume you found your answer but for those who don't know:
(and yes I agree it's confusing as Microsoft has links to several locations where this can be done and they've moved the configuration menus. IMO they should hide the non-typical settings or label them 'advanced')
Go to your Log Analytics Workspace.
Open 'Agents Management'.
Download and install the Windows agent.
That's it. Now you're collecting all of the security-relevant Windows events.
Tip: you DON'T need to go into the Log Analytics advanced section and configure any additional event log types for Windows unless you're doing something outside of the typical collection of Event ID related logs.
To see the events run this query:
SecurityEvent
Or if you want something time-relevant:
SecurityEvent
| where TimeGenerated > ago(24h)
| limit 10
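As an added example (not part of the original question or answer), the query below turns the collected SecurityEvent data into the alert condition the question asked for: more than 30 Security events per minute on a machine. It assumes the agent from the answer is reporting into the workspace and that events land in the SecurityEvent table, whose hostname column is `Computer`. The `threshold` and `window` names are just query variables chosen here; the 30-per-minute figure is the one from the question.

```kql
// Added example, not code from the original post.
// Assumes Windows Security events are arriving in the SecurityEvent table
// via the agent installed in the answer above.
let threshold = 30;   // per-minute event count from the question; tune per host
let window = 5m;      // match this to the alert rule's evaluation frequency
SecurityEvent
| where TimeGenerated > ago(window)
| summarize EventCount = count(),
            // distinct event IDs seen in that minute, so the alert email already
            // says what drove the spike (up to 10 IDs per row)
            EventIDs = make_set(EventID, 10),
            // 4625 is a failed logon; a burst of these is the case worth paging on
            FailedLogons = countif(EventID == 4625)
          by Computer, bin(TimeGenerated, 1m)
| where EventCount > threshold
| project TimeGenerated, Computer, EventCount, FailedLogons, EventIDs
| order by TimeGenerated desc
```

To get the email from the question, paste this into Logs in the workspace and choose "New alert rule": the per-minute threshold is already inside the query, so set the rule to fire when the number of returned rows is greater than 0, set the evaluation frequency to the same 5 minutes as `window` so each minute is checked once rather than re-alerted for an hour, and attach an action group with an email action. Two caveats a practitioner will hit: a raw volume threshold also fires on benign bursts once process-creation (4688) or object-access (4663) auditing is enabled, so in practice you filter on EventID or on `FailedLogons` rather than on total count; and the Windows agent in the answer is the legacy Log Analytics agent, which Microsoft retired in 2024 in favour of the Azure Monitor Agent with a Data Collection Rule that selects the Security log. The SecurityEvent table and this query are unchanged by that switch.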