如何在 Azure Log Analytics 工作区中获取 Windows 安全事件？

Question

I have several virtual machines and virtual machine scale sets in Azure for which I want to collect Windows Security event logs. I attempted to add these events to the Log Analytics workspace used by Sentinel through the portal.

This produces the following error message.

'Security' event log cannot be collected by this intelligence pack because Audit Success and Audit Failure event types are not currently supported.

It's a hard requirement for me that Sentinel has access these Security logs. I've been trying to figure out what my options are, and I haven't found a good one yet.

The prescribed approach appears to be setting up a Data Connector in Sentinel for the Security Events. I hit a couple of interesting things attempting this.

Virtual machine scale sets support is limited. No actions are available at this moment.

It looks like I can't connect virtual machine scale sets, which is a big problem. Additionally, I can't even select the tier of the security events (see below) from this context.

So it looks like I have to use Azure Security Center. From within Azure Security Center the only way I can add these Security Events is to turn on Auto-Provisioning and install the Microsoft Monitoring agent (MMA) on every VM, something I don't want to do. I'm also concerned about costs using ASC.

Are there any other options? Am I going about this the wrong way?

Answer 1

The Security event log is automatically added behind the scenes when adding the monitoring agent on the VM.

In regards to the VMSS, I am not sure what your options are there.