Question 18

You have computers that run Windows 10 and connect to an Azure Log Analytics workspace. The workspace is configured to collect all available events from the Windows event logs.

The computers have the logged events shown in the following table.

Which events are collected in the Log Analytics workspace?

    Correct Answer: E

    Since the Azure Log Analytics workspace is configured to collect all available events from the Windows event logs, it will collect events from the Application, System, and Security logs, including all types of events (Success, Information, Audit Success, and Error). Therefore, all the listed events will be collected in the Log Analytics workspace.
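As an added example (not part of the original question or answer key), this is the Azure Monitor Agent data collection rule body that would collect the Application, System and Security logs at every level, with the Security log collected for both audit success and audit failure through the Keywords mask the portal generates; the region, subscription, resource group and workspace values are placeholders.

```json
{
  "location": "<REGION>",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "allWindowsEventLogs",
          "streams": [ "Microsoft-Event" ],
          "xPathQueries": [
            "Application!*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5)]]",
            "System!*[System[(Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5)]]",
            "Security!*[System[(band(Keywords,13510798882111488))]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "laWorkspace",
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Event" ],
        "destinations": [ "laWorkspace" ]
      }
    ]
  }
}
```

Once the rule is associated with the computers, the workspace query `Event | summarize count() by EventLog, EventLevelName` shows which logs and levels are actually arriving, which is the practical check for whether Security audit events are being collected.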

Discussion
letters1234 (Option: D)

Need to be careful of the wording as well. "Success" is not an event log type. Critical, Warning, Error, Information and Verbose are the event log types. There is Audit Success and Audit Failure in Security event logs (which can't be collected). But in the scenario, there is no "2 & 4" option, so D.

mhmyz (Option: E)

I think answer is E. Security events can be collected by Azure Monitor Agent and Data Collection rules. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal

NoursBear

Yes, that's true, but how do we know the Azure Monitor Agent is in use? It could be just the Log Analytics agent, which is being deprecated in 2024.

NSA_Poker

We know the Azure Monitor is in use by definition of the Log Analytics workspace. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview#:~:text=A%20Log%20Analytics%20workspace%20is%20a%20unique%20environment%20for%20log%20data%20from%20Azure%20Monitor%20and%20other%20Azure%20services%2C%20such%20as%20Microsoft%20Sentinel%20and%20Microsoft%20Defender%20for%20Cloud.

Darkfire (Option: D)

D is correct. You can't configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

veliyath (Option: E)

Since the Azure Log Analytics workspace is configured to collect all available events from the Windows event logs, it will collect events from the Application, System, and Security logs, including all types of events (Success, Information, Audit Success, Error). Therefore, all the listed events will be collected in the Log Analytics workspace. The correct answer is: E. 1, 2, 3, and 4

sh123df

Answer is correct. You can't configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events.

ushahid (Option: D)

You can't configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

Haider_Raza (Option: E)

Based on the image you sent, all the events in the table will be collected by the Log Analytics workspace. This is because the workspace is configured to collect all available events from the Windows event logs, and the table shows events from standard Windows logs: System, Security and Application. Here's a breakdown of the events:

Event ID 1: This event could be from any application and is most likely logged in the Application log.
Event ID 2: This event is from the System log and provides informational messages about the system.
Event ID 3: This event is a security success audit from the Security log. While the reference material I found says Security events are not collected by default, it appears all events are being collected in this scenario.
Event ID 4: This event is from the System log and indicates an error condition.

Since the workspace is configured to collect all available events from these standard Windows logs, all the events in the table will be collected.

krzysztofbr (Option: D)

You can collect all logs except security

NSA_Poker

Security logs are collected by Microsoft Sentinel and Microsoft Defender & populate the Log Analytics workspace.

BossAceVentura (Option: E)

They say all events in the question. Why not E?

Boulare (Option: E)

Security audit events, including successful security audits, are essential for monitoring and maintaining the security posture of your systems. In Azure Log Analytics Workspace, these events can be collected and analyzed to ensure that you have a comprehensive view of security-related activities.

Types of Security Audit Events Collected
Windows Security Event Logs
Description: These logs capture security-related events on Windows systems, which include audit success and failure events.
Examples: Event ID 4624: An account was successfully logged on (successful logon).

c26a579

Am I not right in thinking that Audit logs are disabled by default anyway?

NSA_Poker (Option: E)

Event ID 3 (Security log) is included. Don't confuse the agent with the workspace. "A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud." https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview#:~:text=A%20Log%20Analytics%20workspace%20is%20a%20unique%20environment%20for%20log%20data%20from%20Azure%20Monitor%20and%20other%20Azure%20services%2C%20such%20as%20Microsoft%20Sentinel%20and%20Microsoft%20Defender%20for%20Cloud.

MJFT (Option: D)

You can't configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

NSA_Poker

You're confusing the Log Analytics agent with the Log Analytics workspace when it comes to events that are collected. The limitations of the agent are compensated for in the workspace. The workspace contains data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud.

Merrybob (Option: E)

E. 1, 2, 3, and 4

It doesn't explicitly mention which type of agent is being used. The Log Analytics Agent is being deprecated, whereas the Azure Monitor Agent is being encouraged. The Azure Monitor Agent has the ability to collect all the logs, so I'm going with that.

Phoennix (Option: E)

E, as per the data collection rule feed to LA.

mohdAj (Option: D)

"You can't configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events." https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

iTomi (Option: E)

Windows event logs: all, and the workspace is configured to collect all available events from the Windows event logs.

Information: Indicates an application or service is operating well. For example, when Windows loads the network driver, the incident will be logged as an information event.
Warning: Unimportant events hinting toward potential issues in the future. A warning event will get logged for a problem like low disk space.
Error: Describes a significant issue when a system cannot function normally, for example, the operating system stops responding.
Success Audit: Records a valid attempt of audited security access for the security log. For example, a login attempt that goes well will come under a success audit event.
Failure Audit: Indicates the failure of audited security access under the security log, such as the inability to access the network drive.