W365 CloudPC Monitoring with AMA and Sentinel

sri 45 Reputation points
2024-10-04T12:22:56.1+00:00

Hi Team,

I have a question on W365 Enterprise CloudPC monitoring. A customer wants to send all the W365 logs to Sentinel, including Windows event logs and security logs. Is this possible? I did not see any documentation in this regard. If it is possible, how can I accomplish this?

Also, can I install the Azure Monitor agent on W365 VMs?

Thanks

Sri


1 answer

  1. alta94 2,181 Reputation points
    2024-10-06T18:29:53.0333333+00:00

    Hi Sri

    Yes, it's possible! Steps to send your Windows 365 machine logs to Microsoft Sentinel:

    1. Set Up Log Analytics Workspace

    Create a Log Analytics Workspace:

    • Go to the Azure portal.
    • Navigate to "Log Analytics workspaces".
    • Click "+ Create" and fill in the required details (Subscription, Resource Group, Name, Region).
    • Click "Review + create" and then "Create".
    2. Install the Log Analytics Agent

    Download the Agent:

    Install the Agent:

    • Run the installer.
    • During installation, you will be prompted to provide the "Workspace ID" and "Primary Key". You can find these in the Azure portal under your Log Analytics workspace:
      • Go to your workspace.
      • Under "Settings", select "Agents management".
      • Copy the "Workspace ID" and "Primary Key".
    3. Configure Data Collection

    Configure Windows Event Logs:

    • In the Azure portal, go to your Log Analytics workspace.
    • Under "Settings", select "Agents configuration".
    • Click on "Windows Event Logs".
    • Add the event logs you want to collect (e.g., Application, Security, System).

    Configure Performance Counters:

    • Still under "Agents configuration", select "Performance counters".
    • Add the performance counters you want to monitor (e.g., Processor, Memory, Disk).
    4. Connect Log Analytics to Microsoft Sentinel

    Enable Microsoft Sentinel:

    • In the Azure portal, navigate to "Microsoft Sentinel".
    • Click "+ Add" and select your Log Analytics workspace.

    Configure Data Connectors:

    • In your Sentinel workspace, go to "Configuration" > "Data connectors".
    • Find and configure the "Windows Security Events via AMA" connector:
      • Click on the connector.
      • Follow the instructions to enable the data connector and configure the necessary permissions.
    5. Verify Data Ingestion

    Run Queries in Sentinel:

    • Go to the "Logs" section in your Sentinel workspace.
    • Use Kusto Query Language (KQL) to run queries and verify that logs are being ingested. For example: SecurityEvent | where TimeGenerated > ago(1d) | take 10

    Check for Errors:

    • Ensure there are no errors in the "Agent Health" section of your Log Analytics workspace.
    • Verify that the agent is connected and sending data.

    --- If the answer was helpful and resolved your query, kindly accept the answer ---
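The portal steps above hide what the "Windows Security Events via AMA" connector actually deploys: a Data Collection Rule (DCR) that reads the Security channel with an XPath filter and sends the Microsoft-SecurityEvent stream to the workspace. The following is an added example, not code from the thread or from Microsoft; it builds that DCR body and checks the cross-references that most often break a rule (a dataFlow naming a stream or destination that is not defined, a malformed XPath). The workspace resource ID and region are constructed placeholders.

```python
"""Build and sanity-check a DCR body that collects the Windows Security log via AMA.
Added example for illustration; resource IDs and region are placeholders."""
import json
import re

# Constructed placeholder; replace with the real Log Analytics workspace resource ID.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")

# Logon success/failure, explicit credentials, special privileges, process creation.
# 4688 only arrives when Audit Process Creation is enabled on the Cloud PC.
SECURITY_XPATH = ("Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648 "
                  "or EventID=4672 or EventID=4688)]]")


def build_security_events_dcr(workspace_resource_id, location, xpath_queries):
    """Return a DCR body using the Microsoft-SecurityEvent stream (lands in SecurityEvent)."""
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "securityLog",
                "streams": ["Microsoft-SecurityEvent"],
                "xPathQueries": list(xpath_queries),
            }]},
            "destinations": {"logAnalytics": [{
                "name": "sentinelWorkspace",
                "workspaceResourceId": workspace_resource_id,
            }]},
            "dataFlows": [{"streams": ["Microsoft-SecurityEvent"],
                           "destinations": ["sentinelWorkspace"]}],
        },
    }


def validate_dcr(dcr):
    """Return a list of problems: dangling stream/destination names and malformed XPaths."""
    props = dcr["properties"]
    sources = props["dataSources"].get("windowsEventLogs", [])
    defined_streams = {s for src in sources for s in src["streams"]}
    dest_names = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    problems = []
    for flow in props["dataFlows"]:
        problems += [f"dataFlow stream {s!r} has no data source" for s in flow["streams"] if s not in defined_streams]
        problems += [f"dataFlow destination {d!r} is not defined" for d in flow["destinations"] if d not in dest_names]
    for src in sources:  # every XPath must start with a channel name, e.g. "Security!..."
        problems += [f"bad XPath {q!r}: expected 'Channel!query'" for q in src["xPathQueries"] if not re.match(r"^[A-Za-z][\w/-]*!", q)]
    return problems


if __name__ == "__main__":
    dcr = build_security_events_dcr(WORKSPACE_ID, "eastus", [SECURITY_XPATH])
    assert not validate_dcr(dcr)
    print(json.dumps(dcr, indent=2))  # save and deploy as the DCR body, then associate it with the Cloud PC
```

Once deployed and associated with the Cloud PC, the verification query from step 5 (SecurityEvent | where TimeGenerated > ago(1d) | take 10) should return the filtered events.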

