Windows event logging to SIEM (Sentinel)

I am working in a landscape where several old systems are active. Yes, it's a concern that receives attention and is being addressed, but it's separate from this question.

For the SOC we need event logging in a SIEM, and thus Sentinel. We only need logging from a few servers, according to our MSSP, as the other logging is already collected by the MDE & MDI agents or other log-collection methods. So the setup of the additional logging focuses on a small number of systems (max 10).

Note that these systems are on-prem in our data center.

Azure Arc with AMA is the option we want to go for in the end, but we do not want to introduce such new technology (as Arc, in general, is not in use in the environment) overnight. But logging needs to be collected before the end of this month due to compliance requirements.

So, we have two other options: using the MMA agent, which we know will reach EoS in August this year, but is an agent that some admins have experience with within the test/dev environment. No MMA is enabled in production. It will introduce some risks, as we must install an agent on old, unstable systems. But it is an option.

Another method could be using a WEC (Windows Event Collector), which will collect/receive the logging from the systems in scope (again, this is a small set of systems). This WEC will be enabled on an Azure Windows server, which allows us to enable AMA on it. The advantage is that we do not need to install software on the old systems. Of course, we need a configuration adjustment to get the logging from these systems. We assume WEF (Windows Event Forwarder) has less impact than, e.g., installing MMA.

Main question: will I face compatibility issues if I collect the data via WEC and ingest it into Sentinel via the AMA agent installed on the WEC server, compared to using MMA on the remote systems?

Thanks for any response.
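As an added example (not from this thread, and not Microsoft's own documentation), this is the WEC/WEF setup sketched above: a source-initiated subscription on the Azure collector that runs AMA, the policy change on the legacy on-prem servers so they push events without any agent install, and the note on what the AMA data collection rule must reference. The collector host name, subscription id and event ID list are assumptions.

```powershell
# --- On the WEC server (the Azure Windows VM that also runs AMA) ---
# Assumed names: collector wec01.corp.example, subscription id Legacy-Servers-Security.
# Enable the Windows Event Collector service and the ForwardedEvents log.
wecutil qc /q

# Source-initiated subscription: the legacy servers push events to the collector,
# so nothing beyond a policy/registry change is needed on them (no agent install).
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Legacy-Servers-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from the legacy on-prem servers in scope</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4732 or EventID=4756)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL allowing Domain Computers to forward; tighten to the ~10 hosts in scope if preferred -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path .\legacy-security.xml -Value $subscription -Encoding UTF8
wecutil cs .\legacy-security.xml
wecutil gr Legacy-Servers-Security   # runtime status: shows which sources have connected

# --- On each legacy source server (via GPO, or directly for a handful of hosts) ---
# Point the forwarder at the collector over WinRM (HTTP 5985, Kerberos inside the domain).
winrm quickconfig -q
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
  -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null
# The forwarder runs as NETWORK SERVICE, which needs read access to the Security log.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
Restart-Service WinRM

# --- Sentinel side ---
# AMA on wec01 needs a Data Collection Rule whose Windows event source uses the custom XPath
# "ForwardedEvents!*" so the forwarded events, not the collector's own logs, are sent to Sentinel.
```

Once events appear in the collector's ForwardedEvents log, the Event table in Sentinel is where to check that the source host, not the collector, is recorded as the originating computer for each event.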

3 Replies
Personally, I'd do anything to avoid using MMA at this stage. WEC/WEF sounds like a reasonable option; a quick test should confirm any fears. From memory, the source machine is listed in the schema, so there should be no compatibility issue.

@Clive_Watson, thanks for your reply.

I heard concerns that the format of this content (the content collected via WEF/WEC) seems slightly different than when MMA or AMA is used. Is that correct? Even if the final step is using AMA to ingest the traffic into Sentinel?

That person stated that it may have an impact when we migrate to Arc/AMA for all the systems.

Given that you have 8 days, I'd look to use WEC for now. I don't have a demo system anymore, so I can't comment on the impact; perhaps others will know.
The WEF process is via AMA on the internet-connected server, so that (should) align the schema.