Installing the Azure Arc Agent for Windows Event Collection (and more)

If your SIEM is Microsoft Sentinel, then you likely need to collect Windows security events.
If you’ve never heard of ‘Arc’ then you’re likely collecting Windows logs using the legacy ‘Log Analytics Agent (Microsoft Monitoring Agent)’.
Microsoft recommends using the Azure Arc agent along with the Azure Monitor Agent (AMA), which gets pushed out automatically once it is configured in Arc, Azure Monitor, or Sentinel.

The Arc agent extends the security controls you normally only get on cloud servers to your on-prem servers, and reduces the number of agents an on-prem server needs in order to work with Azure.

A discussion of Arc/CSPM/Azure Policy/Defender for Cloud/Asset Inventory/Attack Surface is out of the scope of this article, but trust me, you want to use Arc for all your on-prem Windows and Linux servers.

Prerequisites for Arc:

  • Local admin access to the on-prem Windows/Linux server
  • Global Admin access to Azure
  • On-prem server must have Internet access or a direct connection to Azure.
  • Sentinel Log Analytics Workspace

ARC agent installation:
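The following is an added example, not a script from the original post: it downloads the Connected Machine agent, installs it, and connects the server to Azure Arc with an interactive sign-in. It is run in an elevated PowerShell session on the on-prem Windows server (the "local admin access" prerequisite above); the resource group, tenant, subscription and region values are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post): install the Azure Connected Machine
# agent (azcmagent) and connect this server to Azure Arc.
# Run as local administrator on the on-prem Windows server.
# <resource-group>, <tenant-id>, <subscription-id> and <azure-region> are placeholders.

$ErrorActionPreference = "Stop"

# Download and silently install the agent MSI, logging the install for troubleshooting.
$installer = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $installer -UseBasicParsing
$msi = Start-Process msiexec.exe `
  -ArgumentList "/i `"$installer`" /l*v `"$env:TEMP\azcmagent-install.log`" /qn" `
  -Wait -PassThru
if ($msi.ExitCode -ne 0) { throw "Agent install failed with exit code $($msi.ExitCode)" }

$azcmagent = "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe"

# Connect the machine to Arc. Without --service-principal-* flags, azcmagent prompts
# for an interactive Azure sign-in, so no credential is left on the server.
& $azcmagent connect `
  --resource-group  "<resource-group>" `
  --tenant-id       "<tenant-id>" `
  --subscription-id "<subscription-id>" `
  --location        "<azure-region>" `
  --cloud           "AzureCloud"
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# Confirm the agent is connected, and check that the Arc endpoints are reachable
# (the Internet / direct-connection prerequisite above).
& $azcmagent show
& $azcmagent check
```

Once `azcmagent show` reports the machine as connected, the server appears as a Microsoft.HybridCompute/machines resource in the chosen resource group and can be targeted by a Data Collection Rule.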

Azure Monitor Agent (AMA) Installation

  • You actually don’t need to install AMA.
  • You configure a ‘Data Collection Rule’ in Sentinel or Azure Monitor with the preferred parameters, and this enables the AMA as an ‘Arc Extension’

Sentinel Connector AMA Setup

  • Since most of the topics in this blog are around Sentinel, that will be the configuration discussed here.
    • You can also configure this in Azure Monitor or in Azure Arc, but the data may not then be as easily accessible in Sentinel (it may be stored in the Events table rather than the SecurityEvents table – see references below)
  • In Sentinel go to: Connectors > “Windows Security Events via AMA”
  • Create a ‘Data Collection Rule (DCR)’:
    • Add your servers
    • Select the ‘Common’ filter – this is the best choice for all of the Security Events.
  • After a few minutes you should see your on-prem security events in the SecurityEvents table.
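The steps above, as an added example that is not part of the original post: it builds the same kind of DCR the Sentinel connector creates, associates it with the Arc-enabled server ("Add your servers"), and then runs the verification query against the workspace. It assumes the Az PowerShell modules (Az.Accounts, Az.OperationalInsights) with an active `Connect-AzAccount` session; the subscription, resource group, workspace and server names are placeholders, and the XPath filter is a constructed three-event subset, not the connector's ‘Common’ set. The stream name is the security-relevant detail: `Microsoft-SecurityEvent` lands in the SecurityEvent table that Sentinel rules query, while a generic Azure Monitor DCR uses `Microsoft-Event` and fills the Event table instead.

```powershell
# Added example (not from the original post): create a DCR for Windows Security
# events, associate it with an Arc-enabled server, and verify ingestion.
# All names and IDs below are placeholders.

$ErrorActionPreference = "Stop"
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspaceName  = "<workspace-name>"
$serverName     = "<server-name>"
$location       = "<azure-region>"   # should match the Sentinel workspace region
$dcrName        = "dcr-windows-security-events"
$apiVersion     = "2022-06-01"

$workspaceId  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"
$arcMachineId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.HybridCompute/machines/$serverName"

# Stream choice decides the destination table:
#   Microsoft-SecurityEvent -> SecurityEvent (Sentinel analytics rules expect this)
#   Microsoft-Event         -> Event (what a plain Azure Monitor DCR produces)
# The XPath is a constructed subset: logon success, logon failure, process creation.
$dcr = @{
  location   = $location
  properties = @{
    dataSources = @{
      windowsEventLogs = @(
        @{
          name         = "securityEvents"
          streams      = @("Microsoft-SecurityEvent")
          xPathQueries = @("Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]")
        }
      )
    }
    destinations = @{
      logAnalytics = @( @{ name = "sentinelWorkspace"; workspaceResourceId = $workspaceId } )
    }
    dataFlows = @( @{ streams = @("Microsoft-SecurityEvent"); destinations = @("sentinelWorkspace") } )
  }
}

$dcrPath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Insights/dataCollectionRules/$dcrName?api-version=$apiVersion"
$dcrResponse = Invoke-AzRestMethod -Path $dcrPath -Method PUT -Payload ($dcr | ConvertTo-Json -Depth 10)
if ($dcrResponse.StatusCode -notin 200, 201) { throw "DCR create failed: $($dcrResponse.Content)" }
$dcrId = ($dcrResponse.Content | ConvertFrom-Json).id

# "Add your servers": the DCR association is what makes Azure push the
# AzureMonitorWindowsAgent extension to the Arc machine; no manual AMA install.
$assocPath = "$arcMachineId/providers/Microsoft.Insights/dataCollectionRuleAssociations/${dcrName}-assoc?api-version=$apiVersion"
$assocBody = @{ properties = @{ dataCollectionRuleId = $dcrId } } | ConvertTo-Json -Depth 5
$assocResponse = Invoke-AzRestMethod -Path $assocPath -Method PUT -Payload $assocBody
if ($assocResponse.StatusCode -notin 200, 201) { throw "DCR association failed: $($assocResponse.Content)" }

# Verify: after a few minutes the server's events should show up in SecurityEvent.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName
$kql = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer =~ "$serverName"
| summarize Events = count() by EventID
| order by Events desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql).Results | Format-Table
```

If the query returns rows from the Event table but nothing in SecurityEvent, the DCR was created with the `Microsoft-Event` stream (typically via Azure Monitor rather than the Sentinel connector), which is the situation the note above warns about.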

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/faq#azure-monitor-agent

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
