Failed to resolve table or column expression named 'SecurityEvent'
I am trying to find security events from Azure log analytics. But its not taking the SecurityEvent keyword. It give the error "Failed to resolve table or column expression named 'SecurityEvent'".
// Accounts Failed to Logon
// Counts failed logons by target account.
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount
Thanks
As Oleh Tarasenko suggested , if you need security events then they need to be enabled from Security Center.
Kindly note security events are collected from windows machines by Azure Security Center or Azure Sentinel. However, Azure Monitor agent does not support solutions and insights such as VM insights and Azure Security Center as of now. The only scenario currently supported is collecting data using the data collection rules that you configure.
You can use AMA to natively collect Security Events, same as other Windows Events. These flow to the 'Event' table in your Log Analytics workspace.
If you have Sentinel enabled on the workspace, the Security Events flow via AMA into the 'SecurityEvent' table instead (same as using Log Analytics Agent). This will always require the solution to be enabled first.
For your reference , availability of solutions for AMA.
Set up the Windows Security Events connector in Azure Sentinel
To collect your Windows security events in Azure Sentinel:
From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Security Events, and then on the Open connector page button on the lower right. Then follow the on-screen instructions under the Instructions tab, as described through the rest of this section.
Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.
Download and install the Log Analytics agent (also known as the Microsoft Monitoring Agent or MMA) on the machines for which you want to stream security events into Azure Sentinel.For Azure Virtual Machines:
- Click on Install agent on Azure Windows Virtual Machine, and then on the link that appears below.
- For each virtual machine that you want to connect, click on its name in the list that appears on the right, and then click Connect.
For non-Azure Windows machines (physical, virtual on-prem, or virtual in another cloud):
Click on Install agent on non-Azure Windows Machine, and then on the link that appears below.
Click on the appropriate download links that appear on the right, under Windows Computers.
Using the downloaded executable file, install the agent on the Windows systems of your choice, and configure it using the Workspace ID and Keys that appear below the download links mentioned above.
For additional installation options and further details, see the Log Analytics agent documentation.
Select which event set (All, Common, or Minimal) you want to stream.
Click Update.
To use the relevant schema in Log Analytics for Windows security events, type SecurityEvent in the query window.
Validate Connectivity
It may take around 20 minutes until your logs start to appear in Log Analytics.
Full documentation : Connect Windows security event data to Azure Sentinel | Microsoft Docs
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud you can refer this documentation to enable security events to azure security center.
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search