From 52007d3f69fa3da8cc8d8511d12aec01f1902c05 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 25 May 2019 12:59:38 +0500 Subject: [PATCH 01/10] Collection of Logs via Azure Monitor I have added a section to collect the logs using Azure Monitor Service. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2376 --- .../collect-wip-audit-event-logs.md | 30 +++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 137f60c277..1f21a222aa 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -163,16 +163,40 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You 2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**. +## Collect WIP audit logs using Azure Monitor +You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) +**To view the WIP events in Azure Monitor** +1. Use existing or create new Log Analytics Workspace. +2. In Log Analytics->Advanced Settings, go to Data, in Windows Event Logs, add logs to receive: +``` +Microsoft-Windows-EDP-Application-Learning/Admin +Microsoft-Windows-EDP-Audit-TCB/Admin +``` +>[!NOTE] +>The Event logs names can be found if using "Windows Events", go to Events folder and go to Properties of the event (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB) +3. Download Microsoft [Monitoring Agent.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation) +4. To get MSI for Intune installation, as stated in Azure Monitor article, please extract: MMASetup-.exe /c /t: +Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. Workspace ID and Primary key info can be received from "Log Analytics->Advanced Settings" +5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1 +>[!NOTE] +>(Replace & received from step 5. In installation parameters, don't place & in quotas "" or '') +6. After agent deployed, data will be received within some 10 minutes. +7. 
To search for logs, go to Log Analytics Workspace->Logs, in search type: Event +***Example*** +``` +Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin" +``` - - - +## Additional resources +- [How to deploy app via Intune](https://docs.microsoft.com/intune/apps-add) +- [How to create Log workspace](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace) +- [How to use Microsoft Monitoring Agents for Windows](https://docs.microsoft.com/azure/azure-monitor/platform/agents-overview) From 1a1b94ff36bf54b6dea106527fcf810186d1d9cd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:16:21 +0500 Subject: [PATCH 02/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md changes commit. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 1f21a222aa..b13fc3c4ca 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
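Review bot: in the PATCH 01/10 hunk, the link under the new "Collect WIP audit logs using Azure Monitor" heading is labelled "Windows event log data sources in Azure Monitor" but its target is this same page (.../windows-information-protection/collect-wip-audit-event-logs), so it should point at the Azure Monitor data-sources article instead. Step 2 and the note beneath it also disagree: the fenced list adds `Microsoft-Windows-EDP-Application-Learning/Admin` and `Microsoft-Windows-EDP-Audit-TCB/Admin`, while the note (and the WEF section above it) send the reader to EDP-Audit-Regular and EDP-Audit-TCB; if the regular audit channel is meant, the list needs `Microsoft-Windows-EDP-Audit-Regular/Admin`, and if Application-Learning is intended the note should name it. Finally, step 5 passes the workspace primary key in OPINSIGHTS_WORKSPACE_KEY on the install command line; a sentence warning that this key is a credential (anyone holding it can write into the workspace) and that it is visible to anyone who can view the Intune app's install command would be worth adding.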
@@ -167,7 +167,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) **To view the WIP events in Azure Monitor** -1. Use existing or create new Log Analytics Workspace. +1. Use an existing or create a new Log Analytics workspace. 2. In Log Analytics->Advanced Settings, go to Data, in Windows Event Logs, add logs to receive: ``` From 7d18ae3a36cfe8c3b3ac866fcf33ae392bf9cf72 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:16:38 +0500 Subject: [PATCH 03/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Meryljoyce Ypil Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index b13fc3c4ca..7d44a1d1a0 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -169,7 +169,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour **To view the WIP events in Azure Monitor** 1. Use an existing or create a new Log Analytics workspace. -2. In Log Analytics->Advanced Settings, go to Data, in Windows Event Logs, add logs to receive: +2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive: ``` Microsoft-Windows-EDP-Application-Learning/Admin Microsoft-Windows-EDP-Audit-TCB/Admin From 1db05383c40f304b3957588b29ccc3b5e6a8619f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:17:01 +0500 Subject: [PATCH 04/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 7d44a1d1a0..e76eb1fc71 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -175,7 +175,7 @@ Microsoft-Windows-EDP-Application-Learning/Admin Microsoft-Windows-EDP-Audit-TCB/Admin ``` >[!NOTE] ->The Event logs names can be found if using "Windows Events", go to Events folder and go to Properties of the event (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB) +>If using Windows Events Logs, the event logs names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB) 3. Download Microsoft [Monitoring Agent.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation) From 2aaa710ee6a1c3f2fd5491c27a64ee7aaaebde40 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:17:16 +0500 Subject: [PATCH 05/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index e76eb1fc71..04b6a2a477 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
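Review bot: the reworded note in this hunk still says "Windows Events Logs", which is not the tool's name; the channel names are read in Event Viewer, so something like "In Event Viewer, the full channel name is shown as Log Name in the event's properties" would be clearer. The note also still directs the reader to EDP-Audit-Regular while the fenced list immediately above it contains only the Application-Learning and Audit-TCB channels, so the mismatch between note and list survives the rewording.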
@@ -179,7 +179,7 @@ Microsoft-Windows-EDP-Audit-TCB/Admin 3. Download Microsoft [Monitoring Agent.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation) -4. To get MSI for Intune installation, as stated in Azure Monitor article, please extract: MMASetup-.exe /c /t: +4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. Workspace ID and Primary key info can be received from "Log Analytics->Advanced Settings" 5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1 From 2d9890412532dbf20e8ebe26066d3603cf192278 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:17:31 +0500 Subject: [PATCH 06/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 04b6a2a477..d2432e3fbc 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
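Review bot: the step 4 command in this hunk is still missing its arguments: `MMASetup-.exe /c /t:` has lost the platform suffix after the hyphen (for example AMD64) and the extraction directory after /t:, almost certainly because angle-bracket placeholders were swallowed as HTML tags when the Markdown rendered. Put the command in backticks so the placeholders survive, e.g. `MMASetup-<platform>.exe /c /t:<path>` (placeholder names suggested here). The same fix is needed in the step 5 context line, where OPINSIGHTS_WORKSPACE_ID= and OPINSIGHTS_WORKSPACE_KEY= end in empty values for the same reason.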
@@ -180,7 +180,7 @@ Microsoft-Windows-EDP-Audit-TCB/Admin 3. Download Microsoft [Monitoring Agent.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation) 4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: -Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. Workspace ID and Primary key info can be received from "Log Analytics->Advanced Settings" +Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**. 5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1 From a8729380df411670933078e2ce7a567b0a91c110 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:17:54 +0500 Subject: [PATCH 07/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index d2432e3fbc..257a4cef1c 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
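Review bot: the rewording in this hunk changes the meaning of the step 4 sentence. The removed line said the Workspace ID and Primary key themselves can be obtained from Log Analytics > Advanced Settings; the added line says "More information on Workspace ID and Primary key can be found" there, which reads as a pointer to documentation rather than to the values the install command in step 5 needs. Suggest: "The Workspace ID and Primary key are shown in **Log Analytics** > **Advanced Settings**."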
@@ -185,7 +185,7 @@ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary 5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1 >[!NOTE] ->(Replace & received from step 5. In installation parameters, don't place & in quotas "" or '') +>Replace & received from step 5. In installation parameters, don't place & in quotes ("" or ''). 6. After agent deployed, data will be received within some 10 minutes. From 527387d16b1c95c915e571c56654573bbf5d7155 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:20:24 +0500 Subject: [PATCH 08/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 257a4cef1c..fdaf7c6a9f 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
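Review bot: the note rewritten in this hunk still does not say what to replace. "Replace & received from step 5" lost its two angle-bracket placeholders to HTML rendering, leaving a bare ampersand, and the cross-reference is wrong: the note sits under step 5, and the Workspace ID and Primary key are introduced in step 4. Suggest: "Replace `<WorkspaceID>` and `<WorkspaceKey>` (names chosen here) with the values obtained in step 4, and don't wrap them in quotes ("" or '')."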
@@ -187,7 +187,7 @@ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary >[!NOTE] >Replace & received from step 5. In installation parameters, don't place & in quotes ("" or ''). -6. After agent deployed, data will be received within some 10 minutes. +6. After the agent is deployed, data will be received within approximately 10 minutes. 7. To search for logs, go to Log Analytics Workspace->Logs, in search type: Event From 71d1c8265a8627627937923ecaa06e86662f7ea2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 27 May 2019 23:21:11 +0500 Subject: [PATCH 09/10] Update windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md Changes applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../collect-wip-audit-event-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index fdaf7c6a9f..cad9316e72 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -189,7 +189,7 @@ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary 6. After the agent is deployed, data will be received within approximately 10 minutes. -7. To search for logs, go to Log Analytics Workspace->Logs, in search type: Event +7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search. ***Example*** ``` From 409781af37c31bd1b389803b5cace1fa71811384 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Tue, 28 May 2019 09:49:52 -0700 Subject: [PATCH 10/10] Update collect-wip-audit-event-logs.md --- .../collect-wip-audit-event-logs.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index cad9316e72..6648747efc 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -170,14 +170,15 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour 1. Use an existing or create a new Log Analytics workspace. 2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive: -``` -Microsoft-Windows-EDP-Application-Learning/Admin -Microsoft-Windows-EDP-Audit-TCB/Admin -``` ->[!NOTE] ->If using Windows Events Logs, the event logs names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB) -3. Download Microsoft [Monitoring Agent.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation) + ``` + Microsoft-Windows-EDP-Application-Learning/Admin + Microsoft-Windows-EDP-Audit-TCB/Admin + ``` + >[!NOTE] + >If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB). + +3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation). 4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
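Review bot: the indentation fix in this hunk stops at step 2; the step 4 continuation line "Install Microsoft Monitoring Agent to WIP devices..." in the trailing context is still unindented, which ends the numbered list in Markdown so the remaining steps render as a separate list. Indent it by the same three spaces as the fenced block and note above. The note text also still says "Windows Events Logs" where "Event Viewer" is meant.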