Azure Security Data Event Collection

This blog focuses on which Azure security service is authoritative for managing the event collection settings.

The two ways of selecting security events in Azure are Security Center and Azure Sentinel. What I discovered was that event collection can be managed from either the Sentinel or the Security Center settings, and the chosen authoritative service is then responsible for managing the event collection settings for the other.

If you open Security Center and Data collection is grayed out, this indicates that the Security Events tier configuration is shared with “Azure Sentinel” and was already configured there to “Desired Event Tier” for the selected workspace. To see the setting, browse to Azure Sentinel, open Data Connectors, search for Security Events, and then open the “Connector page”.

Once in the Connector page, you will see the event collection settings under Configuration.

One thing to note: if you have configured Security Center to control event collection, you will find the below warning within Azure Sentinel!

Should you wish to change the authoritative event collection service, you must first set the current event collection to None. This will then enable you to choose which Azure security service you want to control your event collection data.