Hi Fabian,
Welcome to Microsoft Q&A Forum, thank you for posting your query here!
For how to configure Security Events collection with Azure Monitor Agent, please refer to the link below, which has more information.
If the above link doesn't help you, please try to follow the below steps.
If the Azure Monitor Agent (AMA) isn't capturing specific Security Events like EventID 4672, despite being deployed and configured, this could be due to a few possible issues in the data collection configuration, agent permissions, or limitations with the agent. Here’s a targeted troubleshooting guide:
- Confirm Event ID Collection in Data Collection Rules (DCR)
  - Verify Explicit Inclusion of EventID 4672: In your DCR settings, confirm that EventID 4672 (and any other missing Event IDs) are explicitly listed. By default, not all Security Events may be captured, so you must specify each relevant Event ID if you're targeting specific types.
  - Review DCR Target Scope: Make sure the DCR scope applies to the correct machines or resource group. Double-check that the DCR is indeed linked to the servers in question to ensure proper data flow.
- Check Permissions for Accessing Security Logs
  - Security Log Read Permissions: The AMA must have adequate permissions to access the Security event logs. If permissions are restricted, AMA may miss certain events. Verify that the assigned permissions for AMA include read access to the Security logs, which can be set up in the following way:
    - Assign the Log Analytics Contributor role or ensure equivalent permissions.
    - If needed, configure an additional Log Analytics Reader or a custom role if only specific permissions are desired.
- Validate Event Generation on the Server
  - Test Event Generation for EventID 4672: Manually create a Security Event with EventID 4672 on one of the target servers to ensure the event is logged locally. This can be done using PowerShell or through actions that typically trigger EventID 4672 (privileged logon events).
  - Confirm Local Event Logs: After triggering, check that EventID 4672 appears in the server's local Event Viewer under Security logs. If the event doesn't appear, it could indicate an issue with the event source rather than the agent.
- Run Targeted Queries in Log Analytics Workspace
  - Query for Security Events: In your Log Analytics Workspace, run a direct query to look for the specific EventID:
```kusto
SecurityEvent
| where EventID == 4672   // EventID is an integer column, so compare against a number rather than a string
| take 10
```
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.
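Added example (not part of the answer above and not Microsoft's code): a PowerShell script that ties the "Confirm Event ID Collection in DCR" and "Validate Event Generation on the Server" steps together. A DCR's `xPathQueries` entries for Windows event logs use the same XPath form as the Windows Event Log API, prefixed with the channel name (for example `Security!*[System[(EventID=4672)]]`), so the same filter can be run locally with `Get-WinEvent -FilterXPath` to confirm the events the DCR asks for actually exist in the local Security log. It assumes an elevated PowerShell session on one of the target servers; the `$EventIds` and `$Hours` values are placeholders to adjust.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell session
# on one of the target Windows servers (reading the Security log requires admin rights).
$EventIds = @(4672)   # assumed: the Event IDs the DCR is expected to collect
$Hours    = 24        # assumed: look-back window for the local check

# 1. Build the XPath once, in the same form a DCR's xPathQueries entry uses
#    (the DCR form adds the channel prefix, e.g. "Security!*[System[(EventID=4672)]]").
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$xPath    = "*[System[($idClause)]]"
"Local XPath under test     : $xPath"
"DCR xPathQueries equivalent: Security!$xPath"

# 2. Confirm the events exist in the local Security log within the window.
#    Get-WinEvent reports a non-terminating error when nothing matches, hence SilentlyContinue.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -LogName Security -FilterXPath $xPath -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -ge $since }

if (-not $events) {
    "No matching events in the local Security log in the last $Hours h; the gap is upstream of the agent (audit policy or event source), not the DCR."
} else {
    $events | Group-Object Id | ForEach-Object {
        $newest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        "{0} local event(s) with EventID {1}, newest at {2}" -f $_.Count, $_.Name, $newest
    }
}

# 3. Confirm the Azure Monitor Agent service is running; a stopped agent explains a gap
#    even when both the DCR and the local log are correct.
Get-Service -Name AzureMonitorAgent -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If step 2 prints matching events and step 3 shows the service running, but the workspace query in the answer still returns nothing, the remaining suspects are the DCR association (is this machine actually a resource of the DCR?) and the DCR's `xPathQueries` content, which should contain the `Security!...` string echoed by step 1 or a broader filter that covers it.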