Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?

Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?

Hi,

This is a very relevant and increasingly common challenge in fully cloud-native environments, especially with a hybrid or remote workforce and without traditional on-prem infrastructure like AD or WinRM collectors.

A few key points and suggestions based on similar implementations:

1. Microsoft Defender for Endpoint (MDE) + Microsoft 365 Defender + Sentinel Integration:

   • You're correct that MDE and XDR focus on alerts, but it's worth noting that Defender for Endpoint Plan 2 does include richer telemetry and can stream process-level information.

   • You can forward raw event logs from Defender to Microsoft Sentinel via Azure Monitor - Sentinel can serve as a log aggregator.

   • From Sentinel, you can forward logs to Event Hub, and then ingest them into QRadar via the QRadar Event Hub Connector.

2. Use of Azure Monitor + Diagnostic Settings:

   • For broader workstation telemetry, Log Analytics agents (legacy) or Azure Monitor Agent (AMA) can be installed on endpoints.

   • Configure Diagnostic Settings on Windows endpoints (especially if enrolled via Intune) to forward key event channels: Security, System, Application into a Log Analytics workspace.

   • From the workspace, route logs to Event Hub → QRadar.

3. Consider Sysmon as a Lightweight Agent for Raw Logs:

   • Deploy Sysmon via Intune (if you manage devices that way), combined with a log shipper like NXLog or Beats.

   • These agents can send logs over HTTPS to a centralized log service or even directly into a forwarder in AWS (if designed securely).

   • This allows capturing richer logs including process creation, network connections, file writes - essential for forensic use cases.

4. On Network Isolation / Accessibility:

   • Since QRadar is in AWS and not publicly accessible, you can consider deploying a small log ingestion proxy (bastion collector) in a secure subnet that accepts inbound logs over HTTPS (from endpoints globally) and forwards internally to QRadar.

5. Zero Trust Logging Architecture Recommendation:

   • Adopt Zero Trust principles for log collection:

     • Agent-based logging (Sysmon, AMA)

     • Endpoint identity-based authentication for log forwarding

     • No assumption of "trusted" networks - everything should use encryption and verification

A practical and tested route would be:

• Azure Monitor Agent on workstations → Log Analytics Workspace

• Forward to Event Hub → QRadar via Event Hub connector

Augment that with Sysmon (deployed via Intune) if you need richer telemetry not captured by default.

You're right to highlight that relying only on alerts won't be sufficient for compliance and forensics. The goal should be to replicate the fidelity of logs you'd have with WinRM collection - and the above options do get you very close in a cloud-native model.

Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?

Hi Ulf,

Your solution sounds interesting. Could you please provide more information on how it can be implemented?

Am I correct in understanding that the Azure Monitor Agent (AMA) has been tested and adopted for log collection on workstations in your organization (or others)?
From what I understand, AMA is also capable of collecting Sysmon logs. Is it accurate that we can define exactly which log sources to collect from a workstation using this agent?

If so, then its log collection capabilities appear quite similar to using WinRM with a central Windows log collector.

I'm also considering your fourth step - deploying a bastion or event collector in the DMZ that forwards logs to QRadar within a private AWS network.
This approach would also enable comprehensive log collection via WinCollect.

That said, the main questions are: how should this solution be configured securely, and what software can be used to receive logs from WinCollect agents and forward them to QRadar via syslog?

BR

Hi,

This is a very relevant and increasingly common challenge in fully cloud-native environments, especially with a hybrid or remote workforce and without traditional on-prem infrastructure like AD or WinRM collectors.

A few key points and suggestions based on similar implementations:

1. Microsoft Defender for Endpoint (MDE) + Microsoft 365 Defender + Sentinel Integration:

   • You're correct that MDE and XDR focus on alerts, but it's worth noting that Defender for Endpoint Plan 2 does include richer telemetry and can stream process-level information.

   • You can forward raw event logs from Defender to Microsoft Sentinel via Azure Monitor - Sentinel can serve as a log aggregator.

   • From Sentinel, you can forward logs to Event Hub, and then ingest them into QRadar via the QRadar Event Hub Connector.

2. Use of Azure Monitor + Diagnostic Settings:

   • For broader workstation telemetry, Log Analytics agents (legacy) or Azure Monitor Agent (AMA) can be installed on endpoints.

   • Configure Diagnostic Settings on Windows endpoints (especially if enrolled via Intune) to forward key event channels: Security, System, Application into a Log Analytics workspace.

   • From the workspace, route logs to Event Hub → QRadar.

3. Consider Sysmon as a Lightweight Agent for Raw Logs:

   • Deploy Sysmon via Intune (if you manage devices that way), combined with a log shipper like NXLog or Beats.

   • These agents can send logs over HTTPS to a centralized log service or even directly into a forwarder in AWS (if designed securely).

   • This allows capturing richer logs including process creation, network connections, file writes - essential for forensic use cases.

4. On Network Isolation / Accessibility:

   • Since QRadar is in AWS and not publicly accessible, you can consider deploying a small log ingestion proxy (bastion collector) in a secure subnet that accepts inbound logs over HTTPS (from endpoints globally) and forwards internally to QRadar.

5. Zero Trust Logging Architecture Recommendation:

   • Adopt Zero Trust principles for log collection:

     • Agent-based logging (Sysmon, AMA)

     • Endpoint identity-based authentication for log forwarding

     • No assumption of "trusted" networks - everything should use encryption and verification

A practical and tested route would be:

• Azure Monitor Agent on workstations → Log Analytics Workspace

• Forward to Event Hub → QRadar via Event Hub connector

Augment that with Sysmon (deployed via Intune) if you need richer telemetry not captured by default.

You're right to highlight that relying only on alerts won't be sufficient for compliance and forensics. The goal should be to replicate the fidelity of logs you'd have with WinRM collection - and the above options do get you very close in a cloud-native model.

Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?

Hi Ulf,

Your solution sounds interesting. Could you please provide more information on how it can be implemented?

Am I correct in understanding that the Azure Monitor Agent (AMA) has been tested and adopted for log collection on workstations in your organization (or others)?
From what I understand, AMA is also capable of collecting Sysmon logs. Is it accurate that we can define exactly which log sources to collect from a workstation using this agent?

If so, then its log collection capabilities appear quite similar to using WinRM with a central Windows log collector.

I'm also considering your fourth step - deploying a bastion or event collector in the DMZ that forwards logs to QRadar within a private AWS network.
This approach would also enable comprehensive log collection via WinCollect.

That said, the main questions are: how should this solution be configured securely, and what software can be used to receive logs from WinCollect agents and forward them to QRadar via syslog?

BR

Hi,

This is a very relevant and increasingly common challenge in fully cloud-native environments, especially with a hybrid or remote workforce and without traditional on-prem infrastructure like AD or WinRM collectors.

A few key points and suggestions based on similar implementations:

1. Microsoft Defender for Endpoint (MDE) + Microsoft 365 Defender + Sentinel Integration:

   • You're correct that MDE and XDR focus on alerts, but it's worth noting that Defender for Endpoint Plan 2 does include richer telemetry and can stream process-level information.

   • You can forward raw event logs from Defender to Microsoft Sentinel via Azure Monitor - Sentinel can serve as a log aggregator.

   • From Sentinel, you can forward logs to Event Hub, and then ingest them into QRadar via the QRadar Event Hub Connector.

2. Use of Azure Monitor + Diagnostic Settings:

   • For broader workstation telemetry, Log Analytics agents (legacy) or Azure Monitor Agent (AMA) can be installed on endpoints.

   • Configure Diagnostic Settings on Windows endpoints (especially if enrolled via Intune) to forward key event channels: Security, System, Application into a Log Analytics workspace.

   • From the workspace, route logs to Event Hub → QRadar.

3. Consider Sysmon as a Lightweight Agent for Raw Logs:

   • Deploy Sysmon via Intune (if you manage devices that way), combined with a log shipper like NXLog or Beats.

   • These agents can send logs over HTTPS to a centralized log service or even directly into a forwarder in AWS (if designed securely).

   • This allows capturing richer logs including process creation, network connections, file writes - essential for forensic use cases.

4. On Network Isolation / Accessibility:

   • Since QRadar is in AWS and not publicly accessible, you can consider deploying a small log ingestion proxy (bastion collector) in a secure subnet that accepts inbound logs over HTTPS (from endpoints globally) and forwards internally to QRadar.

5. Zero Trust Logging Architecture Recommendation:

   • Adopt Zero Trust principles for log collection:

     • Agent-based logging (Sysmon, AMA)

     • Endpoint identity-based authentication for log forwarding

     • No assumption of "trusted" networks - everything should use encryption and verification

A practical and tested route would be:

• Azure Monitor Agent on workstations → Log Analytics Workspace

• Forward to Event Hub → QRadar via Event Hub connector

Augment that with Sysmon (deployed via Intune) if you need richer telemetry not captured by default.

You're right to highlight that relying only on alerts won't be sufficient for compliance and forensics. The goal should be to replicate the fidelity of logs you'd have with WinRM collection - and the above options do get you very close in a cloud-native model.

Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?

Hi guys,

Maybe someone have experience working with entirely cloud infrastructure, without on-prem servers or Active Directory and log collections from such infrastructure?