How can I collect Security Event Logs from a windows-based Azure VM and create an alert on top of them?

Server Fault Asked on December 11, 2021

The following is more of an academic question. I don’t think there is much of practical value in it, as there are better out-of-the-box solutions to it.

Question

How can I collect the Security Events from a Windows-based Azure Virtual Machine and create an alert on top of them, so that an email is sent out if there are more than, let's say, 30 Security Events per minute?

Take 1

  • Create a Log Analytics workspace
  • Add a virtual machine as data source (Workspace Data Sources > Virtual machines)
  • Configure data that should be collected (Advanced Settings > Data > Windows Event Logs)

This however doesn’t allow me to add Security Events (only Application and System events).

‘Security’ event log cannot be collected by this intelligence pack
because Audit Success and Audit Failure event types are not currently
supported.

Take 2

  • From the VM itself enable Diagnostic settings and from "Logs" ensure "Audit Success" and "Audit failure" are selected.
  • Enable "Azure Monitor" under data sink

When querying now for something like Event or Event | where ComputerName == "vm1", no results are returned. It seems that this approach only sends metrics and not logs to Azure Monitor.


Edit

Okay here is what I have found out so far.

With the use of VM Diagnostic settings, one could write the security events to a storage account table and then later use a Log Analytics Workspace and add the storage account as a source.

This however still doesn’t give the ability to query the events. At least for me the Events table was always empty. It seems the data would need transformation first, through an Azure Solution. However, I couldn’t find one that transforms Windows events.

To collect and react on Security Event Logs coming from Windows, the go-to solution would be Azure Security Center. Still don’t know though how to create an alert based on that… so confusing.

One Answer

I assume you found your answer but for those who don't know:

(and yes I agree it's confusing as Microsoft has links to several locations where this can be done and they've moved the configuration menus. IMO they should hide the non-typical settings or label them 'advanced')

Go to your Log Analytics Workspace.
Open 'Agents Management'.
Download and install the Windows agent.
That's it, now you're collecting all of the security relevant windows events.

Tip: you DON'T need to go into the log analytics advanced section and configure any additional event log types for windows unless you're doing something outside of the typical collection of Event ID related logs.

To see the events run this query:

SecurityEvent

Or if you want something time-relevant:

SecurityEvent
| where TimeGenerated > ago(24h)
| limit 10

Answered by broglock on December 11, 2021
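The question also asked for an alert when a VM produces more than 30 Security Events per minute. The following Kusto query is an added example, not part of the answer above: it bins the SecurityEvent table collected by the agent into one-minute buckets and returns only the minutes over the threshold, so it can be used as the query of an Azure Monitor scheduled query alert (evaluated every minute, firing when the number of results is greater than 0, with an email action group attached). The computer name "vm1" is taken from the question; the one-hour lookback is an assumption.

```kusto
// Added example: per-minute Security Event volume for one VM, suitable as a
// scheduled query alert rule. Assumes the Log Analytics agent from the answer
// is installed, so SecurityEvent is populated.
let threshold = 30;              // threshold from the question: 30 events per minute
let lookback = 1h;               // assumed evaluation window for the alert rule
SecurityEvent
| where TimeGenerated > ago(lookback)
| where Computer == "vm1"        // computer name used in the question
| summarize EventCount = count(),
            DistinctEventIDs = dcount(EventID)
          by Computer, bin(TimeGenerated, 1m)
| where EventCount > threshold   // keep only the minutes that breach the threshold
| project TimeGenerated, Computer, EventCount, DistinctEventIDs
| order by TimeGenerated desc
```

Running the query by itself in the workspace shows which minutes would have fired; remove the Computer filter to evaluate every machine reporting to the workspace.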
