Hello paulberg,
Thank you for your article.
I am currently testing Windows events ingestion into Sentinel and have a few questions.
There is an on-premises test server connected to Azure Arc and the Sentinel LAW (there is a regular, stable heartbeat), and a Data Collection Rule is configured (to forward all events). The connector status in Sentinel appears as connected.
But unfortunately, no events are reaching the Sentinel LAW.
From the article, I see that a Windows Event Collector (WEC) server can be used to forward events from multiple servers. But what if I would like to send events directly from each server without using a WEC? Should I still create a subscription and forward events to a WEC server?
Update: I found the second connector, "Windows Security Events via AMA" (I had tried to use "Windows Forwarded Events (Preview)"). I assume it should be used to connect standalone servers.