Hello Ciyaresh, as skochavi noted, yes, you can do this using an ingestion-time transformation in your DCR.
Here is a step-by-step guide describing the entire process: Collect Windows Firewall Logs and Windows Security logs to Microsoft Sentinel.
And here is the DCR you want, which transforms the collected logs and sends them to the "SecurityEvent" table. This DCR should be associated with the WEF server(s) deployed with Azure Arc/AMA.
```json
"dataSources": {
  "windowsEventLogs": [
    {
      "streams": [
        "Microsoft-SecurityEvent"
      ],
      "xPathQueries": [
        "ForwardedEvents!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4672 or EventID=4775 or EventID=4777)]]"
      ],
      "name": "SecurityEventsDataSource"
    }
  ]
},
"dataFlows": [
  {
    "streams": [
      "Microsoft-SecurityEvent"
    ],
    "destinations": [
      "la-1107757644"
    ],
    "transformKql": "source | where SubjectUserSid !in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20')",
    "outputStream": "Microsoft-SecurityEvent"
  }
]
```
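The fragment above is only the `dataSources` and `dataFlows` part of a DCR: the destination name `la-1107757644` has to match an entry under `destinations.logAnalytics`, which the fragment omits. The following is an added example, not the answer author's code or a Microsoft sample. It assembles a complete DCR body around the same XPath filter and `transformKql`, then dry-runs both filter stages over a handful of constructed Security events so you can see which rows would actually land in `SecurityEvent`. The workspace resource ID, `location`, and the sample events are assumptions; `dry_run` only understands the exact query shapes that `build_dcr` emits (an EventID list in the XPath and a `SubjectUserSid !in (...)` clause in the KQL), it is not a general XPath or KQL evaluator.

```python
"""Added example (not the answer author's code): assemble a complete DCR body
around the fragment from the answer and dry-run its two filters over
constructed Windows Security events, so you can see which rows reach the
SecurityEvent table before deploying the rule."""
import json
import re

# Constructed placeholders (assumptions); substitute your own IDs and region.
WORKSPACE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
    "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
)
LOCATION = "eastus"

STREAM = "Microsoft-SecurityEvent"
DESTINATION = "la-1107757644"   # destination name used in the answer's fragment
EVENT_IDS = [4624, 4625, 4688, 4672, 4775, 4777]
EXCLUDED_SIDS = ["S-1-5-18", "S-1-5-19", "S-1-5-20"]  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


def build_dcr(workspace_resource_id, event_ids, excluded_sids,
              location=LOCATION, destination=DESTINATION):
    """Return the full DCR resource body. Unlike the fragment in the answer it
    also carries the destinations block that the dataFlows entry refers to."""
    xpath = "ForwardedEvents!*[System[(" + " or ".join(
        f"EventID={e}" for e in event_ids) + ")]]"
    sid_list = ", ".join(f"'{s}'" for s in excluded_sids)
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "streams": [STREAM],
                    "xPathQueries": [xpath],
                    "name": "SecurityEventsDataSource",
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "workspaceResourceId": workspace_resource_id,
                    "name": destination,
                }]
            },
            "dataFlows": [{
                "streams": [STREAM],
                "destinations": [destination],
                "transformKql": f"source | where SubjectUserSid !in ({sid_list})",
                "outputStream": STREAM,
            }],
        },
    }


EVENT_ID_RE = re.compile(r"EventID=(\d+)")
SID_RE = re.compile(r"'(S-[0-9-]+)'")


def dry_run(dcr, events):
    """Simulate the two filter stages for the exact query shapes build_dcr
    emits: the XPath EventID list (applied by AMA on the WEF server) and the
    SubjectUserSid exclusion in transformKql (applied at ingestion).
    Returns (kept, dropped_by_xpath, dropped_by_transform)."""
    props = dcr["properties"]
    xpath = props["dataSources"]["windowsEventLogs"][0]["xPathQueries"][0]
    kql = props["dataFlows"][0]["transformKql"]
    wanted_ids = {int(m) for m in EVENT_ID_RE.findall(xpath)}
    excluded_sids = set(SID_RE.findall(kql))
    kept, by_xpath, by_transform = [], [], []
    for ev in events:
        if ev["EventID"] not in wanted_ids:
            by_xpath.append(ev)
        elif ev["SubjectUserSid"] in excluded_sids:  # KQL !in is case-sensitive; SIDs are canonical
            by_transform.append(ev)
        else:
            kept.append(ev)
    return kept, by_xpath, by_transform


# Constructed sample rows (not real log data), shaped like SecurityEvent columns.
# Note that in 4624 the Subject is the account that requested the logon and the
# logged-on user is the Target; interactive logons are requested by SYSTEM.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserSid": "S-1-5-18", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001"},  # interactive logon
    {"EventID": 4624, "SubjectUserSid": "S-1-0-0", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001"},   # network logon
    {"EventID": 4672, "SubjectUserSid": "S-1-5-18", "TargetUserSid": ""},                              # SYSTEM privileges
    {"EventID": 4688, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "TargetUserSid": ""},          # user process
    {"EventID": 4688, "SubjectUserSid": "S-1-5-20", "TargetUserSid": ""},                              # NETWORK SERVICE process
    {"EventID": 4702, "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001", "TargetUserSid": ""},          # not in XPath list
]

if __name__ == "__main__":
    dcr = build_dcr(WORKSPACE_RESOURCE_ID, EVENT_IDS, EXCLUDED_SIDS)
    print(json.dumps(dcr, indent=2))  # body to submit as the DCR resource
    kept, by_xpath, by_transform = dry_run(dcr, SAMPLE_EVENTS)
    print(f"kept={len(kept)} dropped_by_xpath={len(by_xpath)} dropped_by_transform={len(by_transform)}")
```

Run the dry run against a sample of your own forwarded events before deploying: in event 4624 the `Subject` fields identify the process that requested the logon (SYSTEM for most interactive logons, the NULL SID for network logons) and the user is in `TargetUserSid`, so excluding `S-1-5-18` on `SubjectUserSid` drops interactive logon events along with the noisy SYSTEM rows for 4672 and 4688. If the goal is to keep user logons, filter on `TargetUserSid` for 4624/4625 and on `SubjectUserSid` for 4688/4672, for example with a `where` clause that branches on `EventID`.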