SOLVED

Adding Windows Srecurity Logs into Azure sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-2821473%22%20slang%3D%22en-US%22%3EAdding%20Windows%20Srecurity%20Logs%20into%20Azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2821473%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20wanted%20to%20add%20a%20the%20windows%20security%20log%20into%20ingestion%20but%20it%20cannot%20be%20done%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PawelB1645_0-1633599072795.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F315846iBBAD4A7CAE63BF49%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22PawelB1645_0-1633599072795.png%22%20alt%3D%22PawelB1645_0-1633599072795.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3Ealthough%2C%20no%20security%20events%20are%20sent%20into%20my%20sentinel%20by%20default%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PawelB1645_1-1633599123075.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F315847iF7DC142F42F85BB6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22PawelB1645_1-1633599123075.png%22%20alt%3D%22PawelB1645_1-1633599123075.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PawelB1645_2-1633599196282.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F315849i9A0E09B3B85427F0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22PawelB1645_2-1633599196282.png%22%20alt%3D%22PawelB1645_2-1633599196282.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThe%20events%20with%20the%20ID%204625%20are%20of%20course%20created%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PawelB1645_3-1633599261780.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F315850i5AE3D9E256098AEA%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22PawelB1645_3-1633599261780.png%22%20alt%3D%22PawelB1645_3-1633599261780.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20could%20I%20do%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2821784%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20Windows%20Srecurity%20Logs%20into%20Azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2821784%22%20slang%3D%22en-US%22%3ESecurity%20Logs%20are%20collected%20via%20a%20different%20route%2C%20see%20the%20%22Security%20Events%22%20data%20connector%2C%20in%20the%20Sentinel%20portal%2C%20or%20%22Windows%20Security%20Events%20(Preview).%20These%20specific%20logs%20are%20then%20written%20to%20the%20SecuityEvent%20table%2C%20rather%20than%20the%20Events%20table.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

I wanted to add a the windows security log into ingestion but it cannot be done:

PawelB1645_0-1633599072795.png

although, no security events are sent into my sentinel by default:

 

PawelB1645_1-1633599123075.png

PawelB1645_2-1633599196282.png

The events with the ID 4625 are of course created:

PawelB1645_3-1633599261780.png

 

What could I do?

 

Best regards

2 Replies
best response confirmed by PawelB1645 (Occasional Contributor)
Solution
Security Logs are collected via a different route, see the "Security Events" data connector, in the Sentinel portal, or "Windows Security Events (Preview). These specific logs are then written to the SecuityEvent table, rather than the Events table.

@Clive Watson 

Thank you. I had the the security Windows security Events(preview) conector instead of the SecurityEvents