SOLVED

WEF forwarding to Azure Security Centre / Log Analytics


Hello - I am hoping this is possible and a viable option.

I currently use Windows Event Forwarding (WEF) with Winlogbeat sending events off to Elasticsearch. Epic, this works great, why would I change this, right?

  • Well, I want to use Azure Log Analytics for my search platform, because I enjoy KustoQL
  • I want to use the Azure Security Centre and Sentinel.
  • I already have Office365 Sign-in, Audit and Mailbox logs in Azure Log Analytics.

Is it possible to simply stick the OMS agent on my WEC/WEF server and send events into my Log Analytics workspace?

If not, what is the best practice (and MS solution) for Windows Event Management and Analysis?

18 Replies
Hi,

WEF isn’t supported at the moment.
A possible workaround is to write a custom PowerShell event handler and send the information periodically to Log Analytics.

I’ve created a similar solution for a NetApp filer in the past.

Regards,
Hannes
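A sketch of the workaround Hannes describes, added here as an example and not code from the thread: a script run on the WEC server by a scheduled task that reads recent events from the ForwardedEvents channel and posts them to the workspace through the Log Analytics HTTP Data Collector API (SharedKey-signed POST to `/api/logs`). Assumptions: the workspace ID and primary key are passed in as parameters, and the custom table name `WEFEvents` is a placeholder; note that Microsoft has since marked the Data Collector API as legacy in favour of the Logs Ingestion API, so treat this as the interim approach the post describes.

```powershell
# Assumed: runs on the WEC server under a scheduled task; keep the shared key out of the script.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$SharedKey,
    [string]$LogType = 'WEFEvents',   # placeholder; lands as the WEFEvents_CL custom table
    [int]$LookbackMinutes = 5         # match this to the scheduled task interval
)

# SharedKey authorization header for the HTTP Data Collector API:
# HMAC-SHA256 over the canonical request string, keyed with the decoded workspace key.
function New-Signature {
    param([string]$Date, [int]$ContentLength)
    $stringToHash = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToHash))
    return "SharedKey ${WorkspaceId}:$([Convert]::ToBase64String($hash))"
}

function Send-ToLogAnalytics {
    param([string]$JsonBody)
    $body = [Text.Encoding]::UTF8.GetBytes($JsonBody)
    $date = [DateTime]::UtcNow.ToString('r')   # RFC 1123, as the API requires
    $headers = @{
        'Authorization'        = New-Signature -Date $date -ContentLength $body.Length
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeCreated'  # use the event time, not ingestion time
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body
}

# Events forwarded by WEF subscriptions are stored in the collector's ForwardedEvents log.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { return }

# Keep a compact, query-friendly subset of fields for KQL.
$records = @($events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated  = $_.TimeCreated.ToUniversalTime().ToString('o')
        Computer     = $_.MachineName
        Channel      = $_.LogName        # original channel, e.g. Security; ContainerLog is ForwardedEvents
        EventID      = $_.Id
        Provider     = $_.ProviderName
        Level        = $_.LevelDisplayName
        Message      = $_.Message
    }
})

# Send in batches so a busy interval stays well under the API's per-request size limit.
for ($i = 0; $i -lt $records.Count; $i += 500) {
    $batch = $records[$i..([Math]::Min($i + 499, $records.Count - 1))]
    Send-ToLogAnalytics -JsonBody (ConvertTo-Json -InputObject @($batch) -Depth 3 -Compress)
}
```

Because the script only looks back a fixed window, an interval longer than `LookbackMinutes` between runs silently drops events; persisting the last processed RecordId is the usual fix.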
best response confirmed by Andrew Huddleston (Frequent Contributor)
Solution

@Andrew Huddleston

WEF support is currently in preview and still has some limitations. Contact me directly if you would like to join, and we can discuss whether the current support would work for you.

As an alternative, you can continue to use CEF and winlogbeat and connect it to Sentinel using Logstash and the Logstash Log Analytics output plugin.

~ Ofer

@Andrew Huddleston

Hey Andrew

Did you get a response from Microsoft on this? I'm looking at a similar scenario and I'd like to get access to the WEF connector also.

I did reach out to @Ofer_Shezaf but I'm yet to hear back.

Thanks

Danny

Hi Danny: sorry, missed your message. Can you send me an e-mail to discuss the private preview (ofer.shezaf@microsoft.com)

@Ofer_Shezaf No worries - will do

Many Thanks!

@Ofer_Shezaf is this WEF preview still available/accessible? I'm looking at forwarding our current WEF setup to Azure Sentinel for easier analysis and came across this post when trying to configure the setup.

Yes @SimonR . I will send you a personal message to discuss.

@Ofer_Shezaf Hi, is there any update on this WEF integration?

Hi, Any news on the WEF support? Can you please add to the private discussion?

Best regards
Bjørn Andre

@Bjørn André Kaland : if you want to look into the private preview, send me an e-mail to ofer dot shezaf at microsoft dot com 

Also interested in the private preview for WEF collection.  @Ofer_Shezaf 

@otuser810: we now have a more structured process in place. Please join our private preview program at https://aka.ms/SecurityPrP  

@Ofer_Shezaf also interested, any updates? Johannes

Hi @Ofer_Shezaf, what is the current status of it?

@AdamPRD : We have decided to move ahead with the Azure Monitor Agent (AMA) version, and the current Log Analytics Agent (MMA) version will not become public.

@Ofer_Shezaf the AMA is supposed to replace your 3 current agents, right? Reading security events is also a functionality of the new product. Can we expect the desired functionality: Forwarding events to LAW/Sentinel that are stored under 'ForwardedEvents' with the AMA?

I am not sure about the complete plans for the AMA. I focus on the Security use cases. Specifically for WEF, yet, as stated above, it would be supported by the AMA.

Hi,

'Twas Jun 01 2019 when I first asked the question; how are we going, MS, with the WEF support for AMA?