Ask Downloads
Domain 1 β€” Module 2 of 12 17%
2 of 28 overall
Domain 1: Manage a Security Operations Environment Free ⏱ ~13 min read

Get Windows Events Into Sentinel

Windows security events are the bread and butter of any SOC. Learn how to select the right data connectors, configure Windows Security Events via AMA with data collection rules, and plan Windows Event Forwarding for legacy environments.

Why Windows events come first

Simple explanation

Imagine a building with 10,000 employees and 500 security cameras.

Before you can investigate a break-in, those cameras need to be recording and sending footage to the control room. No footage = no investigation.

Windows security events are your cameras. Every login, failed password attempt, privilege escalation, process launch, and file access generates an event. Getting these events into Sentinel is the first step in any SOC β€” without them, your analytics rules have nothing to detect and your hunters have nothing to query.

There are two main ways to get Windows events into Sentinel: AMA (the modern agent) and WEF (the legacy forwarding method).

Choosing the right connector

Not all data connectors are equal. The exam tests whether you can select the right connector based on the data source requirements.

Data SourceRecommended ConnectorWhy
Azure VMs (Windows)Windows Security Events via AMADirect agent-based collection with DCR filtering
On-premises Windows serversWindows Security Events via AMA (with Azure Arc)Arc extends AMA to non-Azure machines
Large on-prem estate with existing WEFWindows Event Forwarding + AMA on collectorCentralise events first, then forward to Sentinel
Microsoft Defender for Endpoint devicesXDR connector (built-in)Device events flow through Defender XDR automatically
Azure platform logsDiagnostic settingsNot Windows events β€” covered in the next module
Exam tip: the legacy MMA connector

The older Microsoft Monitoring Agent (MMA) connector still appears in some documentation. It is deprecated. The exam expects you to recommend AMA for new deployments.

If a question mentions β€œan organisation is migrating from MMA to the current recommended agent,” the answer is Azure Monitor Agent (AMA).

Windows Security Events via AMA

The Azure Monitor Agent (AMA) is the modern, recommended way to collect Windows events. It uses Data Collection Rules (DCRs) to control exactly what gets sent to Sentinel.

How it works

  1. Install AMA on the Windows machine (Azure VMs get it automatically; on-prem machines need Azure Arc)
  2. Create a Data Collection Rule that specifies which event IDs or categories to collect
  3. Associate the DCR with the target machines
  4. Events flow from the machine β†’ AMA β†’ Log Analytics workspace β†’ Sentinel

Data collection rule filtering

DCRs let you filter events at the source β€” before they even leave the machine. This saves ingestion costs and reduces noise.

PresetWhat It CollectsEvents per Day (approx.)
MinimalCritical security events only (failed logins, privilege escalation)Low
CommonMost security-relevant events (logins, logoffs, account management, policy changes)Medium
All EventsEvery event from the Security logHigh (can be very noisy)
Custom (XPath)Specific Event IDs you define using XPath queriesYou control
Scenario: Anika's DCR strategy for 40 clients

Anika at Sentinel Shield manages ingestion for 40 MSSP clients. She cannot send β€œAll Events” for every client β€” the cost would be astronomical.

Her DCR strategy:

  • All clients get β€œCommon” as the baseline β€” covers authentication, account changes, and policy modifications
  • Financial services clients get a custom DCR adding Event ID 4688 (process creation) for threat hunting
  • Healthcare clients get a custom DCR adding object access events for PHI compliance
  • Small businesses get β€œMinimal” β€” just failed logins and privilege escalation

Each client’s DCR is associated with their specific machines via Azure Arc. One machine can only be associated with one DCR for a given data type.

Custom XPath filtering

For precise control, you write XPath queries in the DCR to select specific Event IDs:

Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]

This collects only:

  • 4624 β€” successful logon
  • 4625 β€” failed logon
  • 4672 β€” special privileges assigned
  • 4688 β€” new process created

Everything else stays on the machine.

Windows Event Forwarding (WEF)

WEF is Microsoft’s built-in mechanism for centralising Windows events before they reach Sentinel. It uses a collector server that pulls events from source machines.

When to use WEF

  • Large on-premises environments with thousands of servers where installing AMA on every machine is impractical
  • Environments that already have a WEF infrastructure in place
  • Scenarios requiring event aggregation before cloud ingestion (reduces direct internet connections)

WEF architecture

Source machines β†’ push events β†’ WEF Collector β†’ AMA on collector β†’ Sentinel

The collector server runs the Windows Event Collector (WEC) service and has AMA installed. Source machines push events to the collector using subscriptions configured via Group Policy.

AMA direct is simpler; WEF is better for large on-prem environments
FeatureAMA (Direct)WEF + AMA (via Collector)
Agent required on each machineYes β€” AMA on every sourceNo β€” only AMA on the collector
FilteringDCR-based (XPath) at sourceWEF subscription filters + DCR on collector
Best forAzure VMs, Arc-connected on-prem, smaller environmentsLarge on-prem estates, air-gapped networks, existing WEF setups
LatencyNear real-time (seconds)Slightly higher (depends on WEF subscription interval)
ManagementAzure Policy can auto-deploy AMA + DCRGroup Policy manages WEF subscriptions
Recommended by MicrosoftYes β€” preferred for new deploymentsYes β€” for large-scale on-prem with existing WEF
Exam tip: WEF is NOT deprecated

Unlike MMA, WEF is still a supported and recommended approach for specific scenarios. The exam may present a scenario with 5,000 on-premises servers and ask the best approach. If AMA on every machine is impractical, WEF + AMA on a collector is the answer.

Question

What is a Data Collection Rule (DCR) and why does it matter?

Click or press Enter to reveal answer

Answer

A DCR defines which events to collect from a source machine using the Azure Monitor Agent. It filters events at the source before ingestion, reducing costs and noise. You can use presets (Minimal, Common, All Events) or custom XPath queries for specific Event IDs.

Click to flip back
Question

When should you use WEF instead of AMA direct?

Click or press Enter to reveal answer

Answer

Use WEF when: 1) You have a large on-premises estate where installing AMA on every machine is impractical. 2) WEF infrastructure already exists. 3) You need to aggregate events before cloud ingestion. WEF uses a collector server with AMA to forward centralised events to Sentinel.

Click to flip back
Question

What replaced the Microsoft Monitoring Agent (MMA) for Windows event collection?

Click or press Enter to reveal answer

Answer

The Azure Monitor Agent (AMA). MMA is deprecated. AMA is the recommended agent for new deployments, using Data Collection Rules for granular filtering.

Click to flip back
Knowledge Check

Anika needs to collect only failed logon events (Event ID 4625) and process creation events (Event ID 4688) from a client's servers. Which approach should she use?
Knowledge Check

James at Pacific Meridian has 5,000 on-premises Windows servers in a datacenter with an existing WEF infrastructure. What is the most efficient way to get their security events into Sentinel?

Next up: Windows events are flowing. Now let’s connect the rest β€” Syslog from Linux, CEF from firewalls, and Azure activity logs.