Windows Events: how to collect them in Sentinel and which approach is preferred for detecting incidents.

I started blogging again, but this time the article is on the Microsoft Tech Community platform. I've been working with Microsoft Sentinel for three years now, since its start as Azure Sentinel. The contents of this blog post are the result of my experience delivering migrations to Sentinel from other SIEMs and green-field adoption projects where SOC teams learn and adopt Microsoft Sentinel as their SIEM. On several of these projects, the three main ways of ingesting Windows Server OS logs for IaaS architectures have been a recurring theme, even in multi-cloud environments. This article outlines those three ways to ingest OS events, which of those events are considered Security Events, and the gotchas when using a Windows Event Collector.

My Azure Security references

If you're an Azure Security Ninja learning about Sentinel (Azure's cloud-native SIEM), here's a free Azure Sentinel webinar.

Here’s a video on Azure Sentinel from Azure Fridays:

For those of you learning about the Kusto Query Language (KQL), here's a good free online class:

More on KQL (Kusto Query Language) and its use in Azure Sentinel:

If you want a full list of all the webinars and the assets/files shared in them, take a look here ->

If you're wondering how to integrate Application Gateway WAF v1 with Azure Security Center (ASC):

If you want to learn more about Logic Apps in order to use them in one of our Security Services, start here ->

Azure Fridays Azure Security Center video:

Use of Logic Apps: