πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided SC-200 Domain 1
Domain 1 β€” Module 2 of 12 17%
2 of 28 overall

SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server
Domain 1: Manage a Security Operations Environment Premium ⏱ ~13 min read

Get Windows Events Into Sentinel

Windows security events are the bread and butter of any SOC. Learn how to select the right data connectors, configure Windows Security Events via AMA with data collection rules, and plan Windows Event Forwarding for legacy environments.

Why Windows events come first

β˜• Simple explanation

Imagine a building with 10,000 employees and 500 security cameras.

Before you can investigate a break-in, those cameras need to be recording and sending footage to the control room. No footage = no investigation.

Windows security events are your cameras. Every login, failed password attempt, privilege escalation, process launch, and file access generates an event. Getting these events into Sentinel is the first step in any SOC β€” without them, your analytics rules have nothing to detect and your hunters have nothing to query.

There are two main ways to get Windows events into Sentinel: AMA (the modern agent) and WEF (the legacy forwarding method).

Windows security events from the Security, System, and Application event logs are the most common data source for Microsoft Sentinel. They capture authentication events (Event IDs 4624, 4625), privilege use (4672, 4673), process creation (4688), object access, policy changes, and more.

Microsoft provides two primary methods for ingestion: the Azure Monitor Agent (AMA) with data collection rules (DCRs), and Windows Event Forwarding (WEF) for environments with centralised event collection. AMA is the recommended modern approach; WEF is used in hybrid/legacy scenarios where agents cannot be deployed on every endpoint.

The connector you choose depends on: whether endpoints are Azure-hosted or on-premises, whether you need granular filtering (DCRs), and whether WEF infrastructure already exists.

Choosing the right connector

Not all data connectors are equal. The exam tests whether you can select the right connector based on the data source requirements.

Data SourceRecommended ConnectorWhy
Azure VMs (Windows)Windows Security Events via AMADirect agent-based collection with DCR filtering
On-premises Windows serversWindows Security Events via AMA (with Azure Arc)Arc extends AMA to non-Azure machines
Large on-prem estate with existing WEFWindows Event Forwarding + AMA on collectorCentralise events first, then forward to Sentinel
Microsoft Defender for Endpoint devicesXDR connector (built-in)Device events flow through Defender XDR automatically
Azure platform logsDiagnostic settingsNot Windows events β€” covered in the next module
πŸ’‘ Exam tip: the legacy MMA connector

The older Microsoft Monitoring Agent (MMA) connector still appears in some documentation. It is deprecated. The exam expects you to recommend AMA for new deployments.

If a question mentions β€œan organisation is migrating from MMA to the current recommended agent,” the answer is Azure Monitor Agent (AMA).

Windows Security Events via AMA

The Azure Monitor Agent (AMA) is the modern, recommended way to collect Windows events. It uses Data Collection Rules (DCRs) to control exactly what gets sent to Sentinel.

How it works

  1. Install AMA on the Windows machine (Azure VMs get it automatically; on-prem machines need Azure Arc)
  2. Create a Data Collection Rule that specifies which event IDs or categories to collect
  3. Associate the DCR with the target machines
  4. Events flow from the machine β†’ AMA β†’ Log Analytics workspace β†’ Sentinel

Data collection rule filtering

DCRs let you filter events at the source β€” before they even leave the machine. This saves ingestion costs and reduces noise.

PresetWhat It CollectsEvents per Day (approx.)
MinimalCritical security events only (failed logins, privilege escalation)Low
CommonMost security-relevant events (logins, logoffs, account management, policy changes)Medium
All EventsEvery event from the Security logHigh (can be very noisy)
Custom (XPath)Specific Event IDs you define using XPath queriesYou control
πŸ’‘ Scenario: Anika's DCR strategy for 40 clients

Anika at Sentinel Shield manages ingestion for 40 MSSP clients. She cannot send β€œAll Events” for every client β€” the cost would be astronomical.

Her DCR strategy:

  • All clients get β€œCommon” as the baseline β€” covers authentication, account changes, and policy modifications
  • Financial services clients get a custom DCR adding Event ID 4688 (process creation) for threat hunting
  • Healthcare clients get a custom DCR adding object access events for PHI compliance
  • Small businesses get β€œMinimal” β€” just failed logins and privilege escalation

Each client’s DCR is associated with their specific machines via Azure Arc. One machine can only be associated with one DCR for a given data type.

Custom XPath filtering

For precise control, you write XPath queries in the DCR to select specific Event IDs:

Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]

This collects only:

  • 4624 β€” successful logon
  • 4625 β€” failed logon
  • 4672 β€” special privileges assigned
  • 4688 β€” new process created

Everything else stays on the machine.

Windows Event Forwarding (WEF)

WEF is Microsoft’s built-in mechanism for centralising Windows events before they reach Sentinel. It uses a collector server that pulls events from source machines.

When to use WEF

  • Large on-premises environments with thousands of servers where installing AMA on every machine is impractical
  • Environments that already have a WEF infrastructure in place
  • Scenarios requiring event aggregation before cloud ingestion (reduces direct internet connections)

WEF architecture

Source machines β†’ push events β†’ WEF Collector β†’ AMA on collector β†’ Sentinel

The collector server runs the Windows Event Collector (WEC) service and has AMA installed. Source machines push events to the collector using subscriptions configured via Group Policy.

AMA direct is simpler; WEF is better for large on-prem environments
FeatureAMA (Direct)WEF + AMA (via Collector)
Agent required on each machineYes β€” AMA on every sourceNo β€” only AMA on the collector
FilteringDCR-based (XPath) at sourceWEF subscription filters + DCR on collector
Best forAzure VMs, Arc-connected on-prem, smaller environmentsLarge on-prem estates, air-gapped networks, existing WEF setups
LatencyNear real-time (seconds)Slightly higher (depends on WEF subscription interval)
ManagementAzure Policy can auto-deploy AMA + DCRGroup Policy manages WEF subscriptions
Recommended by MicrosoftYes β€” preferred for new deploymentsYes β€” for large-scale on-prem with existing WEF
πŸ’‘ Exam tip: WEF is NOT deprecated

Unlike MMA, WEF is still a supported and recommended approach for specific scenarios. The exam may present a scenario with 5,000 on-premises servers and ask the best approach. If AMA on every machine is impractical, WEF + AMA on a collector is the answer.

Question

What is a Data Collection Rule (DCR) and why does it matter?

Click or press Enter to reveal answer

Answer

A DCR defines which events to collect from a source machine using the Azure Monitor Agent. It filters events at the source before ingestion, reducing costs and noise. You can use presets (Minimal, Common, All Events) or custom XPath queries for specific Event IDs.

Click to flip back
Question

When should you use WEF instead of AMA direct?

Click or press Enter to reveal answer

Answer

Use WEF when: 1) You have a large on-premises estate where installing AMA on every machine is impractical. 2) WEF infrastructure already exists. 3) You need to aggregate events before cloud ingestion. WEF uses a collector server with AMA to forward centralised events to Sentinel.

Click to flip back
Question

What replaced the Microsoft Monitoring Agent (MMA) for Windows event collection?

Click or press Enter to reveal answer

Answer

The Azure Monitor Agent (AMA). MMA is deprecated. AMA is the recommended agent for new deployments, using Data Collection Rules for granular filtering.

Click to flip back
Knowledge Check

Anika needs to collect only failed logon events (Event ID 4625) and process creation events (Event ID 4688) from a client's servers. Which approach should she use?
Knowledge Check

James at Pacific Meridian has 5,000 on-premises Windows servers in a datacenter with an existing WEF infrastructure. What is the most efficient way to get their security events into Sentinel?

🎬 Video coming soon

Next up: Windows events are flowing. Now let’s connect the rest β€” Syslog from Linux, CEF from firewalls, and Azure activity logs.

← Previous

Sentinel Workspace: Roles & Retention

Next β†’

Syslog, CEF & Azure Data Ingestion

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.