Log Analytics WindowsFirewall - table transformation not working

Adam Karas 0 Reputation points
2024-10-01T07:28:37.23+00:00

Hello,

I am collecting Windows Firewall logs via AMA from servers - that is working fine, I have ingested logs. But what I am trying to set up is transformation with DCR to collect only DROP records. Transformation KQL source | where FirewallAction != "ALLOW" or source | where FirewallAction == "DROP" (tried both). But still getting all records (ALLOW, DROP) to WindowsFirewall table. I have also tried different queries, filter, but still the same - looks like that transformation is not working.

Any hints where I should take a look, what could be configured wrong ?

Thanks a lot.

BR, AK

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,275 questions
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
419 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.