Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Hello,
I am collecting Windows Firewall logs via AMA from servers - that is working fine, I have ingested logs. But what I am trying to set up is a transformation with DCR to collect only DROP records. Transformation KQL:
source | where FirewallAction != "ALLOW"
or
source | where FirewallAction == "DROP"
(tried both). But I am still getting all records (ALLOW, DROP) in the WindowsFirewall table. I have also tried different queries and filters, but still the same - it looks like the transformation is not working.
Any hints where I should take a look, what could be configured wrong?
Thanks a lot.
BR, AK