Winlogbeat Documentation
Windows Event Logging
Microsoft 365 Management Activity Configuration
Microsoft Entra ID Configuration
- Stream events from Microsoft Entra ID to Event Hubs
- Create a resource group in Azure Portal
- Create an Event Hubs namespace within the new resource group
- Create an event hub in the new namespace
- Create a consumer group in the new event hub
- Set up streaming from Microsoft Entra ID logs to event hub
Microsoft 365 Defender Configuration
- Stream events from Microsoft 365 Defender to Event Hubs
- Create a resource group in Azure Portal
- Create a Microsoft Entra App Registration
- Create an Event Hubs namespace within the new resource group
- Create an event hub in the new namespace
- Create a consumer group in the new event hub
FAQs
- Can AARNet provide guidance on the sizing of the WEC server?
- Do we need to build multiple WEC servers for redundancy purposes?
- Can I set up load balancing between multiple WEC servers?
- How are logs/events collected at the WEC server exported to the AARNet SIEM?
- Which events should we log?
- What happens if the WEC server is not able to communicate with the AARNet SIEM?