fix: use Microsoft-Event stream with audit keyword xPath filter

Prachig-Microsoft · Prachig-Microsoft · commit fdf9237b4a1a · 2026-05-19T12:46:44.000+05:30
Address PR review: keep the Windows Security event DCR but use the always-available 'Microsoft-Event' stream (Event table) instead of 'Microsoft-SecurityEvent' (which requires Sentinel). Apply the reviewer-suggested xPathQueries filter 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]' in both main.bicep and main_custom.bicep, and add the matching dataflow.
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -586,6 +586,17 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             name: 'perfCounterDataSource60'
           }
         ]
+        windowsEventLogs: [
+          {
+            name: 'SecurityAuditEvents'
+            streams: [
+              'Microsoft-Event'
+            ]
+            xPathQueries: [
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
+            ]
+          }
+        ]
       }
       destinations: {
         logAnalytics: [
@@ -604,6 +615,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
             'la-${dataCollectionRulesResourceName}'
           ]
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }
diff --git a/infra/main.json b/infra/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "17498808897015217801"
+      "templateHash": "16719390237009495333"
     },
     "name": "Modernize Your Code Solution Accelerator",
     "description": "CSA CTO Gold Standard Solution Accelerator for Modernize Your Code. \r\n"
@@ -13101,11 +13101,11 @@
       },
       "dependsOn": [
         "applicationInsights",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').oms)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').ods)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').agentSvc)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').monitor)]",
         "dataCollectionEndpoint",
         "logAnalyticsWorkspace",
         "virtualNetwork"
@@ -15351,6 +15351,17 @@
                     ],
                     "name": "perfCounterDataSource60"
                   }
+                ],
+                "windowsEventLogs": [
+                  {
+                    "name": "SecurityAuditEvents",
+                    "streams": [
+                      "Microsoft-Event"
+                    ],
+                    "xPathQueries": [
+                      "Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
+                    ]
+                  }
                 ]
               },
               "destinations": {
@@ -15369,6 +15380,16 @@
                   "destinations": [
                     "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
                   ]
+                },
+                {
+                  "streams": [
+                    "Microsoft-Event"
+                  ],
+                  "destinations": [
+                    "[format('la-{0}', variables('dataCollectionRulesResourceName'))]"
+                  ],
+                  "transformKql": "source",
+                  "outputStream": "Microsoft-Event"
                 }
               ]
             }
@@ -40484,8 +40505,8 @@
       },
       "dependsOn": [
         "appIdentity",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]",
         "logAnalyticsWorkspace",
         "virtualNetwork"
       ]
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -497,10 +497,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           {
             name: 'SecurityAuditEvents'
             streams: [
-              'Microsoft-WindowsEvent'
+              'Microsoft-Event'
             ]
             xPathQueries: [
-              'Security!*[System[(EventID=4624 or EventID=4625)]]'
+              'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'
             ]
           }
         ]
@@ -524,6 +524,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-
           transformKql: 'source'
           outputStream: 'Microsoft-Perf'
         }
+        {
+          streams: [
+            'Microsoft-Event'
+          ]
+          destinations: [
+            'la-${dataCollectionRulesResourceName}'
+          ]
+          transformKql: 'source'
+          outputStream: 'Microsoft-Event'
+        }
       ]
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -586,6 +586,17 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`586`	`586`	`name: 'perfCounterDataSource60'`
`587`	`587`	`}`
`588`	`588`	`]`
	`589`	`+ windowsEventLogs: [`
	`590`	`+ {`
	`591`	`+ name: 'SecurityAuditEvents'`
	`592`	`+ streams: [`
	`593`	`+ 'Microsoft-Event'`
	`594`	`+ ]`
	`595`	`+ xPathQueries: [`
	`596`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
	`597`	`+ ]`
	`598`	`+ }`
	`599`	`+ ]`
`589`	`600`	`}`
`590`	`601`	`destinations: {`
`591`	`602`	`logAnalytics: [`
`@@ -604,6 +615,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`604`	`615`	`'la-${dataCollectionRulesResourceName}'`
`605`	`616`	`]`
`606`	`617`	`}`
	`618`	`+ {`
	`619`	`+ streams: [`
	`620`	`+ 'Microsoft-Event'`
	`621`	`+ ]`
	`622`	`+ destinations: [`
	`623`	`+ 'la-${dataCollectionRulesResourceName}'`
	`624`	`+ ]`
	`625`	`+ transformKql: 'source'`
	`626`	`+ outputStream: 'Microsoft-Event'`
	`627`	`+ }`
`607`	`628`	`]`
`608`	`629`	`}`
`609`	`630`	`}`
Original file line number	Diff line number	Diff line change
`@@ -497,10 +497,10 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`497`	`497`	`{`
`498`	`498`	`name: 'SecurityAuditEvents'`
`499`	`499`	`streams: [`
`500`		`- 'Microsoft-WindowsEvent'`
	`500`	`+ 'Microsoft-Event'`
`501`	`501`	`]`
`502`	`502`	`xPathQueries: [`
`503`		`- 'Security!*[System[(EventID=4624 or EventID=4625)]]'`
	`503`	`+ 'Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]'`
`504`	`504`	`]`
`505`	`505`	`}`
`506`	`506`	`]`
`@@ -524,6 +524,16 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection-`
`524`	`524`	`transformKql: 'source'`
`525`	`525`	`outputStream: 'Microsoft-Perf'`
`526`	`526`	`}`
	`527`	`+ {`
	`528`	`+ streams: [`
	`529`	`+ 'Microsoft-Event'`
	`530`	`+ ]`
	`531`	`+ destinations: [`
	`532`	`+ 'la-${dataCollectionRulesResourceName}'`
	`533`	`+ ]`
	`534`	`+ transformKql: 'source'`
	`535`	`+ outputStream: 'Microsoft-Event'`
	`536`	`+ }`
`527`	`537`	`]`
`528`	`538`	`}`
`529`	`539`	`}`