Log Analytics WindowsFirewall - table transformation not working

Adam Karas 0 Reputation points
2024-10-01T07:28:37.23+00:00

Hello,

I am collecting Windows Firewall logs via AMA from servers. That is working fine, and I have ingested logs. What I am trying to set up is a transformation with a DCR to collect only DROP records. Transformation KQL: source | where FirewallAction != "ALLOW" or source | where FirewallAction == "DROP" (tried both). But I am still getting all records (ALLOW, DROP) in the WindowsFirewall table. I have also tried different queries and filters, but it is still the same; it looks like the transformation is not working.

Any hints where I should take a look, what could be configured wrong?

Thanks a lot.

BR, AK
