Connecting servers to Sentinel with AMA with minimum logs using XPath


Prerequisites

Windows Security Events via AMA Connector vs. Security Events via Legacy Agent Connector
The Windows Security Events via AMA Connector has the following differences from the Security Events via Legacy Agent Connector:
Benefits:

  • Manage collection settings at scale
  • Azure Monitoring Agent shared with other solutions
  • Performance improvements
  • Security improvements

Limitations:
The Azure Monitor Agent is released in preview and is supported with the CSPM plan and Microsoft Defender for Servers Plan 2.
Requirements:
Non-Azure VMs/devices require Azure Arc.

Installing AMA requires Azure Arc.

  • Windows Security Events via AMA
  • This will create a data collection rule (DCR).
  • You can choose which events to collect.

Data collection rules structure

Data collection rules in Azure Monitor – Azure Monitor | Microsoft Learn

Data collection structure

We will use the Custom option and XPath queries to choose the specific events.

Custom allows you to specify other logs or to filter events using XPath queries. For XPath queries you can enter up to 20 expressions in a single box, and up to 100 boxes in a rule. The Azure Monitor agent supports XPath queries for XPath version 1.0 only.

This is an example (the XPath selects event ID 1035 from the Application log):

# XPath filter on the System node of each event record
$XPath = '*[System[EventID=1035]]'
Get-WinEvent -LogName 'Application' -FilterXPath $XPath

To choose the events:
Go to Event Viewer.
Click Filter Current Log.
Choose the events you need.

Then go to the XML tab and tick Edit query manually.
Copy the expression starting from *[System up to the closing ]:
"*[System[(EventID=4624 or EventID=4627)]]"

Test with PowerShell

Test the copied expression against the Security log (reading the Security log needs an elevated prompt or membership in Event Log Readers):

$XPath = '*[System[(EventID=4624 or EventID=4627)]]'

Get-WinEvent -LogName 'Security' -FilterXPath $XPath

If the command returns the expected events, the expression is valid. In the data collection rule's custom box you must prefix the expression with the log channel name followed by an exclamation point (!). Events 4624 and 4627 live in the Security channel, so the entry is:
Security!*[System[(EventID=4624 or EventID=4627)]]
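As an added example (not code from the original post), the following PowerShell helper builds the XPath from a list of event IDs, tests it locally with Get-WinEvent the same way the post does, and returns the Channel!XPath string a DCR custom box expects. The function name New-EventXPath and the sample "minimum logs" ID set are my own assumptions.

```powershell
# Added example: build, test and format an XPath filter for an AMA data collection rule.
# New-EventXPath and the sample event-ID list are assumptions, not part of the original post.
function New-EventXPath {
    param(
        [Parameter(Mandatory)][int[]]$EventId,   # event IDs to keep
        [string]$Channel = 'Security',            # Windows event channel (log name)
        [int]$MaxEvents = 10                      # how many events the local test reads
    )

    # Build "*[System[(EventID=a or EventID=b)]]", the form Event Viewer shows on its XML tab.
    # The agent only understands XPath 1.0, so stick to this simple predicate syntax.
    $ids   = ($EventId | Sort-Object -Unique | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($ids)]]"

    # Test locally as the post does. Errors are captured in $xpErr instead of aborting,
    # so a malformed expression and an empty result can be told apart.
    # Reading the Security log requires an elevated prompt or Event Log Readers membership.
    $found = @(Get-WinEvent -LogName $Channel -FilterXPath $xpath -MaxEvents $MaxEvents `
                -ErrorAction SilentlyContinue -ErrorVariable xpErr)
    if ($found.Count -gt 0) {
        Write-Host ("XPath ok: {0} matching event(s) read from the {1} log" -f $found.Count, $Channel)
    } elseif ($xpErr) {
        # "No events were found" also arrives here; a syntax error in the XPath shows up the same way.
        Write-Warning ("No events returned for '{0}': {1}" -f $xpath, $xpErr[0].Exception.Message)
    }

    # DCR custom box format: channel name, '!', then the XPath expression.
    return "$Channel!$xpath"
}

# Constructed sample "minimum logs" set for the Security channel (my choice of IDs):
# 4624 logon, 4625 failed logon, 4672 special privileges assigned, 4688 process creation,
# 4720 user account created.
$minimal = 4624, 4625, 4672, 4688, 4720
New-EventXPath -EventId $minimal -Channel 'Security'
```

Paste the returned string into one of the rule's custom boxes; remember the limits from above, 20 expressions per box and 100 boxes per rule.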

More details can be found here:

Collect events and performance counters from virtual machines with Azure Monitor Agent – Azure Monitor | Microsoft Learn
