Active Directory Certificate Services XPath Queries

In our previous blog post, we enabled ADCS auditing and included an Excel spreadsheet listing the relevant event IDs. In Azure Sentinel, we have the Windows Security Events data connector. This new connector lets us define XPath queries in its data collection rule, so only the events that match the queries are collected and there is no need to ingest every Security event from your servers.

Today we published our first set of XPath queries for Active Directory Certificate Services. All queries are posted in the Azure Sentinel GitHub repository – Kaidja/Azure-Sentinel: Azure Sentinel related content (
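To show what such a query looks like and how to check it before putting it into a data collection rule, here is an added example (my own code, not part of the original post or of the Kaidja/Azure-Sentinel repository). It builds a filter in the `Security!*[System[...]]` form the Windows Security Events via AMA connector expects, restricted to a subset of the Windows "Certification Services" audit events (the IDs and their meanings are the standard Security log events; the list is not the full set from the spreadsheet), and then evaluates that filter against constructed sample event records offline. The sample XML, the computer name and the `RequestId` value are constructed for the example.

```python
"""Build and sanity-check DCR-style XPath filters for ADCS audit events.

Added example: not code from the original post or the Kaidja/Azure-Sentinel
repository. Event IDs are the standard Certification Services audit events in
the Windows Security log; the sample event records below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (what Get-WinEvent's ToXml() returns).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SECURITY_PROVIDER = "Microsoft-Windows-Security-Auditing"

# A subset of the Certification Services audit subcategory events.
ADCS_EVENT_IDS = {
    4886: "Certificate Services received a certificate request",
    4887: "Certificate Services approved a request and issued a certificate",
    4888: "Certificate Services denied a certificate request",
    4889: "Certificate Services set the status of a request to pending",
    4890: "The certificate manager settings for Certificate Services changed",
    4891: "A configuration entry changed in Certificate Services",
    4892: "A property of Certificate Services changed",
    4898: "Certificate Services loaded a template",
    4899: "A Certificate Services template was updated",
    4900: "Certificate Services template security was updated",
}


def build_dcr_xpath(event_ids, channel="Security", provider=SECURITY_PROVIDER):
    """Return one 'Channel!*[System[...]]' query for the AMA data collection rule.

    Pinning the provider avoids picking up unrelated events that happen to
    reuse the same numeric ID in another provider's manifest.
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("need at least one event ID")
    id_pred = " or ".join(f"EventID={i}" for i in ids)
    return f"{channel}!*[System[Provider[@Name='{provider}'] and ({id_pred})]]"


def build_dcr_xpaths(event_ids, max_ids_per_query=10, **kw):
    """Split a long ID list over several queries; the DCR accepts a list."""
    ids = sorted({int(i) for i in event_ids})
    return [build_dcr_xpath(ids[i:i + max_ids_per_query], **kw)
            for i in range(0, len(ids), max_ids_per_query)]


def parse_dcr_xpath(xpath):
    """Recover (channel, provider, ids) from a query built above, so the same
    predicate can be applied to sample events without a Windows event log."""
    channel, _, rest = xpath.partition("!")
    provider = re.search(r"Provider\[@Name='([^']+)'\]", rest).group(1)
    ids = {int(x) for x in re.findall(r"EventID=(\d+)", rest)}
    return channel, provider, ids


def event_matches(xpath, event_xml):
    """True if the event record would be selected by the DCR query."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", EVENT_NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    channel = root.find("e:System/e:Channel", EVENT_NS).text
    want_channel, want_provider, want_ids = parse_dcr_xpath(xpath)
    return (channel == want_channel and provider == want_provider
            and event_id in want_ids)


def _sample_event(event_id, provider=SECURITY_PROVIDER, channel="Security"):
    """Constructed minimal event record in the Windows event XML schema."""
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System>'
            f'<Provider Name="{provider}"/><EventID>{event_id}</EventID>'
            f'<Channel>{channel}</Channel><Computer>ca01.corp.example</Computer>'
            f'</System><EventData><Data Name="RequestId">42</Data></EventData>'
            f'</Event>')


SAMPLE_EVENTS = {
    "issued": _sample_event(4887),                       # ADCS issued a cert
    "logon": _sample_event(4624),                        # plain logon, skip
    "other_provider": _sample_event(4887, provider="Contoso-App"),
}


def check_samples():
    """Apply the full ADCS query to the constructed samples."""
    xpath = build_dcr_xpath(ADCS_EVENT_IDS)
    return {name: event_matches(xpath, xml) for name, xml in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for query in build_dcr_xpaths(ADCS_EVENT_IDS, max_ids_per_query=5):
        print(query)
    print(check_samples())
```

To test a query on a real CA before adding it to the rule, drop the `Security!` prefix and pass the remainder to `Get-WinEvent -LogName Security -FilterXPath` in PowerShell on the server; the same predicate syntax is accepted there.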

Have fun!
