Create Data Collection Rules for Azure Sentinel
This article shows you how to create Data Collection Rules (DCRs) for the Windows Security Events data connector in Azure Sentinel. Before you continue, please read the earlier articles on Azure Arc and on collecting Security Events from on-premises servers:
- Deploying Azure Arc agent using PowerShell + AMA + Tagging – Lakeforest Consulting
- Active Directory Certificate Services XPath Queries – Lakeforest Consulting
- Audit Active Directory Certificate Services using Azure Sentinel – Lakeforest Consulting
So now that we have the environment up and running, we can create our first Data Collection Rule for Active Directory Certificate Services.
Convert XPath queries
I already have the XPath queries for ADCS in my GitHub repository, but they cannot be copied and pasted directly into Data Collection Rules. To use them in your DCR configurations, I wrote a small script that reads the XPath queries from GitHub and converts them to the format DCRs expect.
This script should print out the following output
You can download the script here: Azure-Sentinel/Convert-XPathQueriesToDCR.ps1 at main · Kaidja/Azure-Sentinel (github.com)
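As an added example (this is not the author's Convert-XPathQueriesToDCR.ps1 script), the PowerShell below performs the conversion the text describes: it takes XPath queries in the `<QueryList>` XML form that Event Viewer custom views use and rewrites each `<Select>` into the single-line `Channel!XPath` form that Data Collection Rules accept, for example `Security!*[System[(EventID=4886)]]`. The `<QueryList>` input is a constructed sample rather than the queries from the author's repository, and the function names `Convert-XPathToDcr` and `Test-DcrXPath` are my own.

```powershell
# Added example: convert Event Viewer style <QueryList> XML into DCR-format
# XPath queries ("Channel!XPath"). Not the post's own script.

function Convert-XPathToDcr {
    [CmdletBinding()]
    param(
        # XML text in the <QueryList> format used by Event Viewer custom views
        [Parameter(Mandatory)]
        [string]$QueryListXml
    )

    [xml]$doc = $QueryListXml
    $results = [System.Collections.Generic.List[string]]::new()

    foreach ($select in $doc.SelectNodes('/QueryList/Query/Select')) {
        # The channel comes from <Select Path="..."> or, failing that, <Query Path="...">
        $channel = $select.GetAttribute('Path')
        if (-not $channel) { $channel = $select.ParentNode.GetAttribute('Path') }

        # Collapse the line breaks and indentation that files hosted on GitHub
        # often carry; a DCR wants each query on a single line
        $xpath = ($select.InnerText -replace '\s+', ' ').Trim()

        $results.Add("$channel!$xpath")
    }

    # DCRs accept only <Select> clauses; warn if the input relied on <Suppress>
    if ($doc.SelectNodes('/QueryList/Query/Suppress').Count -gt 0) {
        Write-Warning 'Input contains <Suppress> elements; DCRs have no equivalent, so those exclusions are dropped.'
    }

    return $results
}

function Test-DcrXPath {
    # Sanity-check one DCR-format query against the local event log. Run this on
    # the CA itself: a syntax error surfaces here instead of in the DCR wizard.
    param([Parameter(Mandatory)][string]$DcrQuery)

    $channel, $xpath = $DcrQuery -split '!', 2
    try {
        $null = Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
        return $true
    } catch {
        # "No events were found" means the XPath parsed fine but matched nothing yet
        if ($_.Exception.Message -like '*No events were found*') { return $true }
        Write-Warning "Rejected: $DcrQuery -> $($_.Exception.Message)"
        return $false
    }
}

# Constructed sample input for this example (not the queries from the author's repo)
$sampleQueryList = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4886 or EventID=4887 or EventID=4888)]]
    </Select>
    <Select Path="Security">*[System[(EventID=4898 or EventID=4899 or EventID=4900)]]</Select>
  </Query>
</QueryList>
'@

$dcrQueries = Convert-XPathToDcr -QueryListXml $sampleQueryList
$dcrQueries                      # one "Security!*[System[...]]" line per <Select>

# Optional, on a Windows server with the Security log: validate before pasting
foreach ($q in $dcrQueries) { Test-DcrXPath -DcrQuery $q | Out-Null }
```

The conversion itself is just a prefix and whitespace cleanup, so the two things worth keeping from this example are the `<Suppress>` warning (a custom view that relied on exclusions will collect more than intended once it becomes a DCR) and the `Get-WinEvent -FilterXPath` check, which rejects the same malformed queries before they reach the portal.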
Create Data Collection Rules in Azure Sentinel
Now that we have the queries in DCR format, we can continue with the rest of the steps.
- Open Azure Sentinel
- Select Data Connectors and choose Windows Security Events (Preview)
- Click +Add data collection rule
- On the Create Data Collection Rule page, fill out the following information:
  - Rule Name: Collect-ADCS-Security-Events
  - Select your Subscription
  - Select your Resource Group
- Click Next
- On the Resources page, choose your ADCS servers
- Click Next
- On the Collect page, copy and paste the XPath queries from the PowerShell window, for example
- Click Add and Next
- On the Review + create page, click Create
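The wizard above produces a Data Collection Rule resource. As an added example (not from the post), the PowerShell below builds the same rule as JSON and deploys it with `Invoke-AzRestMethod` from the Az module, which makes the steps repeatable across environments. The subscription, resource group, workspace and rule name values are placeholders, the `westeurope` location is an assumption, and the two XPath queries are constructed samples standing in for the output of the conversion script.

```powershell
# Added example: build the DCR that the wizard creates as JSON and PUT it with
# the Az PowerShell module (run Connect-AzAccount first). IDs are placeholders.

$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspaceId    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
$ruleName       = 'Collect-ADCS-Security-Events'

# DCR-format XPath queries (constructed samples; paste your converted queries here)
$xPathQueries = @(
    'Security!*[System[(EventID=4886 or EventID=4887 or EventID=4888 or EventID=4889)]]'
    'Security!*[System[(EventID=4898 or EventID=4899 or EventID=4900)]]'
)

$dcr = [ordered]@{
    location   = 'westeurope'               # Azure region for the rule resource (assumed)
    properties = [ordered]@{
        # What the agent collects: the Security channel, filtered by the XPath queries
        dataSources = @{
            windowsEventLogs = @(
                [ordered]@{
                    name         = 'adcsSecurityEvents'
                    streams      = @('Microsoft-SecurityEvent')   # lands in the SecurityEvent table
                    xPathQueries = $xPathQueries
                }
            )
        }
        # Where it goes: the Log Analytics workspace behind Azure Sentinel
        destinations = @{
            logAnalytics = @(
                [ordered]@{
                    name                = 'sentinelWorkspace'
                    workspaceResourceId = $workspaceId
                }
            )
        }
        # Wire the stream to the destination
        dataFlows = @(
            [ordered]@{
                streams      = @('Microsoft-SecurityEvent')
                destinations = @('sentinelWorkspace')
            }
        )
    }
}

$body = $dcr | ConvertTo-Json -Depth 10
$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Insights/dataCollectionRules/$ruleName?api-version=2021-04-01"

$response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($response.StatusCode -notin 200, 201) {
    throw "DCR deployment failed ($($response.StatusCode)): $($response.Content)"
}
```

Note that this creates only the rule. The wizard's Resources step additionally creates a data collection rule association for each selected Arc-enabled server; when deploying this way, those associations have to be created separately before the servers start sending events. Keeping the rule in source control also gives you a record of exactly which Event IDs are collected, which is worth reviewing whenever the CA's audit settings change.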