Create Data Collection Rules for Azure Sentinel

This article shows you how to create Data Collection Rules for the Windows Security Events data connector in Azure Sentinel. Before you continue, please read the older articles around Azure Arc and how to collect “Security Events” from on-premises servers.

Deploying Azure Arc agent using PowerShell + AMA + Tagging – Lakeforest Consulting
Active Directory Certificate Services XPath Queries – Lakeforest Consulting
Audit Active Directory Certificate Services using Azure Sentinel – Lakeforest Consulting

So now that we have the environment up and running, we can create our first Data Collection Rule for Active Directory Certificate Services.

Convert XPath queries

I already have the XPath queries for the ADCS on my GitHub account, but we cannot copy and paste these to Data Collection Rules. To use these in your DCR configurations, I made a small script. This script reads the XPath queries from the GitHub account and converts them for DCR.

This script should print out the following output

You can download the script from here Azure-Sentinel/Convert-XPathQueriesToDCR.ps1 at main · Kaidja/Azure-Sentinel (github.com)

Create Data Collection Rules in Azure Sentinel

Now that we have the queries for DCR´s we can continue with the rest of the steps.

Open Azure Sentinel
Select Data Connectors and choose Windows Security Events (Preview)
Click +Add data collection rule
On the Create Data Collection Rule page, fill out the following information:
Rule Name: Collect-ADCS-Security-Events
Select your Subscription
Select your Resource Group
Click Next
On the Resources page, choose your ADCS servers
Click Next
On the Collect page, copy and paste the XPATH queries from the PowerShell window, for example
Click Add and Next
On the Review + create page, Create

Deploying Azure Arc agent using PowerShell + AMA + Tagging

Azure Arc - Add servers from Update Management

Need more information?