Sentinel: Creating Data Collection Rules to send to the SecurityEvent table

Today you can ingest Windows Security Events into Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector sends events directly to the SecurityEvent table.

When it comes to Windows event log collection, it's fairly important that events land in the SecurityEvent table. Most of the out-of-the-box features in Sentinel, such as UEBA, Scheduled Analytic Rules, and Anomalies, use the SecurityEvent table as a primary source.

However, as of today, if you try to create a similar data collection rule from Azure Monitor you only have the option to send events to the Event table. Personally, I prefer working out of the Azure Monitor portal as it contains all the other data collection rules and is easier to manage at scale.

To that end I created a PowerShell script you can use to update a data collection rule created from Azure Monitor so that it sends to the SecurityEvent table. Let's take a look.

Skip to Step 2 if you just need to run the script; grab it from here - update-dcrdatastream.ps1

Step 1 – Create a Data Collection Rule

You will initially create a data collection rule from the Azure Monitor portal.

  1. From the Azure Portal, navigate to Data Collection Rules under Azure Monitor
  2. Create a new Windows-based Data Collection Rule
  3. Assign any Windows machine; this is not required at this point and can be done after creation
  4. Add a new Data Source and select Windows Event Logs. In the example below I used a few XPath queries
  5. Add the corresponding data source for your Sentinel workspace

Step 2 – Update the DCR using update-dcrdatastream

Ensure you have the latest version of PowerShell and the Az.Accounts module installed.

After the data collection rule is updated to Microsoft-SecurityEvent you will no longer be able to manage the data sources from the Azure Monitor UI, since the UI currently does not support Microsoft-SecurityEvent based DCRs. If you need to modify the data sources in the future you can use the Set-AzDataCollectionRule cmdlet.
  1. Download the script from GitHub: update-dcrdatastream.ps1
  2. Run the script against the applicable rule like below
.\update-dcrdatastream.ps1 -subscriptionId ada06e68-375e-4210-be3a-c6cacebf41c5 `
-resourceGroup sentinel-dcrs -ruleName windows-security-events
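For reference, here is an added example (not the author's update-dcrdatastream.ps1) showing the same change done directly against the ARM REST API with Invoke-AzRestMethod from Az.Accounts. The function name, the api-version and the assumption that Connect-AzAccount has already been run are mine, not the post's.

```powershell
# Added example, not the post's script. Rewrites every Microsoft-Event stream
# reference in a DCR to Microsoft-SecurityEvent, keeping the XPath queries and
# Log Analytics destination intact. Assumes Az.Accounts and an existing Connect-AzAccount session.
function Update-DcrStreamToSecurityEvent {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $RuleName,
        [string] $ApiVersion = '2022-06-01'   # assumption: a GA DCR api-version
    )
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Insights/dataCollectionRules/$RuleName" +
            "?api-version=$ApiVersion"

    # Read the current rule so nothing but the stream names changes.
    $get = Invoke-AzRestMethod -Method GET -Path $path
    if ($get.StatusCode -ne 200) { throw "GET failed: $($get.StatusCode) $($get.Content)" }
    $dcr = $get.Content | ConvertFrom-Json -Depth 20

    # Only the Windows event log stream is renamed; any other streams (e.g. Perf) are left alone.
    $rename = { if ($_ -eq 'Microsoft-Event') { 'Microsoft-SecurityEvent' } else { $_ } }

    # The stream name appears twice: on each Windows event log data source
    # and on each data flow that routes that stream to the workspace.
    foreach ($src in $dcr.properties.dataSources.windowsEventLogs) {
        $src.streams = @($src.streams | ForEach-Object $rename)
    }
    foreach ($flow in $dcr.properties.dataFlows) {
        $flow.streams = @($flow.streams | ForEach-Object $rename)
    }

    # PUT back only the writable parts of the resource, not id/etag/systemData.
    $payload = [ordered]@{ location = $dcr.location; properties = $dcr.properties }
    if ($dcr.kind) { $payload.kind = $dcr.kind }
    if ($dcr.tags) { $payload.tags = $dcr.tags }
    $put = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($payload | ConvertTo-Json -Depth 20)
    if ($put.StatusCode -ne 200) { throw "PUT failed: $($put.StatusCode) $($put.Content)" }

    # Return the resulting data flow streams so the caller can confirm the change.
    ($put.Content | ConvertFrom-Json -Depth 20).properties.dataFlows |
        ForEach-Object { $_.streams }
}

Update-DcrStreamToSecurityEvent -SubscriptionId '<subscription id>' `
    -ResourceGroup 'sentinel-dcrs' -RuleName 'windows-security-events'
```

Check the returned stream list and the StatusCode just as the post describes for the script; a rule that was already converted is simply written back unchanged.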

You can verify the DCR was modified by checking the output of the script. You should see a StatusCode of 200 and the streams updated, like below.

You can also verify the DCR was updated by checking the data collection rule stream in the Azure Portal:

  1. Navigate to Data Collection Rules in the Azure Portal under Azure Monitor
  2. Select the Data Collection Rule you just updated
  3. Select JSON View and verify the stream(s) have been updated
