Today you can ingest Windows Security Events into Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector sends events directly to the SecurityEvent table.
When it comes to Windows event log collection, it is fairly important that events land in the SecurityEvent table. Most of the out-of-box features in Sentinel, such as UEBA, Scheduled Analytic Rules, and Anomalies, use the SecurityEvent table as a primary source.
However, as of today, if you try to create a similar data collection rule from Azure Monitor, the only option is to send events to the Event table. Personally, I prefer working out of the Azure Monitor portal as it contains all the other data collection rules and is easier to manage at scale.
To that end I created a PowerShell script you can use to update a data collection rule created from Azure Monitor so that it sends to the SecurityEvent table. Let's take a look.
Skip to Step 2 if you just need to run the script; grab it from here: update-dcrdatastream.ps1
Step 1 – Create a Data Collection Rule
You will initially create a data collection rule from the Azure Monitor portal.
From the Azure Portal, navigate to Data Collection Rules under Azure Monitor
Create a new Windows-based Data Collection Rule
Assign any Windows machine; this is not required at this point and can be done after creation
Add a new Data Source and select Windows Event Logs. In the example below I used a few XPath queries
Add your Sentinel workspace as the corresponding destination
Step 2 – Update the DCR using update-dcrdatastream
Ensure you have the latest version of PowerShell and the Az.Accounts module installed. After the data collection rule is updated to Microsoft-SecurityEvent you will no longer be able to manage the data sources from the Azure Monitor UI; this currently does not work for Microsoft-SecurityEvent based DCRs. If you need to modify the data sources in the future you can use the Set-AzDataCollectionRule cmdlet.
- Download the script from GitHub: update-dcrdatastream.ps1
- Run the script against the applicable rule like below
.\update-dcrdatastream.ps1 -subscriptionId ada06e68-375e-4210-be3a-c6cacebf41c5 `
    -resourceGroup sentinel-dcrs -ruleName windows-security-events
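The post does not show the script's source, so here is an added PowerShell example of my own (not the author's update-dcrdatastream.ps1) that performs the same update with Invoke-AzRestMethod from Az.Accounts: it reads the rule, rewrites the Microsoft-Event stream to Microsoft-SecurityEvent in both the Windows event log data sources and the data flows, and writes the rule back. The parameter names mirror the command above; the api-version 2022-06-01, the dropped read-only fields and the StatusCode 200 check are my assumptions.

```powershell
# Added example, not the author's script: switch a DCR's Windows event log
# stream from Microsoft-Event (Event table) to Microsoft-SecurityEvent
# (SecurityEvent table) through the ARM REST API.
param(
    [Parameter(Mandatory)] [string] $subscriptionId,
    [Parameter(Mandatory)] [string] $resourceGroup,
    [Parameter(Mandatory)] [string] $ruleName
)

$apiVersion = '2022-06-01'   # assumed GA api-version for dataCollectionRules
$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Insights/dataCollectionRules/$ruleName" +
        "?api-version=$apiVersion"

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

# 1. Read the current rule definition.
$get = Invoke-AzRestMethod -Method GET -Path $path
if ($get.StatusCode -ne 200) { throw "GET failed: $($get.StatusCode) $($get.Content)" }
$dcr = $get.Content | ConvertFrom-Json

# 2. Rename the stream everywhere it appears: in each Windows event log data
#    source (the XPath queries are left untouched) and in each data flow that
#    routes that stream to the workspace destination.
$old = 'Microsoft-Event'; $new = 'Microsoft-SecurityEvent'
foreach ($src in $dcr.properties.dataSources.windowsEventLogs) {
    $src.streams = @($src.streams | ForEach-Object { if ($_ -eq $old) { $new } else { $_ } })
}
foreach ($flow in $dcr.properties.dataFlows) {
    $flow.streams = @($flow.streams | ForEach-Object { if ($_ -eq $old) { $new } else { $_ } })
}

# 3. Write it back. Read-only fields are dropped before the PUT (assumption:
#    ARM ignores them anyway, but a clean body avoids surprises).
foreach ($ro in 'provisioningState', 'immutableId') {
    $dcr.properties.PSObject.Properties.Remove($ro)
}
$body = @{ location = $dcr.location; properties = $dcr.properties }
if ($dcr.kind) { $body.kind = $dcr.kind }
$put = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($body | ConvertTo-Json -Depth 20)
if ($put.StatusCode -ne 200) { throw "PUT failed: $($put.StatusCode) $($put.Content)" }

# 4. Print the resulting streams so the change can be verified against the
#    JSON view in the portal; every entry should now read Microsoft-SecurityEvent.
($put.Content | ConvertFrom-Json).properties.dataFlows | Select-Object -ExpandProperty streams
```

Run it with the same three parameters as the command above; a non-200 response from either call stops the script before anything is changed or reported as success.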
You can verify the DCR was modified by checking the output of the script. You should see a StatusCode of 200 and the updated streams, as below.
You can also verify the DCR was updated by checking the data collection rule's streams in the Azure Portal
- Navigate to Data Collection Rules in the Azure Portal under Azure Monitor
- Select the Data Collection Rule you just updated
- Select JSON View and verify that the stream(s) have been updated