jeremyhAUS markj995 To split Security logs into the SecurityEvent table and non-Security logs into the WindowsEvent table, you'll need two DCRs created manually and associated with the AMA agent installed on your WECs. I went with Bicep, but you can use ARM, Terraform, or there are blog posts on how to update existing DCRs using the Azure Resource Manager REST API. Some links to get started: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview
Below are the relevant sections of the DCRs - you should be able to figure out the rest.
dataSources definition for DCR1:
    windowsEventLogs: [
      {
        name: 'nonSecurityEvents'
        streams: [
          'Microsoft-WindowsEvent'
        ]
        xPathQueries: [
          /* Filter out Security logs */
          '''ForwardedEvents!*[System[(Channel!='Security') and (Channel!='Microsoft-Windows-AppLocker/EXE and DLL') and (Channel!='Microsoft-Windows-AppLocker/MSI and Script')]]'''
        ]
      }
    ]
dataSources definition for DCR2:
    windowsEventLogs: [
      {
        name: 'SecurityEvents'
        streams: [
          'Microsoft-SecurityEvent'
        ]
        xPathQueries: [
          '''ForwardedEvents!*[System[(Channel='Security')]]'''
          '''ForwardedEvents!*[System[(Channel='Microsoft-Windows-AppLocker/EXE and DLL') or (Channel='Microsoft-Windows-AppLocker/MSI and Script')]]'''
        ]
      }
    ]
Hope this helps you and others.
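For readers who want the "rest" filled in, here is an added, complete Bicep example (not the poster's own template) that wires the two dataSources fragments above into full DCR resources, sends each stream to the workspace, and associates both rules with the WEC virtual machine. It assumes the AMA is already installed on the WEC, that the workspace resource id and the WEC VM name are passed in as parameters (`workspaceResourceId`, `wecVmName`), and that the resource names (`dcr-wec-windowsevent`, `dcr-wec-securityevent`, the `law` destination name) are arbitrary placeholders you can rename.

```bicep
// Added example, not from the original post.
// Two DCRs: one routes non-Security forwarded events to the WindowsEvent table
// (Microsoft-WindowsEvent stream), the other routes Security and AppLocker events
// to the SecurityEvent table (Microsoft-SecurityEvent stream).
// Assumed inputs: the workspace resource id and the name of the WEC VM that
// already runs the Azure Monitor Agent.
param location string = resourceGroup().location
param workspaceResourceId string
param wecVmName string

// Existing WEC VM in this resource group (assumption: same RG as the DCRs)
resource wecVm 'Microsoft.Compute/virtualMachines@2023-03-01' existing = {
  name: wecVmName
}

// DCR1: everything in ForwardedEvents except the Security and AppLocker channels
resource dcrNonSecurity 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-wec-windowsevent'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'nonSecurityEvents'
          streams: [
            'Microsoft-WindowsEvent'
          ]
          xPathQueries: [
            '''ForwardedEvents!*[System[(Channel!='Security') and (Channel!='Microsoft-Windows-AppLocker/EXE and DLL') and (Channel!='Microsoft-Windows-AppLocker/MSI and Script')]]'''
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          workspaceResourceId: workspaceResourceId
          name: 'law'
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Microsoft-WindowsEvent'
        ]
        destinations: [
          'law'
        ]
      }
    ]
  }
}

// DCR2: only the Security and AppLocker channels, into the SecurityEvent table
resource dcrSecurity 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-wec-securityevent'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'SecurityEvents'
          streams: [
            'Microsoft-SecurityEvent'
          ]
          xPathQueries: [
            '''ForwardedEvents!*[System[(Channel='Security')]]'''
            '''ForwardedEvents!*[System[(Channel='Microsoft-Windows-AppLocker/EXE and DLL') or (Channel='Microsoft-Windows-AppLocker/MSI and Script')]]'''
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          workspaceResourceId: workspaceResourceId
          name: 'law'
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Microsoft-SecurityEvent'
        ]
        destinations: [
          'law'
        ]
      }
    ]
  }
}

// Both rules must be associated with the WEC so the AMA picks them up
resource assocNonSecurity 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = {
  name: 'dcra-wec-windowsevent'
  scope: wecVm
  properties: {
    dataCollectionRuleId: dcrNonSecurity.id
  }
}

resource assocSecurity 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = {
  name: 'dcra-wec-securityevent'
  scope: wecVm
  properties: {
    dataCollectionRuleId: dcrSecurity.id
  }
}
```

The two XPath filters are written to be complementary: the first excludes exactly the channels the second includes, so every forwarded event lands in one table and none is duplicated or silently dropped. If you add another channel to one rule, mirror the change in the other. You can sanity-check each query on the WEC itself before deploying, for example with `Get-WinEvent -LogName ForwardedEvents -FilterXPath '<query>' -MaxEvents 10`, and afterwards confirm in the workspace that `SecurityEvent` and `WindowsEvent` both receive data from the collector.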