Forum Discussion
Ciyaresh
Apr 25, 2022
Brass Contributor
Ingest logs from specific event channels using the AMA
Hello everyone!
We have recently implemented the https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor feature. Now we are trying to get these logs on Sentinel but not sure how to define a custom log collection policy to do so? Using the AMA, how can I define a policy to collect the logs below?
\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin
\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational
Thanks a lot!
1 Reply
mjomha
Copper Contributor
You'll probably want to create a Data Collection Rule or, if you have an existing one you're using to filter events on your machines, one that is using the Custom option under the "Collect" option in the Data Collection Rule.
You would simply add these 2 queries to the DCR to bring in all logs for those.
Format for the query: LogName!XPathQuery
For the above you'd add these 2 queries in the DCR:
Microsoft-AzureADPasswordProtection-DCAgent/Admin!*
Microsoft-AzureADPasswordProtection-DCAgent/Operational!*
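As an added example (not code from either poster), the following PowerShell first checks the two LogName!XPathQuery entries from the reply against the local event channels on a domain controller, so a mistyped channel name or XPath is caught before the rule is deployed, and then emits the windowsEventLogs data-source JSON for a Data Collection Rule that routes those events to a Log Analytics workspace through the Microsoft-Event stream (the stream that lands in the Event table that Sentinel queries). The function names, the workspace resource ID, the location and the data-source name are assumptions and placeholders to replace with your own values.

```powershell
# Added example, not from the thread. Assumes it runs on a DC with the
# Azure AD Password Protection DC agent installed and the Az.Monitor module
# available for deploying the resulting JSON.

# The two DCR entries quoted in the reply above, in LogName!XPathQuery form
$DcrQueries = @(
    'Microsoft-AzureADPasswordProtection-DCAgent/Admin!*',
    'Microsoft-AzureADPasswordProtection-DCAgent/Operational!*'
)

function Test-DcrXPathQuery {
    <#
    Splits each LogName!XPathQuery entry and runs the XPath against the local
    channel with Get-WinEvent, returning one summary object per entry.
    A missing channel or an XPath that matches nothing shows up here rather
    than as silent gaps in the workspace later.
    #>
    param([Parameter(Mandatory)][string[]]$Query)

    foreach ($q in $Query) {
        $logName, $xpath = $q -split '!', 2
        if (-not $xpath) { $xpath = '*' }   # bare channel name means "all events"

        $channel = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
        if (-not $channel) {
            [pscustomobject]@{ Query = $q; ChannelFound = $false; Enabled = $false; SampleEvents = 0 }
            continue
        }
        # -MaxEvents keeps the check cheap; we only need proof the XPath matches
        $sample = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Query        = $q
            ChannelFound = $true
            Enabled      = $channel.IsEnabled
            SampleEvents = $sample.Count
        }
    }
}

function New-DcrWindowsEventLogJson {
    <#
    Builds the DCR body: a windowsEventLogs data source carrying the XPath
    queries, a Log Analytics destination, and a data flow joining the two.
    Location, data-source name and workspace ID are caller-supplied placeholders.
    #>
    param(
        [Parameter(Mandatory)][string[]]$XPathQuery,
        [Parameter(Mandatory)][string]$WorkspaceResourceId,
        [string]$Location = 'westeurope',
        [string]$DataSourceName = 'aadPasswordProtectionDcAgent'
    )
    $rule = @{
        location   = $Location
        properties = @{
            dataSources = @{
                windowsEventLogs = @(
                    @{ name = $DataSourceName; streams = @('Microsoft-Event'); xPathQueries = $XPathQuery }
                )
            }
            destinations = @{
                logAnalytics = @( @{ name = 'sentinelWorkspace'; workspaceResourceId = $WorkspaceResourceId } )
            }
            dataFlows = @( @{ streams = @('Microsoft-Event'); destinations = @('sentinelWorkspace') } )
        }
    }
    $rule | ConvertTo-Json -Depth 10
}

# Usage: verify the channels locally, then write the rule body to a file
Test-DcrXPathQuery -Query $DcrQueries | Format-Table -AutoSize

$placeholderWorkspace = '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'
New-DcrWindowsEventLogJson -XPathQuery $DcrQueries -WorkspaceResourceId $placeholderWorkspace |
    Set-Content -Path .\aad-password-protection-dcr.json
```

The JSON file is the same body the portal builds when you pick the Custom option; it can be submitted with New-AzDataCollectionRule from the Az.Monitor module or through an ARM template. The rule only takes effect once a Data Collection Rule association links it to each domain controller running the agent, so if events still do not appear in the Event table, check the association and the Enabled column from Test-DcrXPathQuery before suspecting the XPath.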