*Thank you to Jing Nghik for assisting with the creation of this toolkit and to the Customer Connection Program for testing this solution.*
*This is going to be a long blog. I recommend reading it but alternatively there will be a video recording soon that will cover the workbook. TLDR: This workbook serves as a toolkit for data collection rules to make creating, editing, and monitoring DCRs in an environment easier. It is available today in the Workbooks Gallery within Microsoft Sentinel.*
It can be a little confusing when it comes to creating, monitoring, and modifying data collection rules from Azure Monitor. These components are split up between Azure Log Analytics, Azure Monitor, and Microsoft Sentinel. To address this, a new workbook has been developed in order to make interacting with data collection rules easier, cleaner, and more efficient. The workbook is broken up into 4 main tabs:
Creating Data Collection Rules
Linux
The Linux options are Syslog and CEF. These buttons open the existing experience for making data collection rules through the wizard provided by Azure Monitor.
To create a new DCR:
Windows
The Windows section is much deeper and is broken up into categories that determine which event IDs will be collected. The categories are:
Selecting a category produces a preconfigured array of event IDs together with options for modifying the array. The event IDs are converted to XPath in the background by a KQL function, and that XPath is used when deploying the DCR. The one exception is the file path category, which uses the existing Azure Monitor UI for DCRs.
If looking to manually add or exclude events, there is a section for manually adding/excluding events that will modify the xPath.
The number of distinct event IDs is shown alongside the array of IDs. Currently, DCRs have a limit of 100 items within an XPath. To work within this, the tool detects when there are more than 100 events and generates a second XPath and a second template to deploy; if there are more than 200, a third template is generated in the same way.
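As an added example (not the workbook's own KQL function, which this page does not reproduce), the Python below performs the same steps in code: apply the manual include/exclude adjustments to a category's event IDs, render them in the XPath form a Windows event log data source accepts, and split anything over 100 IDs into further data sources so each can be placed in its own template. The sample category and the data source names `windowsEvents1`, `windowsEvents2` are assumptions.

```python
"""Build Windows DCR XPath queries from a list of event IDs.

Added example, not code from the DCR Toolkit workbook. It mirrors the flow
described in the text: a preconfigured set of event IDs, a manual
include/exclude adjustment, conversion to XPath, and a split into groups of
at most 100 event IDs so each group can go into its own DCR template.
"""
import json
from typing import Iterable

# Limit stated in the text: a DCR accepts at most 100 items within an XPath.
XPATH_ITEM_LIMIT = 100

# Constructed sample "category" of event IDs (assumption, not the workbook's list).
SAMPLE_CATEGORY = [4624, 4625, 4648, 4672, 4688, 4720, 4732, 4756]


def resolve_event_ids(base: Iterable[int], include: Iterable[int] = (),
                      exclude: Iterable[int] = ()) -> list[int]:
    """Apply the manual add/exclude adjustments and return sorted distinct IDs."""
    ids = set(base) | set(include)
    ids -= set(exclude)
    return sorted(ids)


def chunk_event_ids(ids: list[int], limit: int = XPATH_ITEM_LIMIT) -> list[list[int]]:
    """Split the IDs into groups no larger than the per-XPath limit."""
    return [ids[i:i + limit] for i in range(0, len(ids), limit)]


def to_xpath(ids: list[int], channel: str = "Security") -> str:
    """Render one XPath query in the form the windowsEventLogs data source expects,
    e.g. Security!*[System[(EventID=4624 or EventID=4625)]]."""
    if not ids:
        raise ValueError("cannot build an XPath query for an empty event ID list")
    predicate = " or ".join(f"EventID={eid}" for eid in ids)
    return f"{channel}!*[System[({predicate})]]"


def build_windows_datasources(ids: list[int], channel: str = "Security") -> list[dict]:
    """Return one windowsEventLogs data source per chunk of <= 100 IDs. Each entry
    is meant for its own template, matching the second/third template behaviour
    described in the text. The names windowsEventsN are an assumption."""
    return [
        {
            "name": f"windowsEvents{idx + 1}",
            "streams": ["Microsoft-SecurityEvent"],
            "xPathQueries": [to_xpath(chunk, channel)],
        }
        for idx, chunk in enumerate(chunk_event_ids(ids))
    ]


if __name__ == "__main__":
    # Manually add 1102 (audit log cleared) and exclude 4756 from the sample category.
    ids = resolve_event_ids(SAMPLE_CATEGORY, include=[1102], exclude=[4756])
    print(json.dumps({"windowsEventLogs": build_windows_datasources(ids)}, indent=2))
```

Running the block prints a `windowsEventLogs` array ready to drop into a DCR's `dataSources`; feed it a list longer than 100 IDs and it returns two entries, one per template.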
Below this, each event is listed with a description of what it is, so users can see exactly what they will be ingesting when configuring the XPath.
For additional logs to consider for coverage, an active effort by the MSTIC team provides a list of events that are similar to events in security events. This data can be referenced to see where else the same data can be ingested from.
Once the events have been picked, a workspace destination, a data collection endpoint, and a name are needed. Once these are set, the template can be deployed.
To create a new Windows based DCR:
Transformation
The ‘Table Transformation DCR’ button will expand an interface that assists with creating a rule. This interface lists:
The goal of this tab is to allow users to create table specific ingestion transformation rules without having to leave the workbook. To create a new transformation DCR:
Custom Log
This button will just open the existing UI for creating a new custom table with a custom log DCR.
To create a new custom log:
Essentials
The Essentials button provides options to deploy a DCR that contains the key event IDs for using UEBA, Windows based hunting queries, or Windows based analytic rules. The goal for this section is to provide a quick start up for the three core features of Microsoft Sentinel. This can be useful early in a deployment when the team is evaluating which other event IDs should be ingested. To create a new Essential DCR:
Monitoring and Modifying DCRs
The third tab of the workbook allows users to monitor and review the existing DCRs in the environment. The goal is to centralize the DCRs and enable them to be modified without leaving Microsoft Sentinel.
Monitoring
The workbook uses Azure Resource Graph to retrieve the existing DCRs and present them in a user-friendly format.
To make a copy, the 'export template' button opens the blade with the ARM template of the selected DCR. This template can easily be redeployed as a new DCR or saved externally for future use.
Modifying
If looking to modify the existing DCR, the section includes a JSON editor for any selected DCR.
The editor will list the main body of the DCR that was clicked on in the first section. For changes:
Adding a Data Collection Endpoint:
To point an existing DCR at a data collection endpoint, the endpoint's resource ID can be entered manually. It appears as follows:
    {
        "properties": {
            "immutableId": "DCR IMMUTABLE ID",
            "dataCollectionEndpointId": "AZURE RESOURCE ID PATH HERE",
            "dataSources": { ...
Ingestion Time Transformation:
To add an ingestion-time transformation, a DCE must first be attached. Once that is done, the transformKql item needs to be entered. It appears as follows:
    "dataFlows": [
        {
            "streams": [
                "Microsoft-SecurityEvent"
            ],
            "destinations": [
                "WORKSPACE NAME"
            ],
            "transformKql": "source | KQL QUERY BODY HERE"
        }
    ] ...
To verify the KQL, the workspace editor can be opened by clicking the 'write transformation KQL' button. Once everything is ready, click the 'deploy update' button.
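The two edits above, as an added example in Python rather than through the workbook's JSON editor: attach a DCE by setting `dataCollectionEndpointId`, then set `transformKql` on the data flow carrying the target stream, refusing the transformation step when no DCE is attached (the prerequisite stated above) or when the query does not start from the `source` table. The DCR body, workspace and DCE resource IDs are constructed placeholders, not values from any real environment.

```python
"""Apply the two DCR edits described in the text to a DCR properties body.

Added example, not the workbook's own code. The DCR body below is a
constructed sample and every resource ID is a placeholder.
"""
import copy
import json

# Constructed sample: the main body of a DCR as the JSON editor would list it.
SAMPLE_DCR_PROPERTIES = {
    "immutableId": "dcr-PLACEHOLDER",
    "dataSources": {
        "windowsEventLogs": [{
            "name": "windowsEvents1",
            "streams": ["Microsoft-SecurityEvent"],
            "xPathQueries": ["Security!*[System[(EventID=4624 or EventID=4625)]]"],
        }]
    },
    "destinations": {
        "logAnalytics": [{
            "name": "WORKSPACE NAME",
            "workspaceResourceId": "/subscriptions/PLACEHOLDER/resourceGroups/rg-PLACEHOLDER/"
                                   "providers/Microsoft.OperationalInsights/workspaces/ws-PLACEHOLDER",
        }]
    },
    "dataFlows": [{"streams": ["Microsoft-SecurityEvent"], "destinations": ["WORKSPACE NAME"]}],
}


def attach_dce(props: dict, dce_resource_id: str) -> dict:
    """Return a copy of the properties with dataCollectionEndpointId set to a
    full DCE resource ID (path under /subscriptions/.../dataCollectionEndpoints/...)."""
    if not dce_resource_id.startswith("/subscriptions/") or \
            "/datacollectionendpoints/" not in dce_resource_id.lower():
        raise ValueError("dataCollectionEndpointId must be a full DCE Azure resource ID")
    updated = copy.deepcopy(props)
    updated["dataCollectionEndpointId"] = dce_resource_id
    return updated


def check_transform_ready(props: dict, stream: str) -> list[str]:
    """List what blocks adding a transformation: no DCE attached (the prerequisite
    in the text), or no dataFlow that carries the stream to be transformed."""
    problems = []
    if not props.get("dataCollectionEndpointId"):
        problems.append("no data collection endpoint attached")
    if not any(stream in f.get("streams", []) for f in props.get("dataFlows", [])):
        problems.append(f"no dataFlow carries stream {stream}")
    return problems


def add_transform(props: dict, stream: str, transform_kql: str) -> dict:
    """Return a copy with transformKql set on every dataFlow carrying `stream`.
    The KQL must start from the virtual `source` table, as in the text's example."""
    problems = check_transform_ready(props, stream)
    if problems:
        raise ValueError("; ".join(problems))
    if not transform_kql.lstrip().startswith("source"):
        raise ValueError("transformKql must begin with the 'source' table")
    updated = copy.deepcopy(props)
    for flow in updated["dataFlows"]:
        if stream in flow.get("streams", []):
            flow["transformKql"] = transform_kql
    return updated


if __name__ == "__main__":
    # Placeholder DCE resource ID (constructed, not a real resource).
    dce = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-PLACEHOLDER"
           "/providers/Microsoft.Insights/dataCollectionEndpoints/dce-PLACEHOLDER")
    body = add_transform(attach_dce(SAMPLE_DCR_PROPERTIES, dce),
                         "Microsoft-SecurityEvent", "source | where EventID != 4634")
    print(json.dumps({"properties": body}, indent=2))
```

Calling `add_transform` on the untouched sample body raises, because the DCE has not been attached yet; the printed output after `attach_dce` is the body shape shown above, ready for the 'deploy update' step.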
Further Breakdown
The fourth tab allows for further review of a selected DCR. This tab dissects the selected DCR to highlight the source, streams, transformation KQL, and destination.
The goal of this tab is to help break down selected DCRs in order to better see the main components of it. This allows users to isolate a DCR of interest while being able to easily view the configuration.
DCR Reporting
The next tab is a simple reporting table that will highlight which events are being collected by DCRs and how much ingestion they are generating. This report will cover Windows security events, Syslog, and custom logs.
The goal of the reporting is to highlight whether more than one DCR is collecting the same event and reporting it to the same workspace. Unfortunately, DCR templates do not track which machines are provisioned under them, so it is not possible at this time to report which machines may be reporting the same event twice. The closest that can be done is via KQL.
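An added example of the duplicate-collection check this tab is after, written in Python over DCR bodies of the shape Azure Resource Graph returns rather than as the workbook's own query: it pulls event IDs out of each `windowsEventLogs` XPath, follows the data flows to their workspace destinations, and reports every (workspace, event ID) pair that two or more DCRs collect. The three DCRs and their resource IDs are constructed. XPath predicates that select by Keywords or Level rather than EventID are not parsed, so events matched only that way are not counted.

```python
"""Report Windows event IDs collected by more than one DCR into the same workspace.

Added example, not the workbook's reporting query. Works over DCR resources of
the shape Azure Resource Graph returns; the sample DCRs below are constructed.
"""
import re
from collections import defaultdict

# Matches the EventID=NNNN terms inside an XPath such as
# Security!*[System[(EventID=4624 or EventID=4625)]]
EVENT_ID_RE = re.compile(r"EventID=(\d+)")

# Constructed placeholder workspace resource IDs (not real resources).
WS_A = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-PLACEHOLDER"
        "/providers/Microsoft.OperationalInsights/workspaces/ws-a-PLACEHOLDER")
WS_B = WS_A.replace("ws-a-PLACEHOLDER", "ws-b-PLACEHOLDER")


def make_dcr(name: str, workspace_id: str, event_ids: list[int]) -> dict:
    """Build a minimal DCR resource: one Security-channel data source flowing to one workspace."""
    predicate = " or ".join(f"EventID={e}" for e in event_ids)
    return {
        "name": name,
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "windowsEvents1",
                "streams": ["Microsoft-SecurityEvent"],
                "xPathQueries": [f"Security!*[System[({predicate})]]"],
            }]},
            "destinations": {"logAnalytics": [{"name": "la-dest", "workspaceResourceId": workspace_id}]},
            "dataFlows": [{"streams": ["Microsoft-SecurityEvent"], "destinations": ["la-dest"]}],
        },
    }


# Constructed sample: two DCRs overlap on 4688 into workspace A; the third goes to workspace B.
SAMPLE_DCRS = [
    make_dcr("dcr-essentials", WS_A, [4624, 4625, 4688]),
    make_dcr("dcr-process-tracking", WS_A, [4688, 4720]),
    make_dcr("dcr-other-workspace", WS_B, [4688]),
]


def event_ids_from_xpath(xpath: str) -> set[int]:
    """Extract the EventID terms; Keywords/Level-based predicates yield nothing."""
    return {int(m) for m in EVENT_ID_RE.findall(xpath)}


def collected_events(dcr: dict) -> set[tuple[str, int]]:
    """Return (workspaceResourceId, eventId) pairs this DCR collects, by following
    dataFlows from the windowsEventLogs streams to the logAnalytics destinations."""
    props = dcr["properties"]
    targets = {d["name"]: d["workspaceResourceId"].lower()
               for d in props.get("destinations", {}).get("logAnalytics", [])}
    stream_ids: dict[str, set[int]] = defaultdict(set)
    for ds in props.get("dataSources", {}).get("windowsEventLogs", []):
        ids = set().union(*(event_ids_from_xpath(x) for x in ds.get("xPathQueries", [])))
        for stream in ds.get("streams", []):
            stream_ids[stream] |= ids
    pairs = set()
    for flow in props.get("dataFlows", []):
        ids = set().union(*(stream_ids.get(s, set()) for s in flow.get("streams", [])))
        for dest in flow.get("destinations", []):
            if dest in targets:
                pairs |= {(targets[dest], eid) for eid in ids}
    return pairs


def find_duplicate_collection(dcrs: list[dict]) -> dict[tuple[str, int], list[str]]:
    """Map each (workspace, eventId) collected by two or more DCRs to those DCR names."""
    owners: dict[tuple[str, int], list[str]] = defaultdict(list)
    for dcr in dcrs:
        for pair in collected_events(dcr):
            owners[pair].append(dcr["name"])
    return {pair: sorted(names) for pair, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for (workspace, eid), names in find_duplicate_collection(SAMPLE_DCRS).items():
        print(f"EventID {eid} -> {workspace.rsplit('/', 1)[-1]} collected by: {', '.join(names)}")
```

Pointing the same function at the DCR list exported from Azure Resource Graph gives the per-workspace overlap the tab reports; as the text notes, it cannot say which machines are double-reporting, only which rules overlap.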
Additional Tooling
The final tab of the tool lists potentially relevant and useful tools that exist today in relation to data collection. Tools such as workbooks can be opened within the DCR Toolkit without leaving it. Additional tools, such as a DCR library and the MMA to AMA migration script, can also be used from here.
With that, the tool is covered. Begin utilizing this tool when looking to speed up data collection and DCR creation. For more information on everything covered in this toolkit, please refer to the public documents: