Connect Microsoft Sentinel to other Microsoft services with a Windows agent-based data connector

This article describes how to connect Microsoft Sentinel to other Microsoft services by using Windows agent-based connections. Microsoft Sentinel uses the Azure Monitor Agent to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, Amazon Web Services, and various Windows Server services.

The Azure Monitor Agent uses Data collection rules (DCRs) to define the data to collect from each agent. Data collection rules offer you two distinct advantages:

  • Manage collection settings at scale while still allowing unique, scoped configurations for subsets of machines. They are independent of the workspace and independent of the virtual machine, which means they can be defined once and reused across machines and environments. See Configure data collection for the Azure Monitor Agent.

  • Build custom filters to choose the exact events you want to ingest. The Azure Monitor Agent uses these rules to filter the data at the source and ingest only the events you want, while leaving everything else behind. This can save you a lot of money in data ingestion costs!

Important

Some connectors based on the Azure Monitor Agent (AMA) are currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

  • You must have read and write permissions on the Microsoft Sentinel workspace.

  • To collect events from any system that is not an Azure virtual machine, the system must have Azure Arc installed and enabled before you enable the Azure Monitor Agent-based connector.

    This includes:

    • Windows servers installed on physical machines
    • Windows servers installed on on-premises virtual machines
    • Windows servers installed on virtual machines in non-Azure clouds
  • For the Windows Forwarded Events data connector:

  • Install the related Microsoft Sentinel solution from the Content Hub in Microsoft Sentinel. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

Create data collection rules via the GUI

  1. From Microsoft Sentinel, select Configuration > Data connectors. Select your connector from the list, and then select Open connector page on the details pane. Then follow the on-screen instructions under the Instructions tab, as described through the rest of this section.

  2. Verify that you have the appropriate permissions as described under the Prerequisites section on the connector page.

  3. Under Configuration, select +Add data collection rule. The Create data collection rule wizard will open to the right.

  4. Under Basics, enter a Rule name and specify a Subscription and Resource group where the data collection rule (DCR) will be created. This does not have to be the same resource group or subscription the monitored machines and their associations are in, as long as they are in the same tenant.

  5. In the Resources tab, select +Add resource(s) to add machines to which the Data Collection Rule will apply. The Select a scope dialog will open, and you will see a list of available subscriptions. Expand a subscription to see its resource groups, and expand a resource group to see the available machines. You will see Azure virtual machines and Azure Arc-enabled servers in the list. You can mark the check boxes of subscriptions or resource groups to select all the machines they contain, or you can select individual machines. Select Apply when you've chosen all your machines. At the end of this process, the Azure Monitor Agent will be installed on any selected machines that don't already have it installed.

  6. On the Collect tab, choose the events you would like to collect: select All events or Custom to specify other logs or to filter events using XPath queries. Enter expressions in the box that evaluate to specific XML criteria for events to collect, then select Add. You can enter up to 20 expressions in a single box, and up to 100 boxes in a rule.

    For more information, see the Azure Monitor documentation.

    Note

    • The Windows Security Events connector offers two other pre-built event sets you can choose to collect: Common and Minimal.

    • The Azure Monitor Agent supports XPath queries for XPath version 1.0 only.

    To test the validity of an XPath query, use the PowerShell cmdlet Get-WinEvent with the -FilterXPath parameter. For example:

    $XPath = '*[System[EventID=1035]]'
    Get-WinEvent -LogName 'Application' -FilterXPath $XPath
    
    • If events are returned, the query is valid.
    • If you receive the message "No events were found that match the specified selection criteria," the query may be valid, but there are no matching events on the local machine.
    • If you receive the message "The specified query is invalid," the query syntax is invalid.
  7. When you've added all the filter expressions you want, select Next: Review + create.

  8. When you see the Validation passed message, select Create.

You'll see all your data collection rules, including those created through the API, under Configuration on the connector page. From there you can edit or delete existing rules.

Create data collection rules using the API

You can also create data collection rules using the API, which can make life easier if you're creating many rules, such as if you're an MSSP. Here's an example (for the Windows Security Events via AMA connector) that you can use as a template for creating a rule:

Request URL and header

PUT https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2019-11-01-preview

Request body

{
    "location": "chinaeast2",
    "properties": {
        "dataSources": {
            "windowsEventLogs": [
                {
                    "streams": [
                        "Microsoft-SecurityEvent"
                    ],
                    "xPathQueries": [
                        "Security!*[System[(EventID=4688) or (EventID=4663) or (EventID=4624) or (EventID=4657) or (EventID=4100) or (EventID=4104) or (EventID=5140) or (EventID=5145) or (EventID=5156)]]"
                    ],
                    "name": "eventLogsDataSource"
                }
            ]
        },
        "destinations": {
            "logAnalytics": [
                {
                    "workspaceResourceId": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
                    "name": "centralWorkspace"
                }
            ]
        },
        "dataFlows": [
            {
                "streams": [
                    "Microsoft-SecurityEvent"
                ],
                "destinations": [
                    "centralWorkspace"
                ]
            }
        ]
    }
}
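
The XPath validity test from the Collect step can be applied to every entry in a request body's xPathQueries before the rule is submitted. The following is an added example, not part of the original article or of Microsoft's tooling: Test-DcrXPathQuery is a hypothetical helper name, the sample body is constructed, and the script assumes English error messages and a Windows machine that has the referenced logs.

```powershell
# Added example: pre-flight check of the xPathQueries in a DCR request body.
# Test-DcrXPathQuery is a hypothetical helper name, not a Microsoft cmdlet.
function Test-DcrXPathQuery {
    param(
        [Parameter(Mandatory)][string]$RequestBody   # DCR request body as JSON text
    )

    $dcr = $RequestBody | ConvertFrom-Json
    foreach ($source in $dcr.properties.dataSources.windowsEventLogs) {
        foreach ($query in $source.xPathQueries) {
            # DCR entries have the form '<LogName>!<XPath>'. Split on the first '!'
            # only, because the XPath part may itself contain '!='.
            $logName, $xPath = $query -split '!', 2
            $status = 'Valid: events returned'
            try {
                # One event is enough to show that the query parses and matches.
                $null = Get-WinEvent -LogName $logName -FilterXPath $xPath `
                            -MaxEvents 1 -ErrorAction Stop
            }
            catch {
                # Map the messages quoted in the article to a result
                # (assumption: English-language error text).
                $status = switch -Wildcard ($_.Exception.Message) {
                    '*No events were found*'       { 'May be valid: no matching events on this machine'; break }
                    '*specified query is invalid*' { 'Invalid: query syntax rejected'; break }
                    default                        { "Not tested: $($_.Exception.Message)" }
                }
            }
            [pscustomobject]@{
                DataSource = $source.name
                LogName    = $logName
                XPath      = $xPath
                Result     = $status
            }
        }
    }
}

# Constructed sample body: one well-formed query and one with an empty comparison.
$sampleBody = @'
{ "properties": { "dataSources": { "windowsEventLogs": [ {
    "name": "eventLogsDataSource",
    "streams": [ "Microsoft-SecurityEvent" ],
    "xPathQueries": [
        "Application!*[System[EventID=1035]]",
        "Application!*[System[(EventID=) or (EventID=1035)]]"
    ]
} ] } } }
'@

Test-DcrXPathQuery -RequestBody $sampleBody | Format-Table -AutoSize -Wrap
```

Reading the Security log requires an elevated session; without it the query is reported as "Not tested" rather than invalid.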
