Microsoft Sentinel – Ingesting Windows Server Event Logs from Azure VMs

Last Updated: 04/11/2024

Ingesting Windows Server event logs can provide lots of valuable data for both detections and investigations. The process of obtaining these logs differ, depending on if the server sits within Azure or on-prem and if the servers have direct internet access. 

Any server located in Azure is simple, we only need to create a Data Collection Rule (DCR) within Azure.

For on-premises/non-Azure machines, we have two options:

  1. Direct connection using Azure Arc
  2. Using WEF (Windows Event Forwarding) as a collector

For the purpose of this article, we will cover the simple option of ingesting Windows server event logs for an Azure VM. However, in subsequent articles I will detail the two methods for On-premises servers.

Creating the Data Collection Rule

Navigate to your Microsoft Sentinel instance and access the ‘Content Hub’, in the search bar search for: “Windows Security Events” and select the solution.

Sentinel Content Hub Windows Server Event Logs

Install the solution, and once installed, select manage. On the management page, select the ‘Windows Security Events via AMA’ data connector, and open the connector page.

Windows Server Event Logs AMA Data Connector Sentinel Content Hub

From the connector page, select ‘+Create data collection rule’ and the righthand side pane will the collection rule wizard will appear. Fill in the name of the rule and where the object is stored in Azure.

Data Collection Rule Sentinel AMA VMs

After clicking ‘Next’ you can then scope where this rule will apply to. The rule can be scoped to Subscriptions, Resource Groups and individual VMs.

Azure Data Collection Rule Scope

After you have selected your resources, click ‘Next’ to go to the collection settings. You can now select what level of events you would like to collect. The options are:

  • All Security Events – All Windows Security and App Locker Events.
  • Common – A standard set of events for auditing purposes.
  • Minimal – A small set of events that might indicate potential threats.
  • Custom – Allows you to filter and select the events you require by using an Xpath query.

Data Collection Rule collect options Windows Server Event Logs

Once you have selected this, you can create the rule. This will then configure the machines in the background to send the Windows event logs into Sentinel. It can sometime take a bit of time before logs start ingesting, mine started within 5 minutes but this was for a single VM located in Azure.

Validate Data Ingestion

You can check by querying the ‘SecurityEvent’ table from the ‘Logs’ section.

Hopefully this serves as a quick guide on getting Windows events into Microsoft Sentinel. I will in future posts detail the other methods for Azure Arc and using Windows Event Forwarding as a data collector.

If your planning your implementation of Microsoft Sentinel, please check out my post which highlights considerations for planning.

Leave a Reply

Your email address will not be published. Required fields are marked *