Configure Windows Security events with data collection rules
Data Collection Rules (DCRs) in Microsoft Sentinel provide a powerful and flexible way to configure the collection of Windows Security events from your endpoints. DCRs allow you to define exactly which events to collect, reducing storage costs and improving query performance by filtering data at the source.
To configure Windows Security events with DCRs, you first need to ensure you have the Azure Monitor Agent (AMA) deployed on your Windows machines. The AMA replaces the legacy Log Analytics agent and works seamlessly with DCRs.
When creating a DCR for Windows Security events, navigate to the Azure portal and access the Data Collection Rules section under Azure Monitor. Click Create to start the configuration wizard. You will specify the subscription, resource group, rule name, and region for your DCR.
In the Resources section, you add the virtual machines or Azure Arc-enabled servers from which you want to collect events. The Collect and deliver section is where you define the data source type as Windows Event Logs and specifically select Security events.
Microsoft provides several predefined event sets including Common, Minimal, and All Security Events. The Common set includes events related to successful and failed logins, user account management, and security policy changes. The Minimal set focuses on high-fidelity events for threat detection. You can also create custom XPath queries to collect specific event IDs based on your security requirements.
The destination configuration specifies the Log Analytics workspace where collected events will be stored. You can send data to multiple workspaces if needed for different purposes.
After saving the DCR, it automatically associates with the specified resources. The Azure Monitor Agent begins collecting the defined events and forwarding them to your workspace. You can monitor the health of data collection through Azure Monitor metrics and verify event ingestion in the SecurityEvent table within your Log Analytics workspace.
Configure Windows Security Events with Data Collection Rules
Why This Is Important
Windows Security events are critical for detecting threats, investigating incidents, and maintaining compliance in enterprise environments. As a Security Operations Analyst, you must understand how to efficiently collect and filter these events using Data Collection Rules (DCRs) in Microsoft Sentinel. This skill is essential for the SC-200 exam and real-world security operations.
What Are Data Collection Rules?
Data Collection Rules (DCRs) are configuration objects in Azure Monitor that define:
- What data to collect from Windows Security event logs
- How to filter and transform the collected data
- Where to send the data (Log Analytics workspace)
DCRs replace the legacy Windows Security Events connector method, offering more granular control over data ingestion.
How It Works
1. Azure Monitor Agent (AMA) is installed on Windows machines
2. DCR is created specifying which security events to collect
3. DCR is associated with target machines via Data Collection Rule Associations
4. Events flow to the specified Log Analytics workspace connected to Sentinel
Event Collection Tiers
- All Events: Collects all Windows Security and AppLocker events
- Common: Standard audit events for most scenarios
- Minimal: Small set of critical events only
- Custom: You define specific Event IDs using XPath queries
Key Configuration Steps
1. Navigate to Microsoft Sentinel Data Connectors
2. Select Windows Security Events via AMA
3. Create a new Data Collection Rule
4. Select target resources (VMs, Arc-enabled servers)
5. Choose collection tier or define custom XPath filters
6. Complete the configuration and verify data ingestion
XPath Queries for Custom Collection
XPath queries allow precise filtering. Example format:
Security!*[System[(EventID=4624 or EventID=4625)]]
This collects only logon success (4624) and failure (4625) events.
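The following added example (not part of the original study notes or of any Microsoft tooling) shows what the portal wizard in the configuration steps above produces behind the scenes: it builds the DCR body for a custom Security event collection, using the Azure Monitor DCR resource layout (windowsEventLogs data source, the Microsoft-SecurityEvent stream, a Log Analytics destination and a data flow), and then replays the XPath filter over a constructed set of events to show which ones the agent would forward. The workspace resource ID, region and sample events are placeholders.

```python
"""Build a Sentinel DCR for custom Windows Security event collection and preview its effect."""
import json
import re

def build_xpath(event_ids):
    """Return a DCR XPath of the form 'Security!*[System[(EventID=a or EventID=b)]]'.

    DCR XPath queries are prefixed with the channel name and '!', so the query
    itself is what Windows Event Log would evaluate against the Security channel.
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one Event ID is required")
    return "Security!*[System[(" + " or ".join(f"EventID={i}" for i in ids) + ")]]"

def build_security_dcr(location, workspace_resource_id, event_ids):
    """Return the DCR body that sends only the chosen Security events to one workspace."""
    return {
        "location": location,
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "securityEvents",
                "streams": ["Microsoft-SecurityEvent"],  # lands in the SecurityEvent table
                "xPathQueries": [build_xpath(event_ids)],
            }]},
            "destinations": {"logAnalytics": [{
                "name": "sentinelWorkspace",
                "workspaceResourceId": workspace_resource_id,
            }]},
            # The data flow ties the stream to the destination; without it nothing is delivered.
            "dataFlows": [{"streams": ["Microsoft-SecurityEvent"],
                           "destinations": ["sentinelWorkspace"]}],
        },
    }

_XPATH_RE = re.compile(r"^Security!\*\[System\[\((EventID=\d+)( or EventID=\d+)*\)\]\]$")

def collected_ids(xpath):
    """Parse the Event IDs an XPath of the above form collects; reject other shapes."""
    if not _XPATH_RE.match(xpath):
        raise ValueError(f"unsupported XPath form: {xpath}")
    return {int(m) for m in re.findall(r"EventID=(\d+)", xpath)}

def simulate_collection(xpath, events):
    """Return the events (dicts with an 'EventID' key) the agent would forward."""
    wanted = collected_ids(xpath)
    return [e for e in events if e["EventID"] in wanted]

# Constructed sample events standing in for a Security log (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Account": "alice"},  # logon success: collected
    {"EventID": 4625, "Account": "bob"},    # logon failure: collected
    {"EventID": 4688, "Account": "svc"},    # process creation: filtered out at the source
    {"EventID": 4720, "Account": "admin"},  # account created: filtered out at the source
]

if __name__ == "__main__":
    ws = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE>"
    print(json.dumps(build_security_dcr("<REGION>", ws, [4624, 4625]), indent=2))
    print(simulate_collection(build_xpath([4624, 4625]), SAMPLE_EVENTS))
```

Extending the Event ID list (for example adding 4720 for account creation) changes only the XPath, which is why the custom tier gives the granular, cost-controlled collection the exam tips refer to.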
Exam Tips: Answering Questions on Configure Windows Security Events with Data Collection Rules
- Know the difference between AMA and MMA: Questions often test whether you understand that DCRs require the Azure Monitor Agent, not the legacy Microsoft Monitoring Agent
- Memorize collection tiers: Understand what All Events, Common, and Minimal include, as scenario questions test which tier fits specific requirements
- XPath query syntax: Be familiar with basic XPath structure for custom event filtering
- Resource associations: Remember that DCRs must be associated with resources; creating a DCR alone does not start collection
- Prerequisites matter: The Azure Monitor Agent must be installed before DCRs can collect data
- Cost optimization scenarios: When a question mentions reducing costs or data volume, think about using Minimal tier or custom XPath filters
- Compliance scenarios: When comprehensive logging is required, All Events tier is typically the answer
- Look for keywords: Terms like granular control, filtering, or specific Event IDs point toward custom DCR configurations
- Multi-workspace scenarios: DCRs can send data to multiple destinations; watch for questions about this capability
- Transformation support: DCRs support data transformation at ingestion time, which can reduce storage costs