Data collection rule for security events not working in Azure sentinel

Jasper Van Damme 111

Hi,

I am trying to migrate away from the Log Analytics agent to the Azure monitoring agent for the security events in Azure sentinel. Reason being that I only need certain event ID's. For that I have already configured one server with the azure monitoring agent which is not visible in Arc.

However, when I configure a custom data collection rule, it is not working. I have tested the xpath query locally on the domain controller and there it works fine.
All the other agents that are still using the old Security Events solution are working fine. But I don't see any data coming in from the new domain controller with the Azure monitoring agents.

The Azure monitoring agent is in a healthy state in the Azure portal.

I currently have the Security Events and Windows Security Events (Preview) active in Azure sentinel.

Here are the two event collection rules that I have configured:

I have tried various xpath queries already but none seem to be collecting the data.

Any ideas?
Br,
Jasper

1 answer

George Moise 2,346 Reputation points Microsoft Employee

2021-08-06T09:49:42.37+00:00

Hi Jasper,

Two things here... 1st, if the VM from where you want to collect these specific Security Events is not an Azure VM, then you need to ensure that this VM is onboarded on Azure Arc (if is an Azure VM, then the Data Collection Rule (DCR) should allow you to select it as a Resource)

The 2nd one, based on the documentation here, please try to configure the DCR with following XPath Query:

Security!*[System[(EventID=4624 or EventID=4768)]]

BR,
George
Please sign in to rate this answer.
Jasper Van Damme 111 Reputation points

2021-08-06T10:05:14.843+00:00

Hey George,

As you can see in the screenshot, the server is indeed onboarded in Azure Arc. I am able to select the on-prem server during the rule creation so I think everything is working fine in that regard.

I will adapt the query to see if it makes a difference, but I had already tried the ones based on the docs as well and those didn't seem to work either.
Perhaps an on-prem server with azure arc is not yet supported in the preview security solution?

Br,
Jasper

George Moise 2,346 Reputation points Microsoft Employee

2021-08-06T10:18:32.083+00:00

On-prem server with Azure Arc should be supported:

"To collect events from Windows machines that are not Azure VMs, the machines (physical or virtual) must have Azure Arc installed and enabled. Learn more."

Jasper Van Damme 111 Reputation points

2021-08-10T12:05:38.837+00:00

Hey George,

I have adapted your query and it seems to ingest data, so thank you for that.

However, I have started to expand the number of agents and so far, after waiting for about 2 hours, only 11 out of 26 are reporting any data. I checked and indeed the events that it should collect are being generated, but they are not sent to Azure sentinel. There's just one data collection rule and all agents are installed the same way.
Do you know any logs that can be checked from the agent itself that can help me understand why it is failing?

Br,
Jasper

Jasper Van Damme 111 Reputation points

2021-08-10T12:26:50.113+00:00

I think I may have found the issue. The problem was related to proxy configuration. The agent attempts to update third party root certificates, but is unable to as there is no system wide proxy configured. The eventviewer was flooded with CAPI2 4104 error events saying:
Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt> with error: This network connection does not exist.

This started happening after installation of the agent so I'm fairly sure it was related. After configuring the proxy, the third party root certificates were downloaded and the events seem to be coming through.

Br,
Jasper
Sign in to comment