0 Votes
JasperVanDamme-9898 asked JasperVanDamme-9898 commented

Data collection rule for security events not working in Azure Sentinel


I am trying to migrate away from the Log Analytics agent to the Azure monitoring agent for the security events in Azure Sentinel. Reason being that I only need certain event IDs. For that I have already configured one server with the Azure monitoring agent which is not visible in Arc.

However, when I configure a custom data collection rule, it is not working. I have tested the XPath query locally on the domain controller and there it works fine.
All the other agents that are still using the old Security Events solution are working fine. But I don't see any data coming in from the new domain controller with the Azure monitoring agents.

The Azure monitoring agent is in a healthy state in the Azure portal.

I currently have the Security Events and Windows Security Events (Preview) active in Azure Sentinel.

Here are the two event collection rules that I have configured:

I have tried various XPath queries already but none seem to be collecting the data.

Any ideas?

image.png (39.0 KiB)
image.png (27.3 KiB)

1 Answer

0 Votes
GeorgeMoise-0315 answered JasperVanDamme-9898 commented

Hi Jasper,

Two things here... 1st, if the VM from where you want to collect these specific Security Events is not an Azure VM, then you need to ensure that this VM is onboarded on Azure Arc (if it is an Azure VM, then the Data Collection Rule (DCR) should allow you to select it as a Resource).

The 2nd one, based on the documentation here, please try to configure the DCR with the following XPath query:

Security!*[System[(EventID=4624 or EventID=4768)]]



Hey George,

As you can see in the screenshot, the server is indeed onboarded in Azure Arc. I am able to select the on-prem server during the rule creation so I think everything is working fine in that regard.

I will adapt the query to see if it makes a difference, but I had already tried the ones based on the docs as well and those didn't seem to work either.
Perhaps an on-prem server with Azure Arc is not yet supported in the preview security solution?


0 Votes

Hey George,

I have adapted your query and it seems to ingest data, so thank you for that.

However, I have started to expand the number of agents and so far, after waiting for about 2 hours, only 11 out of 26 are reporting any data. I checked and indeed the events that it should collect are being generated, but they are not sent to Azure Sentinel. There's just one data collection rule and all agents are installed the same way.
Do you know any logs that can be checked from the agent itself that can help me understand why it is failing?


1 Vote
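
A local check for queries in the `<LogName>!<XPath>` form used in the answer, as an added example that is not part of the original thread: it splits each query the way that format implies and runs it against the local event log, separating "query is malformed" from "query is valid but nothing matched". The function name `Test-DcrXPathQuery` and the second sample query are constructed for illustration; run it in an elevated session on the server in question, since reading the Security log requires administrator rights.

```powershell
# Added example: validate DCR-style XPath queries against the local event logs.
function Test-DcrXPathQuery {
    [CmdletBinding()]
    param(
        # Query in the form "<LogName>!<XPath>", as in the answer above.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Query,
        # Number of matching events to sample (assumed default for this example).
        [int]$MaxEvents = 5
    )
    process {
        # Split on the first '!' only: the XPath part may itself contain '!' (e.g. '!=').
        $logName, $xpath = $Query -split '!', 2
        $result = [ordered]@{ Query = $Query; LogName = $logName; Status = ''; Newest = $null; Detail = '' }

        if ([string]::IsNullOrWhiteSpace($xpath)) {
            $result.Status = 'BadFormat'
            $result.Detail = "Expected '<LogName>!<XPath>'"
        }
        else {
            try {
                # Get-WinEvent returns newest events first, so index 0 is the most recent match.
                $events = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop)
                $result.Status = 'Match'
                $result.Newest = $events[0].TimeCreated
                $result.Detail = ($events | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
            }
            catch {
                if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                    $result.Status = 'NoEvents'   # query parsed, but nothing matched
                }
                else {
                    $result.Status = 'Error'      # invalid XPath, unknown log, or access denied
                }
                $result.Detail = $_.Exception.Message
            }
        }
        [pscustomobject]$result
    }
}

# The query from the answer, plus a constructed one with the log name missing, for contrast.
'Security!*[System[(EventID=4624 or EventID=4768)]]',
'*[System[(EventID=4624)]]' | Test-DcrXPathQuery | Format-Table -AutoSize -Wrap
```

A `Match` result only shows that the events exist locally and the query selects them; it says nothing about whether the agent has received the rule or is forwarding data.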