Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!

Published Jun 24 2021 08:11 PM 7,478 Views
Microsoft

Cyb3rWard0g_7-1624588039379.png

 

 

Last week, on Monday June 14th, 2021, a new version of the Windows Security Events data connector reached public preview. It is the first data connector built on the newly generally available Azure Monitor Agent (AMA) and Data Collection Rules (DCR) features of the Azure Monitor ecosystem. As with any other new feature in Azure Sentinel, I wanted to expedite the testing process and empower others in the InfoSec community with a lab environment to learn more about it. 

 

In this post, I will talk about the new features of the data connector and how to automate the deployment of an Azure Sentinel instance with the connector enabled, the creation and association of DCRs, and the installation of the AMA on a Windows workstation. This is an extension of a blog post I wrote last year (2020), where I covered the collection of Windows security events via the Log Analytics Agent (legacy). 
 

Recommended Reading

 

I highly recommend reading the following blog posts to learn more about the announcement of the new Azure Monitor features and the Windows Security Events data connector: 

Azure Sentinel To-Go!? 

 

Azure Sentinel2Go is an open-source project maintained and developed by the Open Threat Research community to automate the deployment of an Azure Sentinel research lab and a data ingestion pipeline to consume pre-recorded datasets. Every environment I release through this initiative is an environment I use and test while performing research as part of my role in the MSTIC R&D team. Therefore, I am constantly trying to improve the deployment templates as I cover more scenarios. Feedback is greatly appreciated. 
 

 

A New Version of the Windows Security Events Connector? 

 

According to Microsoft docs, the Windows Security Events connector lets you stream security events from any Windows server (physical or virtual, on-premises or in any cloud) connected to your Azure Sentinel workspace. After last week's release, there are two versions of this connector:  

  • Security events (legacy version): based on the Log Analytics Agent, also known as the Microsoft Monitoring Agent (MMA) or Operations Management Suite (OMS) agent. 
  • Windows Security Events (new version): based on the new Azure Monitor Agent (AMA). 

 

In your Azure Sentinel data connector's view, you can now see both connectors: 
 

Cyb3rWard0g_0-1624563350650.png

 

A New Version? What is New? 

 

Data Connector Deployment  

 

Besides using the Log Analytics Agent to collect and ship events, the old connector uses the Data Sources resource from the Log Analytics Workspace resource to set the collection tier of Windows security events. 
 

Cyb3rWard0g_1-1624563350661.png

 

The new connector, on the other hand, uses a combination of Data Collection Rules (DCRs) and Data Collection Rule Associations (DCRAs). A DCR defines what data to collect and where to send it; this is where we point the data at the Log Analytics workspace backing our Azure Sentinel instance. 
 

Cyb3rWard0g_2-1624563350663.png

 

 
In order to apply a DCR to a virtual machine, one needs to create an association between the machine and the rule. A virtual machine may have an association with multiple DCRs, and a DCR may have multiple virtual machines associated with it. 
 

Cyb3rWard0g_3-1624563350658.png

 

 

 

For more detailed information about setting up the Windows Security Events connector manually with either the Log Analytics Agent or the Azure Monitor Agent, take a look at this document.
 

Data Collection Filtering Capabilities 

 

The old connector does not let you choose which specific events to collect. These are the only options for collecting data from Windows machines with it:

 

  • All events - All Windows security and AppLocker events. 
  • Common - A standard set of events for auditing purposes. The Common event set may contain some types of events that aren't so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability. 
  • Minimal - A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence.  
  • None - No security or AppLocker events. (This setting is used to disable the connector.) 
     

According to Microsoft docs, these are the pre-defined security event collection groups depending on the tier set: 
 

Cyb3rWard0g_4-1624563350652.png

 
The new connector, on the other hand, allows custom data collection via XPath queries. These queries are defined when the data collection rule is created and are written in the form LogName!XPathQuery. Here are a few examples:

 

  • Collect only Security events with Event ID = 4624 
Security!*[System[(EventID=4624)]] 
  • Collect only Security events with Event ID = 4624 or Event ID = 4688 
Security!*[System[(EventID=4624 or EventID=4688)]] 
  • Collect only Security events with Event ID = 4688 and with a process name of consent.exe 
Security!*[System[(EventID=4688)]] and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\consent.exe']]

A note on the last example: a predicate on a Data name that the event does not actually carry matches nothing, so check the field names in the event's XML view before committing a query to a DCR. Event 4688, for instance, records the created process in NewProcessName and its parent in ParentProcessName (the ParentProcessName form is the one used later in this post).

 

You can select the custom option to select which events to stream:

 

Cyb3rWard0g_5-1624563350659.png

 

 

Important! 

 

Based on the new connector docs, make sure to query only the Windows Security and AppLocker logs. Events from other Windows logs, or from security logs of other environments, may not adhere to the Windows Security Events schema; they will not be parsed properly and therefore will not be ingested into your workspace.

 

Also, the Azure Monitor Agent supports XPath version 1.0 only. I recommend reading the XPath 1.0 limitations documentation before writing XPath queries. 
 

 

XPath? 

 

XPath stands for XML (Extensible Markup Language) Path Language. It is used to navigate XML documents modeled as a tree of nodes, where nodes can be elements, attributes, or text.

 

In the image below, we can see a few node examples in the XML representation of a Windows security event: 
 

Cyb3rWard0g_6-1624563350669.png

 

 
XPath Queries? 

 

XPath queries search for patterns in XML documents. They use path expressions and predicates to find a node or to filter for nodes that contain a specific value. The wildcard '*' matches any element node, '@' addresses attribute nodes (so Data[@Name='X'] tests the Name attribute of a Data element, and '@*' matches any attribute), and predicates are always written in square brackets "[]". 

 

Matching any element node with ‘*’

 

Using our previous Windows Security event XML example, we can process Windows Security events using the wildcard ‘*’ at the `Element` node level.

 

The example below walks through two ‘Element’ nodes to get to the ‘Text’ node of value ‘4688’. 
 

Cyb3rWard0g_7-1624563350628.png

 

You can test this basic XPath query via PowerShell. 

  • Open a PowerShell console as Administrator (the Security log is not readable from an unprivileged session). 
  • Use the Get-WinEvent cmdlet to run the XPath query. 
  • Use the LogName parameter to choose the event channel to run the query against. 
  • Use the FilterXPath parameter to supply the XPath query. 

 

Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4688]]'

 

Cyb3rWard0g_8-1624563350630.png

 

Matching attribute nodes with '@' 

 

As shown before, Element nodes can carry Attributes, and '@' selects them: in Data[@Name='ParentProcessName'], @Name picks the Name attribute of a Data element and compares it with a literal, while the trailing ='C:\Windows\System32\cmd.exe' compares the Text node of that same Data element. The example below extends the previous query with that filter, so only 4688 events whose parent process is cmd.exe are returned. 
 

Cyb3rWard0g_9-1624563350632.png

 

Once again, you can test the XPath query via PowerShell as Administrator. 
 

$XPathQuery = "*[System[EventID=4688]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]" 
Get-WinEvent -LogName Security -FilterXPath $XPathQuery

 

Cyb3rWard0g_10-1624563350633.png
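Before a query goes into a DCR it is worth running the same Get-WinEvent check over every query in the exact LogName!XPath form the rule will carry, and telling apart "syntax rejected" from "syntax fine, nothing matched yet". The function below is an added example, not code from the original post or from the Azure-Sentinel2Go project; it assumes an elevated PowerShell session on a Windows host, and the function name, status values and sample queries are my own.

```powershell
# Added example (not from the original post): pre-flight check for DCR-style
# "LogName!XPath" queries against the local event log. Run from an elevated
# console; the Security log requires Administrator rights to read.

function Test-DcrXPathQuery {
    [CmdletBinding()]
    param(
        # Queries in the form used by the DCR 'xPathQueries' property,
        # e.g. 'Security!*[System[(EventID=4688)]]'
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Query
    )
    begin {
        # The new connector only parses Security and AppLocker events; anything
        # else is flagged so it does not silently produce nothing in the workspace
        $allowedLogs = @(
            'Security',
            'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script',
            'Microsoft-Windows-AppLocker/Packaged app-Deployment',
            'Microsoft-Windows-AppLocker/Packaged app-Execution'
        )
    }
    process {
        foreach ($q in $Query) {
            # Split on the first '!' only; the XPath part may legitimately contain '!'
            $sep = $q.IndexOf('!')
            if ($sep -lt 1) {
                [pscustomobject]@{ Query = $q; Status = 'Malformed'; InScope = $false; Detail = "expected 'LogName!XPath'" }
                continue
            }
            $logName = $q.Substring(0, $sep)
            $xpath   = $q.Substring($sep + 1)
            $inScope = $allowedLogs -contains $logName   # -contains is case-insensitive

            try {
                # -MaxEvents 1 keeps the check cheap on a busy Security log
                $null = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
                $status = 'Valid'; $detail = 'matched at least one event'
            }
            catch {
                if ($_.Exception.Message -match 'No events were found') {
                    # Query was accepted by the event log service; nothing matches right now
                    $status = 'ValidNoMatch'; $detail = 'syntax accepted, no matching events yet'
                }
                elseif ($_.Exception -is [System.Diagnostics.Eventing.Reader.EventLogException]) {
                    # Raised for an invalid query (ERROR_EVT_INVALID_QUERY) and other reader failures
                    $status = 'Invalid'; $detail = $_.Exception.Message
                }
                else {
                    $status = 'Error'; $detail = $_.Exception.Message
                }
            }
            if (-not $inScope) {
                $detail = "log '$logName' is outside the connector's Security/AppLocker scope; $detail"
            }
            [pscustomobject]@{ Query = $q; Status = $status; InScope = $inScope; Detail = $detail }
        }
    }
}

# Constructed sample input: a good query, one that matches nothing on most
# workstations, one with broken XPath (unbalanced bracket), and one against
# an out-of-scope log.
@(
    'Security!*[System[(EventID=4688)]]',
    'Security!*[System[(EventID=4688)]] and *[EventData[Data[@Name=''ParentProcessName'']=''C:\Windows\System32\cmd.exe'']]',
    'Security!*[System[(EventID=4688)]',
    'System!*[System[(EventID=7045)]]'
) | Test-DcrXPathQuery | Format-Table -AutoSize
```

Only rows with Status Valid or ValidNoMatch and InScope True are worth copying into a DCR; an Invalid row would be rejected by the agent as well, and an out-of-scope row would be collected but never parsed into the SecurityEvent table.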

 

 

Can I Use XPath Queries in Event Viewer? 

 

Every time you add a filter through the Event Viewer UI, you can also see the XPath representation of that filter on the XML tab. The XPath query sits inside a QueryList node, which lets you define and run multiple queries at once. 
 

Cyb3rWard0g_11-1624563350665.png

 

We can take our previous example where we searched for a specific attribute and run it through the Event Viewer Filter XML UI. 
 

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]</Select>
  </Query>
</QueryList>

 

Cyb3rWard0g_12-1624563350667.png

 

Now that we have covered some of the main changes and features of the new version of the Windows Security Events data connector, it is time to show you how to create a lab environment for you to test your own XPath queries for research purposes and before pushing them to production. 
 

 

Deploy Lab Environment

  • Identify the right Azure resources to deploy. 
  • Create deployment template. 
  • Run deployment template. 

 
Identify the Right Azure Resources to Deploy 

 

As mentioned earlier in this post, the old connector uses the Data Sources resource from the Log Analytics Workspace resource to set the collection tier of Windows security events. 

 

This is the Azure Resource Manager (ARM) template I use in Azure-Sentinel2Go to set it up: 

 

Azure-Sentinel2Go/securityEvents.json at master · OTRF/Azure-Sentinel2Go (github.com)

 

Data Sources Azure Resource

 

{ 
  "type": "Microsoft.OperationalInsights/workspaces/dataSources", 
  "apiVersion": "2020-03-01-preview", 
  "location": "eastus", 
  "name": "WORKSPACE/SecurityInsightsSecurityEventCollectionConfiguration", 
  "kind": "SecurityInsightsSecurityEventCollectionConfiguration", 
  "properties": { 
    "tier": "All", 
    "tierSetMethod": "Custom" 
  } 
} 

 
The new connector, however, uses a combination of Data Collection Rules (DCRs) and Data Collection Rule Associations (DCRAs). 
 
This is the ARM template I use to create data collection rules: 

 

Azure-Sentinel2Go/creation-azureresource.json at master · OTRF/Azure-Sentinel2Go (github.com) 
 

Data Collection Rules Azure Resource

 

{ 
  "type": "microsoft.insights/dataCollectionRules", 
  "apiVersion": "2019-11-01-preview", 
  "name": "WindowsDCR", 
  "location": "eastus", 
  "tags": { 
    "createdBy": "Sentinel" 
  }, 
  "properties": { 
    "dataSources": { 
      "windowsEventLogs": [ 
        { 
          "name": "eventLogsDataSource", 
          "scheduledTransferPeriod": "PT5M", 
          "streams": [ 
            "Microsoft-SecurityEvent" 
          ], 
          "xPathQueries": [ 
            "Security!*[System[(EventID=4624)]]" 
          ] 
        } 
      ] 
    }, 
    "destinations": { 
      "logAnalytics": [ 
        { 
          "name": "SecurityEvent", 
          "workspaceId": "AZURE-SENTINEL-WORKSPACEID", 
          "workspaceResourceId": "AZURE-SENTINEL-WORKSPACERESOURCEID" 
        } 
      ] 
    }, 
    "dataFlows": [ 
      { 
        "streams": [ 
          "Microsoft-SecurityEvent" 
        ], 
        "destinations": [ 
          "SecurityEvent" 
        ] 
      } 
    ] 
  } 
} 

 
One additional step in the setup of the new connector is the association of the DCR with Virtual Machines. 

 

This is the ARM template I use to create DCRAs:

 

Azure-Sentinel2Go/association.json at master · OTRF/Azure-Sentinel2Go (github.com)
 

Data Collection Rule Associations Azure Resource

 

{
  "name": "WORKSTATION5/microsoft.insights/WindowsDCR",
  "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
  "apiVersion": "2019-11-01-preview",
  "location": "eastus",
  "properties": {
    "description": "Association of data collection rule. Deleting this association will break the data collection for this virtual machine.",
    "dataCollectionRuleId": "DATACOLLECTIONRULEID"
  }
}

 

 

What about the XPath Queries?

 

As shown in the previous section, the XPath query is part of the “dataSources” section of the data collection rule resource. It is defined under the ‘windowsEventLogs’ data source type. 

 

"dataSources": { 
  "windowsEventLogs": [ 
    { 
      "name": "eventLogsDataSource", 
      "scheduledTransferPeriod": "PT5M", 
      "streams": [ 
        "Microsoft-SecurityEvent" 
      ], 
      "xPathQueries": [ 
        "Security!*[System[(EventID=4624)]]" 
      ] 
    } 
  ] 
} 

 

 

Create Deployment Template 

 

We can easily add all those ARM templates to a basic 'Azure Sentinel & Win10 Workstation' template. We just need to make sure we install the Azure Monitor Agent instead of the Log Analytics one and enable the system-assigned managed identity on the Azure VM, which the AMA uses to authenticate. 

 

Template Resource List to Deploy: 

  • Azure Sentinel Instance 
  • Windows Virtual Machine 
    • Azure Monitor Agent installed 
    • System-assigned managed identity enabled 
  • Data Collection Rule 
    • Log Analytics Workspace ID 
    • Log Analytics Workspace Resource ID 
  • Data Collection Rule Association
    • Data Collection Rule ID
    • Windows Virtual Machine Resource Name 

 

The following ARM template can be used for our first basic scenario:

 

Azure-Sentinel2Go/Win10-DCR-AzureResource.json at master · OTRF/Azure-Sentinel2Go (github.com)
 

Run Deployment Template 

 

You can deploy the ARM template via a “Deploy to Azure” button or via Azure CLI. 

 

“Deploy to Azure” Button 

  1. Browse to Azure Sentinel2Go repository 
  2. Go to grocery-list/Win10/demos. 
  3. Click on the "Deploy to Azure" button next to "Azure Sentinel + Win10 + DCR (DCR Resource)". 

    Cyb3rWard0g_0-1624589431099.png

     

  4. Fill out the required parameters: 
    • adminUsername: admin user to create in the Windows workstation. 
    • adminPassword: password for admin user. 
    • allowedIPAddresses: Public IP address to restrict access to the lab environment. 
  5. Wait 5-10 mins and your environment should be ready.
     

Azure CLI 

  1. Download the demo template. 
  2. Open a terminal where you can run Azure CLI (e.g. PowerShell). 
  3. Log in to your Azure tenant:

    az login 
  4. Create a resource group (optional, if you do not already have one):

    az group create -n AzSentinelDemo -l eastus 
  5. Deploy the ARM template from the local file. Template parameters are passed as key=value pairs to --parameters:

    az deployment group create -f ./Win10-DCR-AzureResource.json -g MYRESOURCEGROUP --parameters adminUsername=MYUSER adminPassword=MYUSERPASSWORD allowedIPAddresses=x.x.x.x 

    Passing adminPassword on the command line leaves it in your shell history; a parameters file (--parameters @params.json) avoids that.
  6. Wait 5-10 mins and your environment should be ready. 

 

Whether you use the UI or the CLI, you can monitor your deployment by going to Resource Group > Deployments:

 

Cyb3rWard0g_13-1624563350637.png

 

  

Cyb3rWard0g_14-1624563350638.png

 

Verify Lab Resources 

 

Once your environment is deployed successfully, I recommend verifying every resource that was deployed.

 

Azure Sentinel New Data Connector 

 

You will see the Windows Security Events (Preview) data connector enabled with a custom Data Collection Rule (DCR):

 

Cyb3rWard0g_15-1624563350665.png

 

If you edit the custom DCR, you will see the XPath query and the resource that it got associated with. The image below shows the association of the DCR with a machine named workstation5.

 

Cyb3rWard0g_16-1624563350641.png

 

You can also see that the data collection is set to custom and, for this example, we only set the event stream to collect events with Event ID 4624.

 

Cyb3rWard0g_17-1624563350642.png

 

Windows Workstation 

 

I recommend RDPing to the Windows workstation using its public IP address. Go to your resource group, select the Azure VM, and you will see the public IP address on the right side of the screen (the template's allowedIPAddresses parameter limits which source address can reach it). Logging on over RDP generates 4624 logon events (logon type 10, RemoteInteractive), which is exactly what the custom DCR associated with the endpoint collects. 

 

Cyb3rWard0g_18-1624563350668.png

 

Check Azure Sentinel Logs 

 

Go back to your Azure Sentinel, and you should start seeing some events on the Overview page:

 

Cyb3rWard0g_19-1624563350654.png

 

Go to Logs and run the following KQL query: 

 

SecurityEvent 
| summarize count() by EventID

 

As you can see in the image below, only events with Event ID 4624 were collected by the Azure Monitor Agent. 
 

Cyb3rWard0g_20-1624563350656.png

 

You might be asking yourself, "Who would only want to collect events with Event ID 4624 from a Windows endpoint?". Believe it or not, there are network environments where bandwidth constraints mean only certain events can be collected. This custom filtering capability is therefore very useful: it covers more use cases and saves storage and ingestion volume!
 

 

Any Good XPath Queries Repositories in the InfoSec Community? 

 

Now that we know the internals of the new connector and how to deploy a simple lab environment, we can test multiple XPath queries depending on your organization's research use cases and bandwidth constraints. There are a few projects you can start from.

 

Palantir WEF Subscriptions

 

One of many repositories out there that contain XPath queries is the 'windows-event-forwarding' project from Palantir. The XPath queries live inside the Windows Event Forwarding (WEF) subscription files. We can take all the subscriptions, parse them programmatically to extract the XPath queries, and save them in a format that can be used in the automated deployment. 

 

You can follow the steps in this document from Azure Sentinel To-Go to extract the XPath queries from the Palantir project.

 

Azure-Sentinel2Go/README.md at master · OTRF/Azure-Sentinel2Go (github.com) 
 

OSSEM Detection Model + ATT&CK Data Sources 

 

From a community perspective, another great resource you can extract XPath queries from is the Open Source Security Event Metadata (OSSEM) Detection Model (DM) project, a community-driven effort to help researchers model attack behaviors from a data perspective and share relationships identified in security events across several operating systems.

 

One of the use cases of this initiative is to map all security events in the project to the new 'Data Sources' objects provided by the MITRE ATT&CK framework. In the image below, we can see how the OSSEM DM project provides an interactive document (.CSV) for researchers to explore the mappings (research output): 
 

Cyb3rWard0g_21-1624563350666.png

 
One advantage of this project over others is that all its data relationships are in YAML format, which makes them easy to translate to other formats, for example XML. We can use the Event IDs defined in each data relationship documented in OSSEM DM and create XML files with XPath queries in them. 
 

Exploring OSSEM DM Relationships (YAML Files) 

Let’s say we want to use relationships related to scheduled jobs in Windows.

 

Cyb3rWard0g_22-1624563350657.png

 

Translate YAML files to XML Query Lists 

We can process all the YAML files and export the data as XML files. One thing I like about this OSSEM DM use case is that we can group the XML files by ATT&CK data source. This helps organizations organize their data collection in a way that maps to detections or other ATT&CK-based frameworks internally.

 

We can use the QueryList format to document all 'scheduled jobs relationships' XPath queries in one XML file. 
 

Cyb3rWard0g_23-1624563350647.png

 

I like to document my XPath queries in this format first because it expedites validating them locally on a Windows endpoint. You can feed the XML file to Get-WinEvent to query Windows Security events and make sure there are no syntax issues: 
 

[xml]$scheduledjobs = Get-Content .\scheduled-job.xml
Get-WinEvent -FilterXml $scheduledjobs

 

Cyb3rWard0g_0-1624585337804.png

 

Translate XML Query Lists to DCR Data Source: 

Finally, once the XPath queries have been validated, we can extract them from the XML files and put them in a format that ARM templates can use to create DCRs. Do you remember the dataSources property of the DCR Azure resource we talked about earlier? What if we could read the values of the windowsEventLogs data source from a file instead of hardcoding them in an ARM template? The example below shows how they were previously hardcoded.
 

"dataSources": { 
  "windowsEventLogs": [ 
    { 
      "name": "eventLogsDataSource", 
      "scheduledTransferPeriod": "PT5M", 
      "streams": [ 
        "Microsoft-SecurityEvent" 
      ], 
      "xPathQueries": [ 
        "Security!*[System[(EventID=4624)]]" 
      ] 
    } 
  ] 
} 
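The translation from validated QueryList XML files to the windowsEventLogs document can be done in a few lines. The function below is an added example, not code from the post, from OSSEM DM or from the Azure-Sentinel2Go repository: it reads every QueryList in a folder, turns each <Select> into a LogName!XPath string, drops duplicates the way the DCR API compares them (case-insensitively), refuses to emit more than the ten windowsEventLogs items a single DCR accepts, and writes the file that the DCR creation step consumes. The folder layout (one QueryList per ATT&CK data source, file name used as the entry name), the function name, and the sample QueryList are all assumptions constructed for this example.

```powershell
# Added example (not OSSEM DM or Azure-Sentinel2Go code): convert a folder of
# Event Viewer QueryList XML files into the 'windowsEventLogs' document that
# the DCR creation step consumes. Assumed layout: one QueryList per ATT&CK
# data source; the file name becomes the data source entry name.

function ConvertTo-DcrWindowsEventLogs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$QueryListFolder,
        [Parameter(Mandatory)] [string]$OutputFile,
        [string]$TransferPeriod = 'PT5M'
    )
    $entries = foreach ($file in Get-ChildItem -Path $QueryListFolder -Filter *.xml) {
        [xml]$doc = Get-Content -Path $file.FullName -Raw

        # DCRs have no equivalent of <Suppress>; say so rather than silently dropping it
        if ($doc.SelectNodes('//Suppress').Count -gt 0) {
            Write-Warning "$($file.Name): <Suppress> clauses cannot be expressed in a DCR and were ignored"
        }

        # Each <Select Path="...">xpath</Select> becomes one 'Path!xpath' query.
        # A Select without its own Path inherits the Path of the enclosing Query.
        $queries = foreach ($sel in $doc.SelectNodes('//Select')) {
            $path = if ($sel.HasAttribute('Path')) { $sel.GetAttribute('Path') } else { $sel.ParentNode.GetAttribute('Path') }
            '{0}!{1}' -f $path, $sel.InnerText.Trim()
        }

        # The API rejects duplicate queries within an entry, compared case-insensitively,
        # so deduplicate the same way (OSSEM relationships often share event IDs)
        $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
        $unique = @($queries | Where-Object { $seen.Add($_) })

        [ordered]@{
            name                    = $file.BaseName
            scheduledTransferPeriod = $TransferPeriod
            streams                 = @('Microsoft-SecurityEvent')
            xPathQueries            = $unique
        }
    }

    # A single DCR accepts at most 10 windowsEventLogs items
    $entries = @($entries)
    if ($entries.Count -gt 10) {
        throw "$($entries.Count) QueryList files would produce $($entries.Count) windowsEventLogs items; a DCR accepts at most 10. Split them across DCRs."
    }

    $document = [ordered]@{ windowsEventLogs = $entries }
    $document | ConvertTo-Json -Depth 5 | Set-Content -Path $OutputFile -Encoding UTF8
    return $document
}

# Constructed sample: one QueryList for scheduled-task events (4698 created,
# 4699 deleted, 4702 updated) with a repeated Select, as generated output can contain.
$folder = Join-Path ([System.IO.Path]::GetTempPath()) 'ossem-querylists'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4698 or EventID=4699)]]</Select>
    <Select>*[System[(EventID=4702)]]</Select>
    <Select Path="security">*[System[(EventID=4698 or EventID=4699)]]</Select>
  </Query>
</QueryList>
'@ | Set-Content -Path (Join-Path $folder 'scheduled-job.xml')

$out = Join-Path $folder 'dcr-datasources.json'
ConvertTo-DcrWindowsEventLogs -QueryListFolder $folder -OutputFile $out | Out-Null
Get-Content -Path $out
```

The resulting file has one entry named scheduled-job with two queries; the third Select differs from the first only in the case of the log name and is dropped, which is what the service would otherwise reject. Validate the QueryList files with Get-WinEvent -FilterXml before converting them, since this step only restructures the queries and does not check their syntax.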

 
We can use the XML files created after processing the OSSEM DM relationships mapped to ATT&CK data sources to build the following document, and pass its URL as a parameter to the ARM template that deploys our lab environment: 

 

Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com)

 

Wait! How Do You Create the Document? 

 

The OSSEM team is contributing and maintaining the JSON file from the previous section in the Azure Sentinel2Go repository. However, if you want to go through the whole process on your own, Jose Rodriguez (@Cyb3rpandah) was kind enough to write every single step to get to that output file in the following blog post:

 

OSSEM Detection Model: Leveraging Data Relationships to Generate Windows Event XPath Queries (openth...

 

Ok, But, How Do I Pass the JSON file to our Initial ARM template? 

 

In our initial ARM template, we had the XPath query as an ARM template variable as shown in the image below.

 

Cyb3rWard0g_1-1624585923557.png

 

We could also make it a template parameter. However, that is not flexible enough to define multiple DCRs or to update the whole DCR data source object (think about future coverage beyond Windows logs).

 

Data Collection Rules – CREATE API 

 

For more complex use cases, I would use the DCR Create API. It can be called from a PowerShell script, which in turn can run inside an ARM template via a deployment script resource. Keep in mind that the deployment script resource requires an identity to execute the script; a user-assigned managed identity can be created at deployment time and used to create the DCRs programmatically.

 

PowerShell Script 

 

If you have an Azure Sentinel instance without the data connector enabled, you can use the following PowerShell script to create DCRs in it. This is good for testing, and it also works inside ARM templates.

 

Keep in mind that you need a file that defines the structure of the windowsEventLogs data source object used when creating DCRs. We created that in the previous section, remember? This is where the OSSEM Detection Model XPath queries file comes in ;)

 

Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com)

 

FileExample.json

 

{
  "windowsEventLogs": [
    {
      "Name": "eventLogsDataSource",
      "scheduledTransferPeriod": "PT1M",
      "streams": [
        "Microsoft-SecurityEvent"
      ],
      "xPathQueries": [
        "Security!*[System[(EventID=5141)]]",
        "Security!*[System[(EventID=5137)]]",
        "Security!*[System[(EventID=5136 or EventID=5139)]]",
        "Security!*[System[(EventID=4688)]]",
        "Security!*[System[(EventID=4660)]]",
        "Security!*[System[(EventID=4656 or EventID=4661)]]",
        "Security!*[System[(EventID=4670)]]"
      ]
    }
  ]
}

 

Run Script

Once you have a JSON file similar to the one in the previous section, you can run the script from a PowerShell console:

 

.\Create-DataCollectionRules.ps1 -WorkspaceId xxxx -WorkspaceResourceId xxxx -ResourceGroup MYGROUP -Kind Windows -DataCollectionRuleName WinDCR -DataSourcesFile FileExample.json -Location eastus -Verbose 

 
One thing to remember is that the API caps the number of windowsEventLogs data source items in a single DCR at 10. That is separate from the number of XPath queries inside one item. If the dataSources object you submit has more than 10 items, the request is rejected with the following error message: 

 

ERROR 

VERBOSE: @{Headers=System.Object[]; Version=1.1; StatusCode=400; Method=PUT;  
Content={"error":{"code":"InvalidPayload","message":"Data collection rule is invalid","details":[{"code":"InvalidProperty","message":"'Data Sources. Windows Event Logs' item count should be 10 or less. Specified list has 11 items.","target":"Properties.DataSources.WindowsEventLogs"}]}}} 

 
Also, if you have duplicate XPath queries (compared case-insensitively) within one item, you get the following message: 

 

ERROR
VERBOSE: @{Headers=System.Object[]; Version=1.1; StatusCode=400; Method=PUT;  
Content={"error":{"code":"InvalidPayload","message":"Data collection rule is invalid","details":[{"code":"InvalidDataSource","message":"'X Path Queries' items must be unique (case-insensitively).  
 
Duplicate names: 
Security!*[System[(EventID=4688)]],Security!*[System[(EventID=4656)]].","target":"Properties.DataSources.WindowsEventLogs[0].XPathQueries"}]}}} 
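The two rejections above are cheap to catch before the request leaves your machine. The code below is an added example, not the repository's Create-DataCollectionRules.ps1 script: it does the same job through the REST API with Invoke-AzRestMethod from the Az.Accounts module (sign in with Connect-AzAccount first), but runs a pre-flight check for the item-count and duplicate-query constraints, flags queries against logs the connector does not parse, and prints the error.details array when the service still rejects the payload. It also creates the DCR association described earlier in the post. The function names are mine; subscription, resource group, workspace and VM values are placeholders.

```powershell
# Added example (not the Azure-Sentinel2Go script): create a DCR from a
# dataSources file via the REST API with Invoke-AzRestMethod (Az.Accounts,
# after Connect-AzAccount), checking the limits the API enforces before the PUT.

function Test-DcrDataSources {
    param([Parameter(Mandatory)] $DataSources)   # object parsed from the dataSources file
    $problems = @()
    $logs = @($DataSources.windowsEventLogs)
    if ($logs.Count -gt 10) {
        $problems += "windowsEventLogs has $($logs.Count) items; the API allows 10 or less"
    }
    for ($i = 0; $i -lt $logs.Count; $i++) {
        # Same rule the API applies: queries unique within an item, case-insensitively
        $dupes = $logs[$i].xPathQueries | Group-Object { $_.ToLowerInvariant() } | Where-Object Count -gt 1
        foreach ($d in $dupes) { $problems += "windowsEventLogs[$i] repeats '$($d.Group[0])'" }
        # The connector only parses Security/AppLocker events; anything else is never ingested
        $other = $logs[$i].xPathQueries | Where-Object { ($_ -split '!', 2)[0] -notmatch '^(Security|Microsoft-Windows-AppLocker/)' }
        foreach ($q in $other) { $problems += "windowsEventLogs[$i]: '$q' targets a log the Windows Security Events connector does not parse" }
    }
    return $problems
}

function New-WindowsSecurityEventsDcr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$SubscriptionId,
        [Parameter(Mandatory)] [string]$ResourceGroup,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Location,
        [Parameter(Mandatory)] [string]$WorkspaceId,          # Log Analytics workspace (customer) ID
        [Parameter(Mandatory)] [string]$WorkspaceResourceId,  # full ARM resource ID of the workspace
        [Parameter(Mandatory)] [string]$DataSourcesFile,      # e.g. FileExample.json above
        [string]$ApiVersion = '2019-11-01-preview'
    )
    $dataSources = Get-Content -Path $DataSourcesFile -Raw | ConvertFrom-Json
    $problems = Test-DcrDataSources -DataSources $dataSources
    if ($problems) { throw ("Refusing to submit DCR:`n" + ($problems -join "`n")) }

    # Same shape as the ARM resource shown earlier: dataSources -> destinations -> dataFlows
    $body = [ordered]@{
        location   = $Location
        tags       = @{ createdBy = 'Sentinel' }
        properties = [ordered]@{
            dataSources  = $dataSources
            destinations = @{ logAnalytics = @(@{ name = 'SecurityEvent'; workspaceId = $WorkspaceId; workspaceResourceId = $WorkspaceResourceId }) }
            dataFlows    = @(@{ streams = @('Microsoft-SecurityEvent'); destinations = @('SecurityEvent') })
        }
    } | ConvertTo-Json -Depth 10

    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$Name?api-version=$ApiVersion"
    $response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($response.StatusCode -notin @(200, 201)) {
        # error.details is where 'InvalidProperty' / 'InvalidDataSource' land
        $err = ($response.Content | ConvertFrom-Json).error
        $detail = ($err.details | ForEach-Object { "$($_.code): $($_.message)" }) -join '; '
        throw "DCR PUT failed ($($response.StatusCode)) $($err.code): $($err.message). $detail"
    }
    return ($response.Content | ConvertFrom-Json)
}

function New-DcrAssociation {
    param(
        [Parameter(Mandatory)] [string]$VmResourceId,   # .../Microsoft.Compute/virtualMachines/<vm>
        [Parameter(Mandatory)] [string]$DataCollectionRuleId,
        [string]$AssociationName = 'WindowsDCR',
        [string]$ApiVersion = '2019-11-01-preview'
    )
    # The association is an extension resource on the VM; the AMA must be installed
    # and the VM's system-assigned identity enabled, as in the lab template
    $body = @{ properties = @{ dataCollectionRuleId = $DataCollectionRuleId } } | ConvertTo-Json
    $path = "$VmResourceId/providers/Microsoft.Insights/dataCollectionRuleAssociations/$AssociationName?api-version=$ApiVersion"
    $response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($response.StatusCode -notin @(200, 201)) { throw "DCRA PUT failed ($($response.StatusCode)): $($response.Content)" }
    return ($response.Content | ConvertFrom-Json)
}

# Usage (placeholder values):
# $dcr = New-WindowsSecurityEventsDcr -SubscriptionId '<sub>' -ResourceGroup 'AzSentinelDemo' -Name 'WinDCR' -Location 'eastus' `
#          -WorkspaceId '<workspace-id>' -WorkspaceResourceId '<workspace-resource-id>' -DataSourcesFile .\FileExample.json
# New-DcrAssociation -VmResourceId '<vm-resource-id>' -DataCollectionRuleId $dcr.id
```

The pre-flight check mirrors only the two rules the service's error messages above make explicit; anything else the API enforces still surfaces through the error.details output, which is why the function prints that array instead of just the status code.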

 

ARM Template: DeploymentScript Resource

 

Now that you know how to use a PowerShell script to create DCRs directly in your Azure Sentinel instance, we can use it inside an ARM template and point it at the JSON file that contains all the XPath queries in the right format, contributed by the OSSEM DM project.

 

This is the template I use to put it all together:

 

Azure-Sentinel2Go/Win10-DCR-DeploymentScript.json at master · OTRF/Azure-Sentinel2Go (github.com)

 

What about the DCR Associations? 

You still need to associate the DCR with a virtual machine. We can keep doing that within the template by calling the DCRA linked template from the main template. In case you were wondering how, this is the way I do it: 

 

Azure-Sentinel2Go/Win10-DCR-DeploymentScript.json at master · OTRF/Azure-Sentinel2Go (github.com)

 

Cyb3rWard0g_2-1624586850130.png

 

How Do I Deploy the New Template?

The same way we deployed the initial one. If you want the easy button, simply browse to the URL below and click on the blue button highlighted in the image:

 

Link: Azure-Sentinel2Go/grocery-list/Win10/demos at master · OTRF/Azure-Sentinel2Go (github.com)

 

Cyb3rWard0g_3-1624587103977.png

 

Wait 5-10 mins!

 

Cyb3rWard0g_4-1624587184135.png

 

Enjoy it!

 

Cyb3rWard0g_6-1624588013944.png

 

 

 

That’s it! You now know two ways to deploy and test the new data connector and Data Collection Rules features with XPath queries capabilities. I hope this was useful. Those were all my notes while testing and developing templates to create a lab environment so that you could also expedite the testing process! 

 

Feedback is greatly appreciated! Thank you to the OSSEM team and the Open Threat Research (OTR) community for helping us operationalize the research they share with the community! Thank you, Jose Rodriguez. 

 

Demo Links

 

References 

4 Comments

Thank you @Cyb3rWard0g for the Awesome Blogpost and Sharing with the Community :cool:

Microsoft

Thank you @James van den Berg ! I appreciate the feedback :) 

Senior Member

This is bloody amazing :clapping_hands:

Respected Contributor

@Cyb3rWard0g When I view the Sentinel2Go readme page, I don't see anything for the DCR deployments. Have they been removed?

Never mind, I found them 

nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22location%22%3A%20%22eastus%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22name%22%3A%20%22WORKSPACE%2FSecurityInsightsSecurityEventCollectionConfiguration%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22kind%22%3A%20%22SecurityInsightsSecurityEventCollectionConfiguration%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22properties%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22tier%22%3A%20%22All%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22tierSetMethod%22%3A%20%22Custom%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EHowever%2C%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Enew%20connector%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Buses%20a%20combination%20of%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ftemplates%2Fmicrosoft.insights%2Fdatacollectionrules%3Ftabs%3Djson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Connection%20Rules%20(DCR)%3C%2FS
PAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fagents%2Fdata-collection-rule-azure-monitor-agent%23data-collection-rule-associations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Connector%20Rules%20Association%20(DCRA)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20the%26nbsp%3BARM%26nbsp%3Btemplate%26nbsp%3BI%26nbsp%3Buse%20to%20create%20data%20collection%20rules%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Fcreation-azureresource.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fcreation-azureresource.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rules%20Azure%20Resource%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22type%22%3A%20%22microsoft.insights%2FdataCollectionRules%22%2C%3C%2FSPAN%3E%3CS
PAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22apiVersion%22%3A%20%222019-11-01-preview%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22name%22%3A%20%22WindowsDCR%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22location%22%3A%20%22eastus%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22tags%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22createdBy%22%3A%20%22Sentinel%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%7D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22properties%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22dataSources%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22windowsEventLogs%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22name%22%3A%20%22eventLogsDataSource%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scheduledTransferPeriod%22%3A%20%22PT5M%22%2C%3C%2FSPAN%3E%3CS
PAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22streams%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Microsoft-SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22xPathQueries%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4624)%5D%5D%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22destinations%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%
3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22logAnalytics%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22name%22%3A%20%22SecurityEvent%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22workspaceId%22%3A%20%22AZURE-SENTINEL-WORKSPACEID%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22workspaceResourceId%22%3A%20%22AZURE-SENTINEL-WORKSPACERESOURCEID%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22dataFlows%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22streams%22
%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Microsoft-SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22destinations%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOne%20additional%20step%26nbsp%3Bin%20the%20setup%20of%20the%26nbsp%3Bnew%20connector%20is%20the%20association%20of%20the%20DCR%26nbsp%3Bwith%26nbsp%3BVirtual%20Machines.%3C%2FSPAN%3E%3CSPAN%20data-ccp-pro
ps%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20the%26nbsp%3BARM%26nbsp%3Btemplate%26nbsp%3BI%26nbsp%3Buse%20to%20create%20DCRAs%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Fassociation.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fassociation.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3CBR%20%2F%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%20Associations%20Azure%20Resource%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%3E%7B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22name%22%3A%20%22WORKSTATION5%2Fmicrosoft.insights%2FWindowsDCR%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22type%22%3A%20%22Microsoft.Compute%2FvirtualMachines%2Fproviders%2FdataCollectionRuleAssociations%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22apiVersion%22%3A%20%222019-11-01-preview%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22location%22%3A%20%22eastus%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26
nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%20%22properties%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22description%22%3A%20%22Association%20of%20data%20collection%20rule.%20Deleting%20this%20association%20will%20break%20the%20data%20collection%20for%20this%20virtual%20machine.%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22dataCollectionRuleId%22%3A%20%22DATACOLLECTIONRULEID%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhat%20about%20the%20XPath%20Queries%3F%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20shown%20in%20the%20previous%20section%2C%20the%20XPath%20query%20is%20part%20of%20the%20%E2%80%9C%3CSTRONG%3EdataSources%3C%2FSTRONG%3E%E2%80%9D%20section%20of%20the%20data%20collection%20rule%20resource.%20It%20is%20defined%20under%20the%26nbsp%3B%E2%80%98%3CSTRONG%3EwindowsEventLogs%3C%2FSTRONG%3E%E2%80%99%26nbsp%3Bdata%20source%20type.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22dataSources%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22windowsEventLogs%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20
%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22name%22%3A%20%22eventLogsDataSource%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scheduledTransferPeriod%22%3A%20%22PT5M%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22streams%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Microsoft-SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22xPathQueries%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4624)%5D%5D%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3
CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1782209805%22%20id%3D%22toc-hId--1782183087%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%20id%3D%22toc-hId-935051931%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-705303028%22%20id%3D%22toc-hId-705329746%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId--872402532%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECreate%20Deployment%20Template%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20can%26nbsp%3Beasily%26nbsp%3Badd%20all%20those%20ARM%26nbsp%3Btemplates%20to%20an%20%E2%80%98%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-Azure-Sentinel-Basic.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20%26amp%3B%20Win10%20Workstation%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%20basic%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etemplate%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20just%20need%20to%20make%20sure%20we%26nbsp%3Binstall%20the%26nb
sp%3B%3CSTRONG%3EAzure%20Monitor%20Agent%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Einstead%20of%20the%20%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E%26nbsp%3Bone%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eand%20enable%26nbsp%3Bthe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%23managed-identity-types%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Esystem-assigned%20managed%20identity%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ein%20the%20Azure%20VM.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETemplate%20Resource%20List%20to%20Deploy%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAzure%20Sentinel%20Instance%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-fon
t%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWindows%20Virtual%20Machine%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAzure%20Monitor%20Agent%20Installed%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESystem-assigned%20managed%20identity%20Enabled.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%
EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELog%20Analytics%20Workspace%20ID%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELog%20Analytics%20Workspace%20Resource%20ID%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%20Association%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%20ID%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWindows%20Virtual%20Machine%20Resource%20Name%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B
%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20following%20ARM%20template%20can%20be%20used%20for%20our%20first%20basic%26nbsp%3Bscenario%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-AzureResource.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3CBR%20%2F%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1102151435%22%20id%3D%22toc-hId--1102124717%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId-1615110301%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERun%20Deployment%20Template%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20deploy%20the%20ARM%20template%20via%20a%20%E2%80%9C%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Ftemplates%2Fdeploy-to-azure-button%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeploy%20to%20Azure%3C%2FSPAN%
” button or via Azure CLI (https://docs.microsoft.com/en-us/cli/azure/what-is-azure-cli).

“Deploy to Azure” Button

1. Browse to the Azure Sentinel2Go repository (https://github.com/OTRF/Azure-Sentinel2Go).
2. Go to grocery-list/Win10/demos.
3. Click on the “Deploy to Azure” button next to “Azure Sentinel + Win10 + DCR (DCR Resource)”.

Cyb3rWard0g_0-1624589431099.png

4. Fill out the required parameters:
   - adminUsername: admin user to create in the Windows workstation.
   - adminPassword: password for the admin user.
   - allowedIPAddresses: public IP address allowed to reach the lab environment.
5. Wait 5-10 mins and your environment should be ready.

Azure CLI

1. Download the demo template (https://raw.githubusercontent.com/OTRF/Azure-Sentinel2Go/master/grocery-list/Win10/demos/Win10-DCR-AzureResource.json).
2. Open a terminal where you can run Azure CLI (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), e.g. PowerShell.
3. Log in to your Azure tenant locally:

    az login

4. Create a resource group (optional):

    az group create -n AzSentinelDemo -l eastus

5. Deploy the ARM template locally (template parameters are passed as key=value pairs to --parameters):

    az deployment group create -f ./Win10-DCR-AzureResource.json -g MYRESOURCEGROUP --parameters adminUsername=MYUSER adminPassword=MYUSERPASSWORD allowedIPAddresses=x.x.x.x

6. Wait 5-10 mins and your environment should be ready.

Whether you use the UI or the CLI, you can monitor your deployment by going to Resource Group > Deployments:

Cyb3rWard0g_13-1624563350637.png

Cyb3rWard0g_14-1624563350638.png

Verify Lab Resources

Once your environment is deployed successfully, I recommend verifying every resource that was deployed.

Azure Sentinel New Data Connector

You will see the Windows Security Events (Preview) data connector enabled with a custom Data Collection Rule (DCR):

Cyb3rWard0g_15-1624563350665.png

If you edit the custom DCR, you will see the XPath query and the resource it is associated with. The image below shows the association of the DCR with a machine named workstation5.

Cyb3rWard0g_16-1624563350641.png

You can also see that the data collection is set to custom and, for this example, we only set the event stream to collect events with Event ID 4624.

Cyb3rWard0g_17-1624563350642.png

Windows Workstation

I recommend connecting to the Windows workstation over RDP using its public IP address. Go to your resource group and select the Azure VM; you should see the public IP address on the right of the screen. The RDP logon generates authentication events, which are captured by the custom DCR associated with the endpoint.

Cyb3rWard0g_18-1624563350668.png

Check Azure Sentinel Logs

Go back to your Azure Sentinel workspace, and you should start seeing some events on the Overview page:

Cyb3rWard0g_19-1624563350654.png

Go to Logs and run the following KQL query:

    SecurityEvent
    | summarize count() by EventID

As you can see in the image below, only events with Event ID 4624 were collected by the Azure Monitor Agent.

Cyb3rWard0g_20-1624563350656.png

You might be asking yourself, “Who would only want to collect events with Event ID 4624 from a Windows endpoint?” Believe it or not, there are network environments where, due to bandwidth constraints, only certain events can be collected. This custom filtering capability is therefore very useful: it covers more use cases and saves storage!

Any Good XPath Query Repositories in the InfoSec Community?

Now that we know the internals of the new connector and how to deploy a simple lab environment, we can test multiple XPath queries depending on your organization's use cases, research needs and bandwidth constraints. There are a few projects that you can use.

Palantir WEF Subscriptions

One of many repositories out there that contain XPath queries is the ‘windows-event-forwarding’ project from Palantir (https://github.com/palantir/windows-event-forwarding). The XPath queries are inside the Windows Event Forwarding (WEF) subscriptions. We could take all the subscriptions and parse them programmatically to extract all the XPath queries, saving them in a format that can become part of the automatic deployment.

You can follow the steps in this document available in Azure Sentinel To-go to extract XPath queries from the Palantir project:

https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md

OSSEM Detection Model + ATT&CK Data Sources

From a community perspective, another great resource you can use to extract XPath queries from is the Open Source Security Event Metadata (OSSEM) Detection Model (DM) project (https://github.com/OTRF/OSSEM-DM), a community-driven effort to help researchers model attack behaviors from a data perspective and share relationships identified in security events across several operating systems.

One of the use cases from this initiative is to map all security events in the project to the new ‘Data Sources’ objects provided by the MITRE ATT&CK framework (https://github.com/mitre-attack/attack-datasources). In the image below, we can see how the OSSEM DM project provides an interactive document (.CSV) for researchers to explore the mappings (research output): https://github.com/OTRF/OSSEM-DM/blob/main/use-cases/mitre_attack/attack_events_mapping.csv

Cyb3rWard0g_21-1624563350666.png

One of the advantages of this project over others is that all its data relationships (https://github.com/OTRF/OSSEM-DM/tree/main/relationships) are in YAML format, which makes it easy to translate them to other formats, for example XML. We can use the Event IDs defined in each data relationship documented in OSSEM DM and create XML files with XPath queries in them.
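As an added example, not code from this post or from the OSSEM DM project, the translation just described carried through in Python: relationship documents (constructed here as the dicts yaml.safe_load would return, with field names assumed from the layout of OSSEM DM's YAML files) are filtered to one ATT&CK data source, their Windows event IDs are grouped by log channel, and the result is emitted both as a QueryList XML document and as the Channel!XPath strings a DCR's xPathQueries take. It goes slightly beyond the single-channel case by handling channels other than Security, event IDs repeated across relationships, and non-Windows entries.

```python
"""Translate OSSEM DM-style relationship documents into a Windows Event Log
QueryList and into the 'Channel!XPath' strings a DCR expects.

Added example. The relationship documents below are constructed; the field
names (attack.data_source, security_events[].event_id / log_channel /
platform) are assumed from the layout of OSSEM DM's YAML files as returned
by yaml.safe_load. 4698/4702 are the Security-channel scheduled task
created/updated events, 106 the TaskScheduler/Operational registration event.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

RELATIONSHIPS = [
    {
        "name": "User created scheduled job",
        "attack": {"data_source": "scheduled job",
                   "data_component": "scheduled job creation"},
        "security_events": [
            {"event_id": 4698, "platform": "windows", "log_channel": "Security"},
            {"event_id": 106, "platform": "windows",
             "log_channel": "Microsoft-Windows-TaskScheduler/Operational"},
        ],
    },
    {
        "name": "User modified scheduled job",
        "attack": {"data_source": "scheduled job",
                   "data_component": "scheduled job modification"},
        "security_events": [
            {"event_id": 4702, "platform": "windows", "log_channel": "Security"},
            # Repeated on purpose: one event often backs several relationships
            {"event_id": 4698, "platform": "windows", "log_channel": "Security"},
            # Non-Windows entry: must not end up in a Windows QueryList
            {"event_id": 1, "platform": "linux", "log_channel": "auditd"},
        ],
    },
]


def events_by_channel(relationships, data_source=None):
    """Collect Windows event IDs per log channel, de-duplicated and sorted.

    When data_source is given, only relationships mapped to that ATT&CK data
    source contribute, which is what yields one XML file per data source."""
    channels = defaultdict(set)
    for rel in relationships:
        if data_source and rel["attack"]["data_source"] != data_source:
            continue
        for ev in rel["security_events"]:
            if ev.get("platform", "windows").lower() != "windows":
                continue
            channels[ev["log_channel"]].add(int(ev["event_id"]))
    return {ch: sorted(ids) for ch, ids in sorted(channels.items())}


def xpath_for(event_ids):
    """System/EventID predicate in the same form Event Viewer emits."""
    clause = " or ".join(f"EventID={i}" for i in event_ids)
    return f"*[System[({clause})]]"


def to_querylist_xml(channels):
    """One <Query> per channel. The Path on <Select> must name the same
    channel, otherwise the query silently matches nothing."""
    root = ET.Element("QueryList")
    for qid, (channel, ids) in enumerate(channels.items()):
        query = ET.SubElement(root, "Query", Id=str(qid), Path=channel)
        select = ET.SubElement(query, "Select", Path=channel)
        select.text = xpath_for(ids)
    return ET.tostring(root, encoding="unicode")


def to_dcr_xpath_queries(channels):
    """DCR xPathQueries entries are '<Channel>!<XPath>', the same shape as
    the lab's Security!*[System[(EventID=4624)]] rule."""
    return [f"{channel}!{xpath_for(ids)}" for channel, ids in channels.items()]


def querylist_is_well_formed(xml_text):
    """Parse the generated document back; every Select must carry a Path."""
    root = ET.fromstring(xml_text)
    selects = list(root.iter("Select"))
    return root.tag == "QueryList" and bool(selects) and all(
        s.get("Path") for s in selects)


if __name__ == "__main__":
    scheduled = events_by_channel(RELATIONSHIPS, data_source="scheduled job")
    print(to_querylist_xml(scheduled))
    for entry in to_dcr_xpath_queries(scheduled):
        print(entry)
```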
Exploring OSSEM DM Relationships (YAML Files)

Let’s say we want to use the relationships related to scheduled jobs in Windows (https://github.com/OTRF/OSSEM-DM/blob/main/relationships/user_created_scheduled_job.yml).

Cyb3rWard0g_22-1624563350657.png

Translate YAML Files to XML Query Lists

We can process all the YAML files and export the data to XML files. One thing that I like about this OSSEM DM use case is that we can group the XML files by ATT&CK data sources (https://github.com/mitre-attack/attack-datasources/tree/main/contribution). This can help organizations organize their data collection in a way that maps to detections or other ATT&CK-based frameworks internally.

We can use the QueryList format to document all ‘scheduled jobs relationships’ XPath queries in one XML file.

Cyb3rWard0g_23-1624563350647.png

I like to document my XPath queries first in this format because it expedites validating them locally on a Windows endpoint. You can use that XML file in a PowerShell command to query Windows Security events and make sure there are no syntax issues:
SPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%3E%5Bxml%5D%24scheduledjobs%20%3D%20get-content%20.%5Cscheduled-job.xml%3CBR%20%2F%3EGet-WinEvent%26nbsp%3B-FilterXml%20%24scheduledjobs%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_0-1624585337804.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291165i34FCF0A62CCE47DC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_0-1624585337804.png%22%20alt%3D%22Cyb3rWard0g_0-1624585337804.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETranslate%20XML%20Query%20Lists%20to%20DCR%26nbsp%3BData%26nbsp%3BSource%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFinally%2C%20once%20the%20XPath%20queries%20have%20been%20validated%2C%20we%20could%20simply%20extract%20them%20from%20the%20XML%20files%20and%20put%20them%20in%20a%20format%20that%20could%20be%20used%20in%20ARM%20templates%20to%20create%20DCRs.%26nbsp%3B%26nbsp%3BDo%20you%20remember%26nbsp%3Bthe%20%3CSTRONG%3EdataSources%3C%2FSTRONG%3E%26nbsp%3Bproperty%20of%20the%20DCR%20Azure%20resource%26nbsp%3Bwe%20talked%20about%20earlier%3F%20What%20if%20we%20could%20get%20the%20values%
20of%20the%20%3CSTRONG%3EwindowsEventLogs%3C%2FSTRONG%3E%26nbsp%3Bdata%20source%20directly%20from%20a%20file%26nbsp%3Binstead%20of%20hardcoding%20them%20in%20an%20ARM%20template%3F%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3BThe%20example%20below%20is%20how%20it%20was%20previously%20being%20hardcoded.%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3E%22dataSources%22%3A%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%22windowsEventLogs%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22name%22%3A%20%22eventLogsDataSource%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scheduledTransferPeriod%22%3A%20%22PT5M%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22streams%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Microsoft-SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22xPathQueries%22%3A%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C
BR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4624)%5D%5D%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20could%20use%20the%20XML%20files%20created%20after%20processing%20OSSEM%20DM%20relationships%20mapped%20to%20ATT%26amp%3BCK%26nbsp%3Bdata%20sources%26nbsp%3Band%20creating%20the%20following%20document.%20We%20can%20pass%20the%20URL%20of%20the%20document%20as%20a%20parameter%20in%20an%20ARM%20template%20to%20deploy%20our%20lab%20environment%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%2Fossem-attack%2Fossem-attack.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fosse
m-attack.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1856981811%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%20id%3D%22toc-hId--1231207436%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWait!%20How%20Do%20You%26nbsp%3BCreate%20the%20Document%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FOSSEM%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EOSSEM%26nbsp%3Bteam%3C%2FA%3E%26nbsp%3Bis%20contributing%26nbsp%3Band%20maintaining%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%2Fossem-attack%2Fossem-attack.json%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethe%26nbsp%3BJSON%20file%3C%2FA%3E%26nbsp%3Bfrom%20the%20previous%20section%26nbsp%3Bin%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%2Fossem-attack%2Fossem-attack.json%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Sentinel2Go%20repository%3C%2FA%3E.%26nbsp%3BHowever%2C%20if%20you%20want%20to%20go%20through%20the%20whole%20process%20on%20your%20own%2C%20Jose%20Rodriguez%20(%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FCyb3rPandaH%22%20target%3D
%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%40Cyb3rpandah%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E)%26nbsp%3Bwas%26nbsp%3Bkind%20enough%20to%20write%20every%20single%20step%26nbsp%3Bto%20get%20to%20that%20output%20file%20in%20the%20following%20blog%20post%3A%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fblog.openthreatresearch.com%2Fossem_generation_xpath_queries%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EOSSEM%20Detection%20Model%3A%20Leveraging%20Data%20Relationships%20to%20Generate%20Windows%20Event%20XPath%20Queries%20(openthreatresearch.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-630531022%22%20id%3D%22toc-hId-630557740%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%20id%3D%22toc-hId-1256305397%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOk%2C%20But%2C%20How%20Do%20I%26nbsp%3BPass%26nbsp%3Bthe%20JSON%20file%26nbsp%3Bto%26nbsp%3Bour%20Initial%26nbsp%3BARM%20template%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20our%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json%23L159%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Einitial%20ARM%20templ
ate%3C%2FA%3E%2C%20we%20had%20the%20XPath%20query%26nbsp%3Bas%26nbsp%3Ban%20ARM%20template%20variable%20as%20shown%20in%20the%20image%20below.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_1-1624585923557.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291167i9C07EB631AAF2443%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_1-1624585923557.png%22%20alt%3D%22Cyb3rWard0g_1-1624585923557.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20could%20also%20have%20it%20as%20a%20template%20parameter.%20However%2C%20it%20is%20%3CSTRONG%3Enot%20flexible%26nbsp%3Benough%20to%20define%20multiple%20DCRs%20or%20even%20update%20the%20whole%20DCR%20Data%20Source%20object%3C%2FSTRONG%3E%26nbsp%3B(Think%20about%20future%20coverage%20beyond%20Windows%20logs).%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%222%22%20id%3D%22toc-hId--1176923441%22%20id%3D%22toc-hId--1176896723%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%20id%3D%22toc-hId-147012875%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Collection%20Rules%20%E2%80%93%20CREATE%20API%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFor%20
more%20complex%20use%20cases%2C%20I%20would%20use%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fmonitor%2Fdata-collection-rules%2Fcreate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDCR%20Create%20API.%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BThis%20can%20be%26nbsp%3Bexecuted%26nbsp%3Bvia%20a%20PowerShell%20script%20which%20can%20also%26nbsp%3Bbe%26nbsp%3Bused%20inside%20of%20an%20ARM%20template%26nbsp%3Bvia%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Ftemplates%2Fdeployment-script-template%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Edeployment%20scripts%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Keep%20in%20mind%20that%2C%20the%20deployment%20script%20resource%20requires%20an%20identity%20to%20execute%20the%20script.%26nbsp%3BThis%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%23managed-identity-types%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Emanaged%20identity%20of%20type%20user-assigned%3C%2FA%3E%20can%20be%20created%20at%20deployment%20time%20and%20used%20to%20create%20the%20DCRs%26nbsp%3Bprogrammatically.%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-1439672111%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%20id%3D%22toc-hId--1531358869%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--367782352
%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId-956153964%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EPowerShell%20Script%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20you%20have%20an%20Azure%20Sentinel%20instance%20without%20the%20data%20connector%20enabled%2C%20you%20can%20use%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fresources%2Fscripts%2FCreate-DataCollectionRules.ps1%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Efollowing%20PowerShell%20script%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20create%20DCRs%20in%20it.%20This%20is%20good%20for%20testing%20and%20it%20also%20works%20in%20ARM%20templates.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EKeep%20in%20mind%2C%20that%20you%20would%26nbsp%3Bneed%20to%20have%20a%20file%20where%20you%20can%20define%20the%20structure%20of%20the%20%3CSTRONG%3EwindowsEventLogs%3C%2FSTRONG%3E%26nbsp%3Bdata%20source%20object%20used%20in%20the%20creation%20of%20DCRs.%20We%20created%20that%20in%20the%20previous%20section%20remember%3F%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EHere%20is%20where%20we%20can%20use%20the%20OSSEM%20Detection%20Model%20XPath%20Queries%20File%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3B)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20da
ta-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%2Fossem-attack%2Fossem-attack.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fossem-attack.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFileExample.json%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%22windowsEventLogs%22%3A%26nbsp%3B%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Name%22%3A%26nbsp%3B%20%22eventLogsDataSource%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22scheduledTransferPeriod%22%3A%26nbsp%3B%20%22PT1M%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22streams%22%3A%26nbsp%3B%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Microsoft-SecurityEvent%22%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nb
sp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5D%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%20%20%20%20%20%20%22xPathQueries%22%3A%26nbsp%3B%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5141)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5137)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5136%20or%26nbsp%3BEventID%3D5139)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4688)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4660)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4656%20or%26nbsp%3BEventID%3D4661)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4670)%5D%5D%22%3C%2FSPAN%3E%3CSPAN%
20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%20%20%20%20%20%20%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERun%20Script%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOnce%20you%20have%20a%20JSON%20file%20similar%20to%20the%20one%20in%20the%20previous%20section%2C%20you%20can%20run%20the%20script%20from%20a%20PowerShell%20console%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%5CCreate-DataCollectionRules.ps1%20-WorkspaceId%26nbsp%3Bxxxx%26nbsp%3B-WorkspaceResourceId%26nbsp%3Bxxxx%26nbsp%3B-ResourceGroup%26nbsp%3BMYGROUP%20-Kind%20Windows%20-DataCollectionRuleName%26nbsp%3BWinDCR%26nbsp%3B-DataSourcesFile%26nbsp%3BFileExample.json%26nbsp%3B-Location%26nbsp%3Beastus%26nbsp%3B%E2%80%93verbose%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOne%20thing%20to%20remember%20is%26nbsp%3Bthat%20you%20can%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eonly%20have%2010%20Data%20Collection%20rules%3C%2
FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20That%20is%20different%20than%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EXPath%20queries%20inside%20of%20one%20DCR%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20If%20you%26nbsp%3Battempt%20to%26nbsp%3Bcreate%20more%20than%2010%20DCRs%2C%20you%20will%20get%20the%20following%20error%20message%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3EERROR%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EVERBOSE%3A%26nbsp%3B%40%7BHeaders%3DSystem.Object%5B%5D%3B%20Version%3D1.1%3B%26nbsp%3BStatusCode%3D400%3B%20Method%3DPUT%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EContent%3D%7B%22error%22%3A%7B%22code%22%3A%22InvalidPayload%22%2C%22message%22%3A%22Data%26nbsp%3Bcollection%20rule%20is%26nbsp%3Binvalid%22%2C%22details%22%3A%5B%7B%22code%22%3A%22InvalidProperty%22%2C%22message%22%3A%22'Data%26nbsp%3BSources.%20Windows%20Event%20Logs'%20item%20count%20should%20be%2010%20or%20less.%20Specified%20list%20has%2011%20items.%22%2C%22target%22%3A%22Properties.DataSources.WindowsEventLogs%22%7D%5D%7D%7D%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlso%2C%20if%20you%20have%20duplicate%20XPath%20queries%20in%20one%20DCR%2C%20you%20
would%26nbsp%3Bget%20the%20following%20message%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3EERROR%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EVERBOSE%3A%26nbsp%3B%40%7BHeaders%3DSystem.Object%5B%5D%3B%20Version%3D1.1%3B%26nbsp%3BStatusCode%3D400%3B%20Method%3DPUT%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EContent%3D%7B%22error%22%3A%7B%22code%22%3A%22InvalidPayload%22%2C%22message%22%3A%22Data%26nbsp%3Bcollection%20rule%20is%26nbsp%3Binvalid%22%2C%22details%22%3A%5B%7B%22code%22%3A%22InvalidDataSource%22%2C%22message%22%3A%22'X%26nbsp%3BPath%20Queries'%20items%20must%20be%20unique%20(case-insensitively).%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDuplicate%20names%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3ESecurity!*%5BSystem%5B(EventID%3D4688)%5D%5D%2CSecurity!*%5BSystem%5B(EventID%3D4656)%5D%5D.%22%2C%22target%22%3A%22Properties.DataSources.WindowsEventLogs%5B0%5D.XPathQueries%22%7D%5D%7D%7D%7D%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-2119730481%22%20id%3D%22toc-hId-2119757199%22%20id%
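The whole pipeline described above (relationships grouped by ATT&CK data source, a QueryList XML file for local validation with Get-WinEvent, and a windowsEventLogs data source for the DCR), together with a local pre-flight check for the two rejections the Create API returned, as an added example in Python. This is not code from the post, from Azure-Sentinel2Go or from the OSSEM projects. The relationship records are constructed, and their field names are an assumption about the OSSEM DM YAML layout; the DCR body shape (dataSources, destinations, dataFlows) follows the DCR resource schema, while the REST PUT itself is left to the Create-DataCollectionRules.ps1 script linked above. It goes beyond the single scheduled-job case in the text: any number of relationships can be fed in, and the payload is refused locally before a PUT would fail.

```python
"""OSSEM DM style relationships -> QueryList XML -> DCR windowsEventLogs data
source, with a pre-flight check for the two DCR Create API rejections above."""
import json
import xml.etree.ElementTree as ET

# Constructed sample records (field names mirror the OSSEM DM relationship
# YAML files as an assumption; real files would be loaded with PyYAML).
RELATIONSHIPS = [
    {"name": "User created Scheduled Job",
     "attack": {"data_source": "scheduled job"},
     "security_events": [{"event_id": 4698, "log_channel": "Security"}]},
    {"name": "User modified or deleted Scheduled Job",
     "attack": {"data_source": "scheduled job"},
     "security_events": [{"event_id": 4702, "log_channel": "Security"},
                         {"event_id": 4699, "log_channel": "Security"}]},
    {"name": "Process created Process",
     "attack": {"data_source": "process"},
     "security_events": [{"event_id": 4688, "log_channel": "Security"}]},
]
MAX_WINDOWS_EVENT_LOG_ENTRIES = 10  # limit reported by the Create API error above
SECURITY_STREAM = "Microsoft-SecurityEvent"  # stream used for the Security channel


def relationship_xpaths(rel):
    """One 'Channel!xpath' per channel; event IDs on the same channel are joined
    with 'or', the shape the post uses for (EventID=5136 or EventID=5139)."""
    by_channel = {}
    for ev in rel["security_events"]:
        if ev["log_channel"] != "Security":
            # Only the Security channel feeds Microsoft-SecurityEvent; refuse
            # other channels instead of silently routing them into that stream.
            raise ValueError("%s: unsupported channel %s" % (rel["name"], ev["log_channel"]))
        by_channel.setdefault(ev["log_channel"], []).append(int(ev["event_id"]))
    return ["%s!*[System[(%s)]]" % (ch, " or ".join("EventID=%d" % i for i in ids))
            for ch, ids in by_channel.items()]


def build_datasources(relationships, transfer_period="PT1M"):
    """One windowsEventLogs entry per ATT&CK data source, so the DCR keeps the
    ATT&CK mapping visible instead of one flat list of queries."""
    groups = {}
    for rel in relationships:
        groups.setdefault(rel["attack"]["data_source"], []).extend(relationship_xpaths(rel))
    return {"windowsEventLogs": [
        {"name": ds.replace(" ", "_") + "_DataSource",
         "scheduledTransferPeriod": transfer_period,
         "streams": [SECURITY_STREAM],
         "xPathQueries": queries} for ds, queries in groups.items()]}


def validate_datasources(datasources):
    """Apply locally the two rules behind the 400 InvalidPayload errors above:
    at most 10 windowsEventLogs entries, and XPath queries unique
    (case-insensitively) within an entry. Returns the list of problems found."""
    problems = []
    entries = datasources.get("windowsEventLogs", [])
    if len(entries) > MAX_WINDOWS_EVENT_LOG_ENTRIES:
        problems.append("InvalidProperty: windowsEventLogs has %d items, limit is %d"
                        % (len(entries), MAX_WINDOWS_EVENT_LOG_ENTRIES))
    for idx, entry in enumerate(entries):
        seen, dups = set(), []
        for q in entry.get("xPathQueries", []):
            if q.lower() in seen:
                dups.append(q)
            seen.add(q.lower())
        if dups:
            problems.append("InvalidDataSource: windowsEventLogs[%d] duplicate queries: %s"
                            % (idx, ",".join(dups)))
    return problems


def to_querylist_xml(datasources):
    """Render the same queries as <Query>/<Select> pairs so they can be checked
    on an endpoint first with Get-WinEvent -FilterXml."""
    root = ET.Element("QueryList")
    qid = 0
    for entry in datasources["windowsEventLogs"]:
        for q in entry["xPathQueries"]:
            channel, xpath = q.split("!", 1)
            query = ET.SubElement(root, "Query", Id=str(qid), Path=channel)
            ET.SubElement(query, "Select", Path=channel).text = xpath
            qid += 1
    return ET.tostring(root, encoding="unicode")


def build_dcr_body(datasources, workspace_resource_id, location):
    """Complete DCR resource body for the Create API PUT: the data sources plus
    the destination and data flow that route the stream to the workspace. The
    PUT itself (URL, api-version, bearer token) is left to the linked script."""
    return {"location": location, "kind": "Windows", "properties": {
        "dataSources": datasources,
        "destinations": {"logAnalytics": [
            {"workspaceResourceId": workspace_resource_id, "name": "SentinelWorkspace"}]},
        "dataFlows": [{"streams": [SECURITY_STREAM], "destinations": ["SentinelWorkspace"]}]}}


if __name__ == "__main__":
    ds = build_datasources(RELATIONSHIPS)
    for problem in validate_datasources(ds):
        print("would be rejected:", problem)
    print(to_querylist_xml(ds))        # save as .xml for Get-WinEvent -FilterXml
    print(json.dumps(ds, indent=2))    # the -DataSourcesFile input for the script
```

The validator deliberately mirrors the server's two rules rather than trying to be clever: the entry limit is checked on the list the error targets (Properties.DataSources.WindowsEventLogs), and duplicates are compared after lower-casing, which is why the second query in the duplicate case is reported even though it differs in case. Grouping by ATT&CK data source is what pushes a real OSSEM export over the 10-entry limit, so check the output of build_datasources before handing it to the script.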
3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--851300499%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EARM%20Template%3A%26nbsp%3BDeploymentScript%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3BResource%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20that%20you%20know%20how%20to%20use%20a%20PowerShell%20script%20to%20create%20DCRs%20directly%20to%20your%20Azure%20Sentinel%20instance%2C%20we%20can%20use%20it%20inside%20of%20an%20ARM%20template%20and%20make%20it%20point%20to%20the%20JSON%20file%20that%20contains%20all%20the%20XPath%20queries%20in%20the%20right%20format%20contributed%20by%20the%20OSSEM%20DM%20project.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20the%20template%20I%20use%20to%20put%20it%20all%20together%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-DeploymentScript.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-312276018%22%20id%3D%22toc-hId-312302736%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%2
2toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-1636212334%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhat%20about%20the%20DCR%20Associations%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20still%20need%20to%20associate%20the%20DCR%20with%20a%20virtual%20machine.%20However%2C%20we%20can%20keep%20doing%20that%20within%20the%20template%20leveraging%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Fassociation.json%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDCRAs%20Azure%20resource%20linked%20template%3C%2FA%3E%26nbsp%3Binside%20of%20the%20main%20template.%20Just%20in%20case%20you%20were%20wondering%20how%20I%20call%20the%20linked%20template%20from%20the%20main%20template%2C%20I%20do%20it%20this%20way%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json%23L285-L311%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-DeploymentScript.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_2-1624586850130.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291168i404F0CE22E18FBD6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22but
How Do I Deploy the New Template?

The same way we deployed the initial one. If you want the Easy Button, simply browse to the URL below and click on the blue button highlighted in the image below:

Link: Azure-Sentinel2Go/grocery-list/Win10/demos at master · OTRF/Azure-Sentinel2Go (github.com) <https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Win10/demos>

Cyb3rWard0g_3-1624587103977.png

Wait 5-10 mins!

Cyb3rWard0g_4-1624587184135.png

Enjoy it!

Cyb3rWard0g_6-1624588013944.png

That's it! You now know two ways to deploy and test the new data connector and Data Collection Rules features with XPath query capabilities. I hope this was useful. Those were all my notes while testing and developing templates to create a lab environment so that you could also expedite the testing process!

Feedback is greatly appreciated! Thank you to the OSSEM team <https://github.com/OTRF/OSSEM> and the Open Threat Research (OTR) community <https://twitter.com/OTR_Community> for helping us operationalize the research they share with the community! Thank you, Jose Rodriguez <https://twitter.com/Cyb3rPandaH>.

Demo Links

- Azure-Sentinel2Go/grocery-list/Win10/demos at master · OTRF/Azure-Sentinel2Go (github.com) <https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Win10/demos>
- Azure-Sentinel2Go/azure-sentinel/linkedtemplates/data-collection-rules at master · OTRF/Azure-Sentinel2Go (github.com) <https://github.com/OTRF/Azure-Sentinel2Go/tree/master/azure-sentinel/linkedtemplates/data-collection-rules>
- Azure-Sentinel2Go/azure-sentinel/linkedtemplates/data-collection-rules/rules at master · OTRF/Azure-Sentinel2Go (github.com) <https://github.com/OTRF/Azure-Sentinel2Go/tree/master/azure-sentinel/linkedtemplates/data-collection-rules/rules>
- Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com) <https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/ossem-attack.json>

References

- XPath Tutorial (w3schools.com) <https://www.w3schools.com/xml/xpath_intro.asp>
- Configure data collection for the Azure Monitor agent (preview) - Azure Monitor | Microsoft Docs <https://review.docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#limit-data-collection-with-custom-xpath-queries>
- Data Collection Rules in Azure Monitor (preview) - Azure Monitor | Microsoft Docs <https://review.docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-overview?branch=main>
- Connect Windows security event data to Azure Sentinel (tabbed version) | Microsoft Docs <https://review.docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?branch=main&tabs=LAA>
- Connect Windows security event data to Azure Sentinel (tabbed version) | Microsoft Docs <https://review.docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?branch=main&tabs=AMA>
- Microsoft.Insights/dataCollectionRuleAssociations - ARM template reference | Microsoft Docs <https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionruleassociations?tabs=json>
- Advanced XML filtering in the Windows Event Viewer - Microsoft Tech Community <https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761>
- Consuming Events (Windows Event Log) - Win32 apps | Microsoft Docs <https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events>
- Azure Monitor agent overview - Azure Monitor | Microsoft Docs <https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=CLI1,CLI2>
- A powerful agent for Azure Monitor and a simpler world of data collection; now generally available! - Microsoft Tech Community <https://techcommunity.microsoft.com/t5/azure-monitor/a-powerful-agent-for-azure-monitor-and-a-simpler-world-of-data/ba-p/2443285>
- Data Collection Rules - REST API (Azure Monitor) | Microsoft Docs <https://docs.microsoft.com/en-us/rest/api/monitor/data-collection-rules>
- Data Collection Rule Associations - REST API (Azure Monitor) | Microsoft Docs <https://docs.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations>
- XML Path Language (XPath) (w3.org) <https://www.w3.org/TR/1999/REC-xpath-19991116/#predicates>
- Managed identities for Azure resources | Microsoft Docs <https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types>
- Configure managed identities using the Azure portal - Azure AD | Microsoft Docs <https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm>
22button%22%20title%3D%22Cyb3rWard0g_0-1624563350650.png%22%20alt%3D%22Cyb3rWard0g_0-1624563350650.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1562964006%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%20id%3D%22toc-hId--1856955093%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EA%20New%20Version%3F%26nbsp%3BWhat%20is%20New%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId--872402532%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%20id%3D%22toc-hId-759640459%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-1615110301%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%20id%3D%22toc-hId--1047814004%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Connector%26nbsp%3BDeployment%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBesides%20usi
ng%20the%20Log%20Analytics%20Agent%26nbsp%3Bto%20collect%20and%26nbsp%3Bship%20events%2C%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eold%26nbsp%3Bconnector%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Buses%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ftemplates%2Fmicrosoft.operationalinsights%2Fworkspaces%2Fdatasources%3Ftabs%3Djson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Sources%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bresource%26nbsp%3Bfrom%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ftemplates%2Fmicrosoft.operationalinsights%2Fworkspaces%3Ftabs%3Djson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ELog%20Analytics%20Workspace%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bresource%26nbsp%3Bto%20set%20the%20collection%20tier%20of%26nbsp%3BWindows%26nbsp%3Bsecurity%20events.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_1-1624563350661.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291050i6B0B34224AC3FD06%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_1-1624563350661.png%22%20alt%3D%22Cyb3rWard0g_1-1624563350661.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EThe%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3C
SPAN%20data-contrast%3D%22none%22%3Enew%26nbsp%3Bconnector%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20on%20the%20other%20hand%2C%20uses%20a%20combination%20of%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ftemplates%2Fmicrosoft.insights%2Fdatacollectionrules%3Ftabs%3Djson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Connection%20Rules%26nbsp%3B(DCR)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fagents%2Fdata-collection-rule-azure-monitor-agent%23data-collection-rule-associations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Connector%20Rules%26nbsp%3BAssociation%26nbsp%3B(DCRA)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%20DCRs%26nbsp%3Bdefine%26nbsp%3Bwhat%20data%20to%20collect%20and%20where%20it%20should%20be%20sent.%26nbsp%3BHere%20is%20where%20we%20can%20set%20it%20to%20send%20data%20to%20the%20log%20analytics%20workspace%20backing%20up%20our%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Binstance.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_2-1624563350663.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291051iF978EEBE3595B7DC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%
22button%22%20title%3D%22Cyb3rWard0g_2-1624563350663.png%22%20alt%3D%22Cyb3rWard0g_2-1624563350663.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EIn%20order%20to%20apply%20a%20DCR%20to%20a%20virtual%20machine%2C%20one%20needs%20to%20create%20an%20association%26nbsp%3Bbetween%20the%20machine%20and%20the%20rule.%26nbsp%3BA%20virtual%20machine%20may%20have%20an%20association%26nbsp%3Bwith%26nbsp%3Bmultiple%20DCRs%2C%20and%20a%20DCR%20may%20have%20multiple%20virtual%20machines%20associated%26nbsp%3Bwith%26nbsp%3Bit.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_3-1624563350658.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291053i9B3AE8FBDE7E1789%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_3-1624563350658.png%22%20alt%3D%22Cyb3rWard0g_3-1624563350658.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFor%20more%26nbsp%3Bdetailed%26nbsp%3Binformation%20about%20setting%20up%20the%20Windows%20Security%20Events%20connector%20with%20
both%20Log%20Analytics%20Agent%20and%20Azure%20Monitor%20Agents%20%3CSTRONG%3Emanually%3C%2FSTRONG%3E%2C%20take%20a%20look%20at%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%3Fbranch%3Dmain%26amp%3Btabs%3DLAA%23set-up-the-windows-security-events-connector%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ethis%20document%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--192344162%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%20id%3D%22toc-hId-1439698829%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Collection%26nbsp%3BFiltering%20Capabilities%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eold%20connector%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bis%20not%20flexible%20enough%20to%20choose%26nbsp%3Bwhat%26nbsp%3Bspecific%20events%20to%20collect.%20For%20example%2C%20these%20are%20the%20only%20options%20to%20collect%20data%20from%20Windows%20machines%20with%20the%20old%20connector%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%
26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2241%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAll%20events%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B-%20All%20Windows%20security%20and%20AppLocker%20events.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2241%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECommon%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B-%20A%20standard%20set%20of%20events%20for%20auditing%20purposes.%26nbsp%3BThe%20Common%20event%20set%20may%20contain%20some%20types%20of%20events%20that%20aren't%20so%20common.%20This%20is%20because%20the%20main%20point%20of%20the%20Common%20set%20is%20to%20reduce%20the%20volume%20of%20events%20to%20a%20more%20manageable%20level%2C%20while%20still%20maintaining%20full%20audit%20trail%20capability.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2241%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMinimal%3C%2FSPAN%3E%3C%2FST
RONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B-%20A%20small%20set%20of%20events%20that%20might%20indicate%20potential%20threats.%20This%20set%20does%20not%20contain%20a%20full%20audit%20trail.%20It%20covers%20only%20events%20that%20might%20indicate%20a%20successful%20breach%2C%20and%20other%20important%20events%20that%20have%20very%20low%20rates%20of%20occurrence.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2241%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENone%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B-%20No%20security%20or%20AppLocker%20events.%20(This%20setting%20is%20used%20to%20disable%20the%20connector.)%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAccording%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%3Fbranch%3Dmain%26amp%3Btabs%3DLAA%23event-id-reference%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20these%20are%20the%26nbsp%3Bpre-defined%26nbsp%3Bsecurity%26nbsp%3Bevent%26nbsp%3Bcollection%26nbsp%3Bgroups%20depending%20on%20the%20tier%20set%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%
3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_4-1624563350652.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291052iC2BEBDCEB748311A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_4-1624563350652.png%22%20alt%3D%22Cyb3rWard0g_4-1624563350652.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOn%20the%20other%20hand%2C%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Enew%20connector%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Ballows%20custom%26nbsp%3Bdata%20collection%26nbsp%3Bvia%20%3CSTRONG%3EXPath%20queries%3C%2FSTRONG%3E.%26nbsp%3BThese%20%3CSTRONG%3EXPath%20queries%3C%2FSTRONG%3E%20are%20defined%20during%20the%20creation%20of%20the%20data%20collection%20rule%26nbsp%3Band%20are%26nbsp%3Bwritten%20in%20the%20form%26nbsp%3Bof%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELogName!XPathQuery%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3BHere%20are%20a%20few%20examples%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2239%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECollect%20only%20Security%20events%20
with%20Event%20ID%20%3D%204624%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESecurity!*%5BSystem%5B(EventID%3D4624)%5D%5D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2239%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECollect%20only%20Security%20events%20with%20Event%20ID%20%3D%204624%20or%20Security%20Events%20with%20Event%20ID%20%3D%204688%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESecurity!*%5BSystem%5B(EventID%3D4624%20or%26nbsp%3BEventID%3D4688)%5D%5D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2237%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECollect%20only%20Security%20events%20with%20Event%20ID%20%3D%204688%20and%20with%20a%20process%20name%20of%26nbsp%3Bconsent.exe.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B
134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESecurity!*%5BSystem%5B(EventID%3D4688)%5D%5D%20and%26nbsp%3B*%5BEventData%5BData%5B%40Name%3D%E2%80%99ProcessName%E2%80%99%5D%3D%E2%80%99C%3A%5CWindows%5CSystem32%5Cconsent.exe%E2%80%99%5D%5D%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20select%20the%20%3CSTRONG%3Ecustom%3C%2FSTRONG%3E%20option%20to%20select%20which%20events%20to%20stream%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_5-1624563350659.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291054i880C763609ED9DF3%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_5-1624563350659.png%22%20alt%3D%22Cyb3rWard0g_5-1624563350659.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1999798625%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%20id%3D%22toc-hId--367755634%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EImportant!%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto
%22%3EBased%20on%26nbsp%3Bthe%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%3Fbranch%3Dmain%26amp%3Btabs%3DAMA%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Enew%26nbsp%3Bconnector%26nbsp%3Bdocs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20make%20sure%20to%20query%20only%20Windows%20Security%20and%20AppLocker%20logs.%20Events%20from%20other%20Windows%20logs%2C%20or%20from%20security%20logs%20from%20other%20environments%2C%20may%20not%20adhere%20to%20the%20Windows%20Security%20Events%20schema%20and%26nbsp%3Bwon%E2%80%99t%26nbsp%3Bbe%20parsed%20properly%2C%20in%20which%20case%20they%20won%E2%80%99t%20be%20ingested%20to%20your%20workspace.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlso%2C%26nbsp%3Bthe%20Azure%20Monitor%20agent%20supports%20XPath%20queries%20for%20XPath%20version%201.0%20only.%20I%20recommend%20reading%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fwes%2Fconsuming-events%23xpath-10-limitations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EXpath%201.0%20Limitation%20documentation%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbefore%20writing%20XPath%20Queries.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--2010301729%22%20id%3D%22toc-hId-1990674480%22%20i
d%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%20id%3D%22toc-hId-1990674480%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EXPath%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EXPath%20stands%20for%20XML%26nbsp%3B(Extensible%20Markup%26nbsp%3BLanguage)%26nbsp%3BPath%26nbsp%3Blanguage%2C%26nbsp%3Band%26nbsp%3Bit%26nbsp%3Bis%20used%20to%20explore%20and%20model%20XML%20documents%20as%20a%20tree%20of%20nodes.%20Nodes%26nbsp%3Bcan%20be%20represented%20as%20%3CSTRONG%3Eelements%3C%2FSTRONG%3E%2C%20%3CSTRONG%3Eattributes%3C%2FSTRONG%3E%2C%26nbsp%3Band%20%3CSTRONG%3Etext%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIn%20the%20image%20below%2C%20we%20can%20see%20a%20few%20node%20examples%20in%26nbsp%3Bthe%26nbsp%3BXML%20representation%20of%20a%20Windows%20security%26nbsp%3Bevent%3A%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_6-1624563350669.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291057iA84CA44228260CCC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_6-1624563350669.png
%22%20alt%3D%22Cyb3rWard0g_6-1624563350669.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-477211104%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%20id%3D%22toc-hId-183220017%22%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EXPath%20Queries%3F%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EXPath%20queries%20are%20used%20to%20search%20for%26nbsp%3Bpatterns%26nbsp%3Bin%26nbsp%3BXML%20documents%20and%26nbsp%3Bleverage%26nbsp%3Bpath%20expressions%20and%26nbsp%3Bpredicates%20to%26nbsp%3Bfind%20a%20node%20or%20filter%26nbsp%3Bspecific%20nodes%26nbsp%3Bthat%20contain%20a%20specific%20value.%26nbsp%3BWildcards%20such%20as%20%E2%80%98%3CSTRONG%3E*%3C%2FSTRONG%3E%E2%80%99%20and%20%E2%80%98%3CSTRONG%3E%40%3C%2FSTRONG%3E%E2%80%99%20are%20used%20to%20select%20nodes%20and%20predicates%20are%20always%20embedded%20in%20square%20brackets%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%9C%5B%5D%E2%80%9D.%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%222%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-472609099%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId--1495151727%22%20id%3D%22toc-hId-
-1495151727%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMatching%26nbsp%3Bany%20element%20node%26nbsp%3Bwith%20%E2%80%98*%E2%80%99%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUsing%20our%26nbsp%3Bprevious%26nbsp%3BWindows%20Security%20event%20XML%20example%2C%20we%20can%26nbsp%3Bprocess%20Windows%20Security%20events%26nbsp%3Busing%26nbsp%3Bthe%20wildcard%20%E2%80%98%3CSTRONG%3E*%3C%2FSTRONG%3E%E2%80%99%26nbsp%3Bat%20the%20%60Element%60%26nbsp%3Bnode%26nbsp%3Blevel.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%26nbsp%3Bexample%20below%20walks%20through%26nbsp%3Btwo%26nbsp%3B%E2%80%98%3CSTRONG%3EElement%3C%2FSTRONG%3E%E2%80%99%26nbsp%3Bnodes%20to%20get%20to%20the%26nbsp%3B%E2%80%98%3CSTRONG%3EText%3C%2FSTRONG%3E%E2%80%99%20node%20of%20value%26nbsp%3B%E2%80%984688%E2%80%99.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_7-1624563350628.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291056i467F07A87C900F2D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_7-1624563350628.png%22%20alt%3D%22Cyb3rWard0g_7-1624563350628.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20test%20this%20basic%20%E2%80%98%3CSTRONG%3EXPath%3C%2FSTRONG%3E%E2%80%99%20query%20via%20PowerShell.
- Open a PowerShell console as 'Administrator'.
- Use the Get-WinEvent command (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1) to pass the XPath query.
- Use the 'LogName' parameter to define what event channel to run the query against.
- Use the 'FilterXPath' parameter to set the XPath query.

Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4688]]'

Cyb3rWard0g_8-1624563350630.png

Matching any attribute node with '@'

As shown before, 'Element' nodes can contain 'Attributes', and the '@' prefix lets us address an 'Attribute' node inside the query. The example below extends the previous one and adds a filter for the 'Data' element whose 'Name' attribute is 'ParentProcessName' and whose text is 'C:\Windows\System32\cmd.exe'.

Cyb3rWard0g_9-1624563350632.png

Once again, you can test the XPath query via PowerShell as Administrator.

$XPathQuery = "*[System[EventID=4688]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]"
Get-WinEvent -LogName Security -FilterXPath $XPathQuery

Cyb3rWard0g_10-1624563350633.png
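The two commands above return raw event objects, which makes it hard to see why the attribute filter matches. The script below is an added example, not code from the original post or from Azure-Sentinel2Go: it wraps Get-WinEvent in a small test function that handles the "no events" case (Get-WinEvent raises a terminating error when nothing matches) and renders the first hit as XML so the System/EventData structure the query walks is visible. It assumes an elevated PowerShell session on a Windows host that audits process creation (event ID 4688); the function and parameter names are my own.

```powershell
# Added example (not from the original post): exercise an XPath filter against a
# local channel with Get-WinEvent and show the XML the query is matched against.
# Assumes an elevated PowerShell session on a Windows host that audits process
# creation (event ID 4688); function and parameter names are my own.

function Test-XPathQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $XPath,
        [string] $LogName   = 'Security',
        [int]    $MaxEvents = 5
    )

    try {
        # Get-WinEvent throws a terminating error when nothing matches, so the
        # "no events" case is handled explicitly instead of surfacing as a failure.
        $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            Write-Warning "Query parsed but matched no events in '$LogName': $XPath"
            return [pscustomobject]@{ XPath = $XPath; Matched = 0; Sample = $null }
        }
        # Anything else (bad XPath syntax, unsupported function, missing channel) is a real error.
        throw
    }

    # Render the first hit as XML so the System/EventData structure the query
    # navigates is visible: EventData/Data elements carry a Name attribute, and
    # the value being compared is the element text, not the attribute.
    [xml]$first = $events[0].ToXml()
    $parent = ($first.Event.EventData.Data | Where-Object Name -eq 'ParentProcessName').'#text'

    [pscustomobject]@{
        XPath   = $XPath
        Matched = @($events).Count
        Sample  = [pscustomobject]@{
            EventId           = $first.Event.System.EventID
            TimeCreated       = $first.Event.System.TimeCreated.SystemTime
            ParentProcessName = $parent
        }
    }
}

# The two queries from the post, run back to back.
Test-XPathQuery -XPath '*[System[EventID=4688]]'
Test-XPathQuery -XPath "*[System[EventID=4688]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]"
```

Two things worth knowing when a query fails here: the Windows Event Log engine only supports a subset of XPath 1.0 (the functions it accepts are position(), Band() and timediff()), so a query written with contains() or starts-with() will be rejected at parse time, and the same query text, prefixed with the channel name, is what later goes into the data collection rule, so a query that fails in Get-WinEvent will not start collecting once deployed either.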
Can I Use XPath Queries in Event Viewer?

Every time you add a filter through the Event Viewer UI, you can also get to the XPath query representation of the filter. The XPath query is part of a QueryList node, which allows you to define and run multiple queries at once.

Cyb3rWard0g_11-1624563350665.png

We can take our previous example, where we searched for a specific attribute, and run it through the Event Viewer Filter XML UI.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]</Select>
  </Query>
</QueryList>

Cyb3rWard0g_12-1624563350667.png

Now that we have covered some of the main changes and features of the new version of the Windows Security Events data connector, it is time to show you how to create a lab environment where you can test your own XPath queries for research purposes and before pushing them to production.
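Event Viewer hands you a QueryList, but the data collection rule wants plain "Channel!XPath" strings. The script below is an added example, not code from the original post or from Azure-Sentinel2Go: it first runs a QueryList document through Get-WinEvent -FilterXml to confirm the event log API accepts it, then translates each Select element into the string form the connector's rules use. The QueryList is constructed for this example (the second Query, with a Suppress clause, is there to show the one construct that has no direct DCR equivalent); the function name is my own, and the run assumes an elevated session.

```powershell
# Added example (not from the original post): run an Event Viewer QueryList
# through Get-WinEvent -FilterXml, then translate each <Select> into the
# "Channel!XPath" form used by the connector's data collection rules.
# The QueryList below is constructed for this example; the function name is my own.

$QueryListXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='LogonType']='5']]</Suppress>
  </Query>
</QueryList>
'@

function ConvertTo-DcrXPathQuery {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $QueryList)

    [xml]$doc = $QueryList
    foreach ($query in $doc.QueryList.Query) {
        foreach ($select in @($query.Select)) {
            # Path on <Select> wins over Path on <Query>; one of them must name the channel.
            $channel = if ($select.Path) { $select.Path } else { $query.Path }
            if (-not $channel) { throw "Query Id=$($query.Id) has no channel Path" }
            # DCR xPathQueries entries are "<channel>!<xpath>" strings.
            '{0}!{1}' -f $channel, $select.'#text'.Trim()
        }
        if ($query.Suppress) {
            # The windowsEventLogs data source has no Suppress counterpart in the
            # format shown in the post, so these clauses are reported, not converted.
            Write-Warning "Query Id=$($query.Id): Suppress clause has no DCR equivalent; fold it into the Select expression"
        }
    }
}

# 1. Confirm the QueryList itself is accepted by the event log API (elevated session).
$hits = Get-WinEvent -FilterXml ([xml]$QueryListXml) -MaxEvents 10 -ErrorAction SilentlyContinue
"QueryList returned $(@($hits).Count) event(s)"

# 2. Produce the strings to paste into the DCR's xPathQueries array.
ConvertTo-DcrXPathQuery -QueryList $QueryListXml
```

For the constructed input the converter emits "Security!*[System[(EventID=4688)]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]" and "Security!*[System[(EventID=4624)]]", which is exactly the shape of the xPathQueries entry in the data collection rule resource later in the post, plus a warning for the Suppress clause that you have to resolve by hand.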
Deploy Lab Environment

- Identify the right Azure resources to deploy.
- Create deployment template.
- Run deployment template.

Identify the Right Azure Resources to Deploy

As mentioned earlier in this post, the old connector uses the Data Sources resource (https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces/datasources?tabs=json) from the Log Analytics Workspace resource (https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/workspaces?tabs=json) to set the collection tier of Windows security events.

This is the Azure Resource Manager (ARM) template I use in Azure-Sentinel2Go (https://github.com/OTRF/Azure-Sentinel2Go) to set it up:

Azure-Sentinel2Go/securityEvents.json at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-connectors/securityEvents.json
Data Sources Azure Resource

{
  "type": "Microsoft.OperationalInsights/workspaces/dataSources",
  "apiVersion": "2020-03-01-preview",
  "location": "eastus",
  "name": "WORKSPACE/SecurityInsightsSecurityEventCollectionConfiguration",
  "kind": "SecurityInsightsSecurityEventCollectionConfiguration",
  "properties": {
    "tier": "All",
    "tierSetMethod": "Custom"
  }
}
However, the new connector uses a combination of Data Collection Rules (DCR) (https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) and Data Collection Rule Associations (DCRA) (https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations).

This is the ARM template I use to create data collection rules:

Azure-Sentinel2Go/creation-azureresource.json at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/creation-azureresource.json
Data Collection Rules Azure Resource

{
  "type": "microsoft.insights/dataCollectionRules",
  "apiVersion": "2019-11-01-preview",
  "name": "WindowsDCR",
  "location": "eastus",
  "tags": {
    "createdBy": "Sentinel"
  },
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "eventLogsDataSource",
          "scheduledTransferPeriod": "PT5M",
          "streams": [
            "Microsoft-SecurityEvent"
          ],
          "xPathQueries": [
            "Security!*[System[(EventID=4624)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "SecurityEvent",
          "workspaceId": "AZURE-SENTINEL-WORKSPACEID",
          "workspaceResourceId": "AZURE-SENTINEL-WORKSPACERESOURCEID"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Microsoft-SecurityEvent"
        ],
        "destinations": [
          "SecurityEvent"
        ]
      }
    ]
  }
}

One additional step in the setup of the new connector is the association of the DCR with virtual machines.

This is the ARM template I use to create DCRAs:

Azure-Sentinel2Go/association.json at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/association.json

Data Collection Rule Associations Azure Resource

{
  "name": "WORKSTATION5/microsoft.insights/WindowsDCR",
  "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
  "apiVersion": "2019-11-01-preview",
  "location": "eastus",
  "properties": {
    "description": "Association of data collection rule. Deleting this association will break the data collection for this virtual machine.",
    "dataCollectionRuleId": "DATACOLLECTIONRULEID"
  }
}

What about the XPath Queries?

As shown in the previous section, the XPath query is part of the "dataSources" section of the data collection rule resource. It is defined under the 'windowsEventLogs' data source type.

"dataSources": {
  "windowsEventLogs": [
    {
      "name": "eventLogsDataSource",
      "scheduledTransferPeriod": "PT5M",
      "streams": [
        "Microsoft-SecurityEvent"
      ],
      "xPathQueries": [
        "Security!*[System[(EventID=4624)]]"
      ]
    }
  ]
}
2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1782183087%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%20id%3D%22toc-hId-1243185324%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-705329746%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%20id%3D%22toc-hId--564269139%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECreate%20Deployment%20Template%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20can%26nbsp%3Beasily%26nbsp%3Badd%20all%20those%20ARM%26nbsp%3Btemplates%20to%20an%20%E2%80%98%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-Azure-Sentinel
-Basic.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20%26amp%3B%20Win10%20Workstation%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%20basic%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etemplate%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20just%20need%20to%20make%20sure%20we%26nbsp%3Binstall%20the%26nbsp%3B%3CSTRONG%3EAzure%20Monitor%20Agent%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Einstead%20of%20the%20%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E%26nbsp%3Bone%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eand%20enable%26nbsp%3Bthe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%23managed-identity-types%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Esystem-assigned%20managed%20identity%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ein%20the%20Azure%20VM.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETemplate%20Resource%20List%20to%20Deploy%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%2
2%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAzure%20Sentinel%20Instance%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWindows%20Virtual%20Machine%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAzure%20Monitor%20Agent%20Installed%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESystem-assigned%20managed%20identity%20Enabled.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-l
eveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELog%20Analytics%20Workspace%20ID%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELog%20Analytics%20Workspace%20Resource%20ID%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%20Association%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EData%20Collection%20Rule%20ID%3C%2F
SPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2234%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWindows%20Virtual%20Machine%20Resource%20Name%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20following%20ARM%20template%20can%20be%20used%20for%20our%20first%20basic%26nbsp%3Bscenario%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-AzureResource.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3CBR%20%2F%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1102124717%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%20id%3D%22toc-hId-1923243694%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERun%20Deployment%20Template%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%
3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20deploy%20the%20ARM%20template%20via%20a%20%E2%80%9C%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-resource-manager%2Ftemplates%2Fdeploy-to-azure-button%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeploy%20to%20Azure%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%9D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebutton%26nbsp%3Bor%20via%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcli%2Fazure%2Fwhat-is-azure-cli%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20CLI%3C%2FA%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%223%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20aria-level%3D%223%22%20id%3D%22toc-hId-1514470835%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%20id%3D%22toc-hId-244871950%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%9CDeploy%20to%20Azure%E2%80%9D%26nbsp%3BButton%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3COL%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBrowse%20to%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSP
AN%20data-contrast%3D%22none%22%3EAzure%20Sentinel2Go%20repository%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGo%20to%20grocery-list%2FWin10%2Fdemos.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%20on%20the%20%E2%80%9C%3CSTRONG%3EDeploy%20to%20Azure%3C%2FSTRONG%3E%E2%80%9D%20button%20next%20to%20%E2%80%9C%3CSTRONG%3EAzure%20Sentinel%20%2B%20Win10%20%2B%20DCR%20(DCR%20Resource)%3C%2FSTRONG%3E%E2%80%9D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_0-1624589431099.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291177iAAA49D3342EE5F7D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_0-1624589431099.png%22%20alt%3D%22Cyb3rWard0g_0-1624589431099.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3
EFill%20out%20the%20required%20parameters%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EadminUsername%3A%20admin%20user%20to%20create%20in%20the%20Windows%20workstation.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EadminPassword%3A%20password%20for%20admin%20user.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EallowedIPAddresses%3A%20Public%20IP%20address%20to%26nbsp%3Brestrict%20access%20to%20the%20lab%20environment.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWait%205-10%20mins%20and%20your%20environment%20should%20be%20ready.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH4%20aria-level%3D%223%22%20id%3D%22toc-hId-405178313%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562
582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%20id%3D%22toc-hId--1562582513%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20CLI%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH4%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDownload%20%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FAzure-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Edemo%20template%3C%2FA%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOpen%20a%20terminal%20where%20you%20can%26nbsp%3Brun%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcli%2Fazure%2Finstall-azure-cli%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20CLI%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bfrom%20(i.e.%26nbsp%3BPowerShell).%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELog%20in%20to%20your%20Azure%20Tenant%20locally.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3Eaz%26nbsp%3Blo
gin%3C%2FSPAN%3E%26nbsp%3B%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECreate%20Resource%20Group%20(Optional)%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3Eaz%26nbsp%3Bgroup%20create%20-n%26nbsp%3BAzSentinelDemo%26nbsp%3B-l%26nbsp%3Beastus%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDeploy%20ARM%20template%20locally.%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3Eaz%26nbsp%3Bdeployment%20group%20create%26nbsp%3B%E2%80%93f%26nbsp%3B.%2F%20Win10-DCR-AzureResource.json%20-g%20MYRESOURCRGROUP%20%E2%80%93adminUsername%26nbsp%3BMYUSER%20%E2%80%93adminPassword%26nbsp%3BMYUSERPASSWORD%20%E2%80%93allowedIPAddresses%26nbsp%3Bx.x.x.x%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWait%205-10%20mins%20and%20your%20environment%20should%20be%20ready.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN
%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhether%20you%20use%20the%20UI%20or%20the%20CLI%2C%20you%20can%20monitor%20your%20deployment%26nbsp%3Bby%20going%20to%20Resource%20Group%20%26gt%3B%20Deployments%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_13-1624563350637.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291061iD3FA95B731C7D4A2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_13-1624563350637.png%22%20alt%3D%22Cyb3rWard0g_13-1624563350637.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_14-1624563350638.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291062iC6882B6F8D19BD76%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_14-1624563350638.png%22%20alt%3D%22Cyb3rWard0g_14-1624563350638.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc
-hId--1660441588%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%20id%3D%22toc-hId-666764882%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EVerify%20Lab%20Resources%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId-956153964%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%20id%3D%22toc-hId--313444921%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EOnce%20your%20environment%20is%20deployed%20successfully%2C%20I%20recommend%20verifying%20every%20resource%20that%20was%20deployed.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--851300499%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%20id%3D%22toc-hId--2120899384%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-1636212334%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%20id%3D%22toc-hId-366613449%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Sentinel%20New%20Data%20Connector%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B33555
9740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20will%20see%20the%20%3CSTRONG%3EWindows%20Security%20Events%20(Preview)%3C%2FSTRONG%3E%26nbsp%3Bdata%20connector%20enabled%20with%20a%20custom%20%3CSTRONG%3EData%20Collection%20Rules%20(DCR)%3C%2FSTRONG%3E%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_15-1624563350665.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291065i883D30E9F4EF7004%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_15-1624563350665.png%22%20alt%3D%22Cyb3rWard0g_15-1624563350665.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20you%20edit%20the%20custom%20DCR%2C%20you%20will%20see%20the%20XPath%20query%20and%20the%20resource%20that%20it%20got%20associated%20with.%20The%20image%20below%20shows%20the%20association%20of%20the%20DCR%20with%20a%20machine%20named%20%3CSTRONG%3Eworkstation5.%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_16-1624563350641.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291064iF2D12F48A6172688%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx
%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_16-1624563350641.png%22%20alt%3D%22Cyb3rWard0g_16-1624563350641.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20see%20that%20the%20data%20collection%20is%20set%20to%20%3CSTRONG%3Ecustom%3C%2FSTRONG%3E%20and%2C%20for%20this%20example%2C%20we%20only%20set%20the%20event%20stream%20to%20collect%20events%20with%20%3CSTRONG%3EEvent%20ID%204624%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_17-1624563350642.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291066i01C988E45895710D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_17-1624563350642.png%22%20alt%3D%22Cyb3rWard0g_17-1624563350642.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%223%22%20id%3D%22toc-hId--171242129%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%20id%3D%22toc-hId--1440841014%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EWindows%20Workstation%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EI%20recommend%20to%20RDP%20to%20the%20Windows%20Workstation%20by%20using%20its%20Public%20IP%20Address.%20Go%20to%20your%20resource%20group%20and%20select%20the%20Azure%20VM.%20You%20should%20see%
the public IP address to the right of the screen. This would generate authentication events, which will be captured by the custom DCR associated with the endpoint.

Cyb3rWard0g_18-1624563350668.png

Check Azure Sentinel Logs

Go back to your Azure Sentinel instance, and you should start seeing some events on the Overview page:

Cyb3rWard0g_19-1624563350654.png

Go to Logs and run the following KQL query:

SecurityEvent
| summarize count() by EventID

As you can see in the image below, only events with Event ID 4624 were collected by the Azure Monitor Agent.

Cyb3rWard0g_20-1624563350656.png

You might be asking yourself, "Who would only want to collect events with Event ID 4624 from a Windows endpoint?". Believe it or not, there are network environments where, due to bandwidth constraints, only certain events can be collected. Therefore, this custom filtering capability is amazing and very useful to cover more use cases and even save storage!

Any Good XPath Queries Repositories in the InfoSec Community?

Now that we know the internals of the new connector and how to deploy a simple lab environment, we can test multiple XPath queries depending on your organization's research use cases and bandwidth constraints. There are a few projects that you can use.

Palantir WEF Subscriptions

One of many repositories out there that contain XPath queries is the 'windows-event-forwarding' project from Palantir (https://github.com/palantir/windows-event-forwarding). The XPath queries are inside the Windows Event Forwarding (WEF) subscriptions. We could take all the subscriptions and parse them programmatically to extract all the XPath queries, saving them in a format that can be part of the automated deployment.

You can follow the steps in this document, available in Azure Sentinel To-Go, to extract the XPath queries from the Palantir project:

Azure-Sentinel2Go/README.md at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md

OSSEM Detection Model + ATT&CK Data Sources

From a community perspective, another great resource you can extract XPath queries from is the Open Source Security Event Metadata (OSSEM) Detection Model (DM) project (https://github.com/OTRF/OSSEM-DM). It is a community-driven effort to help researchers model attack behaviors from a data perspective and share relationships identified in security events across several operating systems.

One of the use cases of this initiative is to map all security events in the project to the new 'Data Sources' objects provided by the MITRE ATT&CK framework (https://github.com/mitre-attack/attack-datasources). In the image below, we can see how the OSSEM DM project provides an interactive document (.CSV) for researchers to explore the mappings (research output): https://github.com/OTRF/OSSEM-DM/blob/main/use-cases/mitre_attack/attack_events_mapping.csv

Cyb3rWard0g_21-1624563350666.png

One of the advantages of this project over others is that all its data relationships (https://github.com/OTRF/OSSEM-DM/tree/main/relationships) are in YAML format, which makes them easy to translate to other formats, for example XML. We can use the Event IDs defined in each data relationship documented in OSSEM DM and create XML files with XPath queries in them.

Exploring OSSEM DM Relationships (YAML Files)

Let's say we want to use the relationships related to scheduled jobs in Windows (https://github.com/OTRF/OSSEM-DM/blob/main/relationships/user_created_scheduled_job.yml).

Cyb3rWard0g_22-1624563350657.png

Translate YAML Files to XML Query Lists

We can process all the YAML files and export the data to XML files. One thing that I like about this OSSEM DM use case is that we can group the XML files by ATT&CK data sources (https://github.com/mitre-attack/attack-datasources/tree/main/contribution). This can help organizations organize their data collection in a way that can be mapped to detections or other ATT&CK-based frameworks internally.

We can use the QueryList format to document all 'scheduled jobs relationships' XPath queries in one XML file.

Cyb3rWard0g_23-1624563350647.png

I like to document my XPath queries first in this format because it expedites the validation of the XPath queries locally on a Windows endpoint. You can use that XML file in a PowerShell command to query Windows Security events and make sure there are no syntax issues:

[xml]$scheduledjobs = Get-Content .\scheduled-job.xml
Get-WinEvent -FilterXml $scheduledjobs

Cyb3rWard0g_0-1624585337804.png

Translate XML Query Lists to DCR Data Source:

Finally, once the XPath queries have been validated, we could simply extract them from the XML files and put them in a format that can be used in ARM templates to create DCRs. Do you remember the dataSources property of the DCR Azure resource we talked about earlier? What if we could get the values of the windowsEventLogs data source directly from a file instead of hardcoding them in an ARM template? The example below is how it was previously being hardcoded.

"dataSources": {
  "windowsEventLogs": [
    {
      "name": "eventLogsDataSource",
      "scheduledTransferPeriod": "PT5M",
      "streams": [
        "Microsoft-SecurityEvent"
      ],
      "xPathQueries": [
        "Security!*[System[(EventID=4624)]]"
      ]
    }
  ]
}

We could use the XML files created after processing the OSSEM DM relationships mapped to ATT&CK data sources and create the following document. We can then pass the URL of the document as a parameter in an ARM template to deploy our lab environment:

Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/ossem-attack.json

Wait! How Do You Create the Document?

The OSSEM team (https://github.com/OTRF/OSSEM) is contributing and maintaining the JSON file from the previous section in the Azure Sentinel2Go repository (https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/ossem-attack.json). However, if you want to go through the whole process on your own, Jose Rodriguez (@Cyb3rpandah, https://twitter.com/Cyb3rPandaH) was kind enough to write down every single step to get to that output file in the following blog post:

OSSEM Detection Model: Leveraging Data Relationships to Generate Windows Event XPath Queries (openthreatresearch.com): https://blog.openthreatresearch.com/ossem_generation_xpath_queries

Ok, But, How Do I Pass the JSON File to Our Initial ARM Template?

In our initial ARM template (https://github.com/OTRF/Azure-Sentinel2Go/blob/master/grocery-list/Win10/demos/Win10-DCR-AzureResource.json#L159), we had the XPath query as an ARM template variable, as shown in the image below.

Cyb3rWard0g_1-1624585923557.png

We could also have it as a template parameter. However, that is not flexible enough to define multiple DCRs or even update the whole DCR Data Source object (think about future coverage beyond Windows logs).

Data Collection Rules – CREATE API

For more complex use cases, I would use the DCR Create API (https://docs.microsoft.com/en-us/rest/api/monitor/data-collection-rules/create). This can be executed via a PowerShell script, which can also be used inside of an ARM template via deployment scripts (https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template). Keep in mind that the deployment script resource requires an identity to execute the script. This managed identity of type user-assigned (https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) can be created at deployment time and used to create the DCRs programmatically.

PowerShell Script

If you have an Azure Sentinel instance without the data connector enabled, you can use the following PowerShell script to create DCRs in it: https://github.com/OTRF/Azure-Sentinel2Go/blob/master/resources/scripts/Create-DataCollectionRules.ps1. This is good for testing, and it also works in ARM templates.

Keep in mind that you would need a file where you define the structure of the windowsEventLogs data source object used in the creation of DCRs. We created that in the previous section, remember? Here is where we can use the OSSEM Detection Model XPath Queries file ;)

Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com): https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/ossem-attack.json

FileExample.json

{
  "windowsEventLogs": [
    {
      "Name": "eventLogsDataSource",
      "scheduledTransferPeriod": "PT1M",
      "streams": [
        "Microsoft-SecurityEvent"
      ],
3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%20%20%20%20%20%20%22xPathQueries%22%3A%26nbsp%3B%20%5B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5141)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5137)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D5136%20or%26nbsp%3BEventID%3D5139)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4688)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4660)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4656%20or%26nbsp%3BEventID%3D4661)%5D%5D%22%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22Security!*%5BSystem%5B(EventID%3D4670)%5D%5D%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3
B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%20%20%20%20%20%20%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%20%5D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERun%20Script%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EOnce%20you%20have%20a%20JSON%20file%20similar%20to%20the%20one%20in%20the%20previous%20section%2C%20you%20can%20run%20the%20script%20from%20a%20PowerShell%20console%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%5CCreate-DataCollectionRules.ps1%20-WorkspaceId%26nbsp%3Bxxxx%26nbsp%3B-WorkspaceResourceId%26nbsp%3Bxxxx%26nbsp%3B-ResourceGroup%26nbsp%3BMYGROUP%20-Kind%20Windows%20-DataCollectionRuleName%26nbsp%3BWinDCR%26nbsp%3B-DataSourcesFile%26nbsp%3BFileExample.json%26nbsp%3B-Location%26nbsp%3Beastus%26nbsp%3B%E2%80%93verbose%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOne%20thing%20to%20remember%20is%26nbsp%3Bthat%20you%20can%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eonly%20have%2010%20Data%20Collection%20rules%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20That%20is%20different%20than%26nbsp%3B%3C%
2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EXPath%20queries%20inside%20of%20one%20DCR%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20If%20you%26nbsp%3Battempt%20to%26nbsp%3Bcreate%20more%20than%2010%20DCRs%2C%20you%20will%20get%20the%20following%20error%20message%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3EERROR%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EVERBOSE%3A%26nbsp%3B%40%7BHeaders%3DSystem.Object%5B%5D%3B%20Version%3D1.1%3B%26nbsp%3BStatusCode%3D400%3B%20Method%3DPUT%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EContent%3D%7B%22error%22%3A%7B%22code%22%3A%22InvalidPayload%22%2C%22message%22%3A%22Data%26nbsp%3Bcollection%20rule%20is%26nbsp%3Binvalid%22%2C%22details%22%3A%5B%7B%22code%22%3A%22InvalidProperty%22%2C%22message%22%3A%22'Data%26nbsp%3BSources.%20Windows%20Event%20Logs'%20item%20count%20should%20be%2010%20or%20less.%20Specified%20list%20has%2011%20items.%22%2C%22target%22%3A%22Properties.DataSources.WindowsEventLogs%22%7D%5D%7D%7D%7D%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlso%2C%20if%20you%20have%20duplicate%20XPath%20queries%20in%20one%20DCR%2C%20you%20would%26nbsp%3Bget%20the%20following%20message%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201
341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22none%22%3EERROR%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EVERBOSE%3A%26nbsp%3B%40%7BHeaders%3DSystem.Object%5B%5D%3B%20Version%3D1.1%3B%26nbsp%3BStatusCode%3D400%3B%20Method%3DPUT%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EContent%3D%7B%22error%22%3A%7B%22code%22%3A%22InvalidPayload%22%2C%22message%22%3A%22Data%26nbsp%3Bcollection%20rule%20is%26nbsp%3Binvalid%22%2C%22details%22%3A%5B%7B%22code%22%3A%22InvalidDataSource%22%2C%22message%22%3A%22'X%26nbsp%3BPath%20Queries'%20items%20must%20be%20unique%20(case-insensitively).%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDuplicate%20names%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3ESecurity!*%5BSystem%5B(EventID%3D4688)%5D%5D%2CSecurity!*%5BSystem%5B(EventID%3D4656)%5D%5D.%22%2C%22target%22%3A%22Properties.DataSources.WindowsEventLogs%5B0%5D.XPathQueries%22%7D%5D%7D%7D%7D%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-2119757199%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850
158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%20id%3D%22toc-hId-850158314%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EARM%20Template%3A%26nbsp%3BDeploymentScript%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3BResource%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20that%20you%20know%20how%20to%20use%20a%20PowerShell%20script%20to%20create%20DCRs%20directly%20to%20your%20Azure%20Sentinel%20instance%2C%20we%20can%20use%20it%20inside%20of%20an%20ARM%20template%20and%20make%20it%20point%20to%20the%20JSON%20file%20that%20contains%20all%20the%20XPath%20queries%20in%20the%20right%20format%20contributed%20by%20the%20OSSEM%20DM%20project.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20the%20template%20I%20use%20to%20put%20it%20all%20together%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-DeploymentScript.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-312302736%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%22%20id%3D%22toc-hId--957296149%2
2%3E%3CSPAN%20data-contrast%3D%22none%22%3EWhat%20about%20the%20DCR%20Associations%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20still%20need%20to%20associate%20the%20DCR%20with%20a%20virtual%20machine.%20However%2C%20we%20can%20keep%20doing%20that%20within%20the%20template%20leveraging%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Fassociation.json%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDCRAs%20Azure%20resource%20linked%20template%3C%2FA%3E%26nbsp%3Binside%20of%20the%20main%20template.%20Just%20in%20case%20you%20were%20wondering%20how%20I%20call%20the%20linked%20template%20from%20the%20main%20template%2C%20I%20do%20it%20this%20way%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json%23L285-L311%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2FWin10-DCR-DeploymentScript.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_2-1624586850130.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291168i404F0CE22E18FBD6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_2-1624586850130.png%22%20alt%3D%22Cyb3rWard0g_2-1624586850130.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22
toc-hId--1624234446%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%20id%3D%22toc-hId-1401133965%22%3EHow%20Do%20I%20Deploy%20the%20New%20Template%3F%3C%2FH2%3E%0A%3CP%3EThe%20same%20way%20how%20we%20deployed%20the%20initial%20one.%20If%20you%20want%20the%20Easy%20%3CSTRONG%3EButton%3C%2FSTRONG%3E%20%2C%20then%20simply%20browse%20to%20the%20URL%20below%20and%20click%20on%20the%20blue%20button%20highlighted%20in%20the%20image%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELink%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fgrocery-list%2FWin10%2Fdemos%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_3-1624587103977.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291170i2157EE960113AC9D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_3-1624587103977.png%22%20alt%3D%22Cyb3rWard0g_3-1624587103977.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWait%205-10%20mins!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_4-1624587184135.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291171i20D07D5FC684077E%2
Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_4-1624587184135.png%22%20alt%3D%22Cyb3rWard0g_4-1624587184135.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnjoy%20it!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Cyb3rWard0g_6-1624588013944.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291174i48700DF747FD1EE3%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Cyb3rWard0g_6-1624588013944.png%22%20alt%3D%22Cyb3rWard0g_6-1624588013944.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThat%E2%80%99s%20it!%26nbsp%3BYou%20now%20know%20two%20ways%20to%20deploy%20and%20test%20the%20new%20data%20connector%20and%20%3CSTRONG%3EData%20Collection%20Rules%3C%2FSTRONG%3E%20features%20with%20%3CSTRONG%3EXPath%20queries%20capabilities%3C%2FSTRONG%3E.%20I%20hope%20this%20was%20useful.%26nbsp%3BThose%20were%20all%20my%20notes%20while%20testing%20and%20developing%20templates%20to%20create%20a%20lab%20environment%20so%20that%20you%20could%20also%20expedite%20the%20testing%20process!%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFeedback%20is%20greatly%20appreciated!%20Thank%20you%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FOSSEM%22%20target%3D%22_s
elf%22%20rel%3D%22noopener%20noreferrer%22%3EOSSEM%20team%3C%2FA%3E%20and%20the%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FOTR_Community%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EOpen%20Threat%20Research%20(OTR)%20community%3C%2FA%3E%20for%20helping%20us%20operationalize%20the%20research%20they%20share%20with%20the%20community!%20Thank%20you%2C%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FCyb3rPandaH%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EJose%20Rodriguez%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-863278387%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%20id%3D%22toc-hId--406320498%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3EDemo%20Links%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fgrocery-list%2FWin10%2Fdemos%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzur
e-Sentinel2Go%2Ftree%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-collection-rules%2Frules%2Fossem-attack%2Fossem-attack.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel2Go%2Fossem-attack.json%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--246014135%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%20id%3D%22toc-hId-2081192335%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EReferences%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%22
1%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.w3schools.com%2Fxml%2Fxpath_intro.asp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EXPath%20Tutorial%20(w3schools.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fagents%2Fdata-collection-rule-azure-monitor-agent%23limit-data-collection-with-custom-xpath-queries%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConfigure%20data%20collection%20for%20the%20Azure%20Monitor%20agent%20(preview)%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fagents%2Fdata-collection-rule-overview%3Fbranch%3Dmain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EData%20Collection%20Rules%20in%20Azure%20Monitor%20(preview)%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%2
6quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%224%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%3Fbranch%3Dmain%26amp%3Btabs%3DLAA%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConnect%20Windows%20security%20event%20data%20to%20Azure%20Sentinel%20(tabbed%20version)%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Fconnect-windows-security-events%3Fbranch%3Dmain%26amp%3Btabs%3DAMA%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConnect%20Windows%20security%20event%20data%20to%20Azure%20Sentinel%20(tabbed%20version)%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Ftemplates%
2Fmicrosoft.insights%2Fdatacollectionruleassociations%3Ftabs%3Djson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft.Insights%2FdataCollectionRuleAssociations%20-%20ARM%20template%20reference%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fask-the-directory-services-team%2Fadvanced-xml-filtering-in-the-windows-event-viewer%2Fba-p%2F399761%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdvanced%20XML%20filtering%20in%20the%20Windows%20Event%20Viewer%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%224%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fwes%2Fconsuming-events%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConsuming%20Events%20(Windows%20Event%20Log)%20-%20Win32%20apps%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPA
N%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fagents%2Fazure-monitor-agent-overview%3Ftabs%3DCLI1%2CCLI2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Monitor%20agent%20overview%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-monitor%2Fa-powerful-agent-for-azure-monitor-and-a-simpler-world-of-data%2Fba-p%2F2443285%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EA%20powerful%20agent%20for%20Azure%20Monitor%20and%20a%20simpler%20world%20of%20data%20collection%3B%20now%20generally%20available!%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2244%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fmonitor%2Fdata-collection-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast
- Data Collection Rules - REST API (Azure Monitor) | Microsoft Docs
- Data Collection Rule Associations - REST API (Azure Monitor) | Microsoft Docs: https://docs.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations
- XML Path Language (XPath) (w3.org): https://www.w3.org/TR/1999/REC-xpath-19991116/#predicates

- Managed identities for Azure resources | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types
- Configure managed identities using the Azure portal - Azure AD | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm

Comments

Re: Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!

Thank you @Cyb3rWard0g for the Awesome Blogpost and Sharing with the Community :cool:

Re: Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!

Thank you @James van den Berg! I appreciate the feedback :)

Re: Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!

This is bloody amazing 👏

Re: Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!

@Cyb3rWard0g when I view the Sentinel2Go readme page, I don't see anything for the DCR deployments. Have they been removed?
Last update: Jun 24 2021 08:11 PM