Collecting Security Events with the Azure Monitor Agent (AMA)

The Log Analytics agent (MMA) was officially retired on 31 August 2024 and has been succeeded by the Azure Monitor Agent (AMA). When you create a Data Collection Rule (DCR) in the Azure Portal, Windows event logs (the Security log included) are ingested into the Event table. That table is not covered by the 500 MB per node per day free ingestion allowance that comes with Defender for Servers Plan 2 (DfS P2), so Security events collected that way are billed in full.

This blog post covers how to collect Windows Security event logs into the SecurityEvent table instead, so that you can take advantage of the daily free data ingestion allowance offered as part of DfS P2.

Pre-Defined Event Filter (Event Sets)

The Add-AMASecurityEventDCR.ps1 script (covered below) comes with 3 pre-defined event sets:

  • AllEvents
    • All Security and AppLocker events.
    • Generates high volumes of data (4688 process creation and 4663 object access alone can dominate ingestion on busy hosts).
  • Minimal
    • Small set of critical events.
  • Common
    • Broader coverage than Minimal.

Both the Minimal and Common event sets are designed to address typical customer scenarios, based on customer and industry standards for the unfiltered frequency of each event and its usage. You can find further details here.

Collection Type   Event IDs

Minimal           1102,4624,4625,4657,4663,4688,4700,4702,4719,4720,4722,4723,4724,4727,4728,4732,4735,
                  4737,4739,4740,4754,4755,4756,4767,4799,4825,4946,4948,4956,5024,5033,8001,8002,8003,
                  8004,8005,8006,8007,8222

Common            1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,
                  4614,4622,4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,
                  4673,4674,4675,4689,4697,4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,
                  4726,4727,4728,4729,4733,4732,4735,4737,4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,
                  4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,4774,4778,4779,4781,4793,4797,4798,
                  4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,4904,4905,4907,4931,
                  4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,6273,
                  6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004

Event IDs 8001 to 8007 and 8222 are AppLocker events and live in the Microsoft-Windows-AppLocker channels rather than the Security log; the script handles both channels when you pick a pre-defined set.

Creating the Data Collection Rule (DCR) with PowerShell

Prerequisites

  • Run the script with an account that has the Monitoring Contributor role on the target resource group (the DCR is created there) and read access to the Log Analytics workspace.
  • Enable Defender for Servers Plan 2 on your subscription and at the Log Analytics workspace level; the free allowance only applies to machines covered by the plan.

We’ll be using the Add-AMASecurityEventDCR.ps1 PowerShell script available on Microsoft’s GitHub. It creates a new Data Collection Rule that collects Windows Security events into the SecurityEvent table. Note that it only creates the DCR; you will still need to install the Azure Monitor Agent and create a Data Collection Rule Association (DCRA) for each machine you wish to collect from, and you should make sure no other DCR is also sending the Security log to the Event table, or you will pay for the same events twice.

./Add-AMASecurityEventDCR.ps1 `
  -DcrName "<DCR name>" `
  -ResourceGroup "<DCR resource group>" `
  -SubscriptionId "<DCR subscription>" `
  -Region "<DCR region>" `
  -LogAnalyticsWorkspaceARMId "<Log Analytics Workspace ARM resource ID>" `
  -EventFilter AllEvents|Common|Minimal|Custom `
  [-CustomEventFilter "<XPath query 1>","<XPath query 2>"]

Example 1: Collecting Minimal Security Events

./Add-AMASecurityEventDCR.ps1 `
  -DcrName "cybertoucans-securityevents-dcr" `
  -ResourceGroup "ct-dfs-rg" `
  -SubscriptionId "00000000-0000-0000-0000-000000000000" `
  -Region "eastus" `
  -LogAnalyticsWorkspaceARMId "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/loganalytics-rg/providers/microsoft.operationalinsights/workspaces/myworkspace" `
  -EventFilter Minimal

Example 2: Collecting Custom Security Events with XPath

Optionally you can use XPath to collect a custom set of events. Each entry in -CustomEventFilter uses the DCR form "<Channel>!<XPath>". A quick way to generate the XPath part is Event Viewer: filter the log you want, switch to the XML tab of the filter dialog and copy the query it shows. This is a great blog post on how you can use Event Viewer to quickly create XPath queries.

./Add-AMASecurityEventDCR.ps1 `
  -DcrName "cybertoucans-securityevents-dcr" `
  -ResourceGroup "ct-dfs-rg" `
  -SubscriptionId "00000000-0000-0000-0000-000000000000" `
  -Region "eastus" `
  -LogAnalyticsWorkspaceARMId "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/loganalytics-rg/providers/microsoft.operationalinsights/workspaces/myworkspace" `
  -EventFilter Custom `
  -CustomEventFilter "Microsoft-Windows-AppLocker/MSI and Script!*[System[(EventID=8005) or (EventID=8006) or (EventID=8007)]]", "Security!*[System[(EventID=4754) or (EventID=4755) or (EventID=4756) or (EventID=4757)]]"
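Hand-writing a long XPath filter is error-prone (the original version of Example 2 above was missing its closing brackets), so here is an added example, not part of the original post or of Microsoft's script, that builds the "<Channel>!<XPath>" strings from a plain list of event IDs and then validates each query against the local event log with Get-WinEvent before it is handed to -CustomEventFilter. The event IDs, channel names and the chunk size are assumptions chosen for illustration.

```powershell
# Added example, not from the original post or Microsoft's script.
# Builds DCR-style XPath queries ("<Channel>!<xpath>") from a list of event IDs
# and validates them locally before they are used with -CustomEventFilter.

function New-EventIdXPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Channel,
        [Parameter(Mandatory)][int[]]$EventId,
        # Hypothetical knob: how many IDs to pack into a single query. Splitting
        # a long list keeps each query short; this is not a documented limit.
        [int]$ChunkSize = 20
    )
    $ids = @($EventId | Sort-Object -Unique)
    for ($i = 0; $i -lt $ids.Count; $i += $ChunkSize) {
        $last    = [Math]::Min($i + $ChunkSize, $ids.Count) - 1
        $clauses = ($ids[$i..$last] | ForEach-Object { "(EventID=$_)" }) -join ' or '
        "$Channel!*[System[$clauses]]"
    }
}

function Test-DcrXPathLocally {
    # Runs each DCR query against the local machine. Reading the Security log
    # requires an elevated prompt. "No events were found" is not a syntax error,
    # it just means nothing matched in the local log.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Query,
        [int]$MaxEvents = 5
    )
    process {
        # DCR syntax is "<Channel>!<xpath>"; Get-WinEvent wants the two parts separately.
        $channel, $xpath = $Query -split '!', 2
        try {
            $events = @(Get-WinEvent -LogName $channel -FilterXPath $xpath `
                                     -MaxEvents $MaxEvents -ErrorAction Stop)
            [pscustomobject]@{ Query = $Query; Valid = $true; Sample = $events.Count; Error = $null }
        } catch {
            if ($_.Exception.Message -like '*No events were found*') {
                [pscustomobject]@{ Query = $Query; Valid = $true; Sample = 0; Error = $null }
            } else {
                # Bad XPath, unknown channel, or access denied: do not deploy this one.
                [pscustomobject]@{ Query = $Query; Valid = $false; Sample = 0; Error = $_.Exception.Message }
            }
        }
    }
}

# Constructed example: Kerberos authentication events plus group membership
# changes from the Security log, and AppLocker blocks from the EXE and DLL channel.
# 4769 and 4776 are high volume on domain controllers; budget for that.
$queries = @(
    New-EventIdXPath -Channel 'Security' -EventId 4768,4769,4771,4776,4728,4732,4756
    New-EventIdXPath -Channel 'Microsoft-Windows-AppLocker/EXE and DLL' -EventId 8003,8004
)

$results = $queries | Test-DcrXPathLocally
$results | Format-Table -AutoSize

if ($results.Valid -contains $false) {
    throw 'One or more XPath queries failed local validation; fix them before creating the DCR.'
}

# Pass the validated queries to the script from the post (same parameters as Example 2).
./Add-AMASecurityEventDCR.ps1 `
  -DcrName "cybertoucans-securityevents-dcr" `
  -ResourceGroup "ct-dfs-rg" `
  -SubscriptionId "00000000-0000-0000-0000-000000000000" `
  -Region "eastus" `
  -LogAnalyticsWorkspaceARMId "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/loganalytics-rg/providers/microsoft.operationalinsights/workspaces/myworkspace" `
  -EventFilter Custom `
  -CustomEventFilter $queries
```

Run the validation step on a machine that actually has the channels you are filtering (an AppLocker channel query will fail on a host without AppLocker), and keep in mind that the DCR only decides what is forwarded: if the corresponding audit subcategory is not enabled in the local audit policy, the events never exist to be collected.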
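The script stops at the DCR. To finish the procedure each VM needs the Azure Monitor Agent extension and a Data Collection Rule Association pointing at the new DCR, and you will want to confirm that events are arriving in SecurityEvent (covered by the DfS P2 allowance) rather than Event. The following added example, not part of the original post or of Microsoft's script, does those three steps. The association is created through the ARM REST API with Invoke-AzRestMethod so the example does not depend on the parameter set of a particular Az.Monitor version. All subscription IDs, resource names, VM names and the workspace ID are assumptions.

```powershell
# Added example, not from the original post or Microsoft's script.
# Installs AMA, associates each VM with the DCR, and checks ingestion into
# SecurityEvent. Requires Az.Accounts, Az.Compute and Az.OperationalInsights,
# and an existing Connect-AzAccount session with the rights listed under Prerequisites.

# Assumed identifiers (placeholders, same style as the examples in the post).
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$dcrId          = "/subscriptions/$subscriptionId/resourceGroups/ct-dfs-rg/providers/Microsoft.Insights/dataCollectionRules/cybertoucans-securityevents-dcr"
$workspaceId    = '11111111-1111-1111-1111-111111111111'   # workspace customer ID (GUID), not the ARM resource ID

function Install-AmaWindows {
    # Installs (or updates) the Azure Monitor Agent extension on an Azure VM.
    # Arc-enabled servers use New-AzConnectedMachineExtension instead.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name 'AzureMonitorWindowsAgent' -Publisher 'Microsoft.Azure.Monitor' `
        -ExtensionType 'AzureMonitorWindowsAgent' -TypeHandlerVersion '1.0' `
        -Location $vm.Location -EnableAutomaticUpgrade $true | Out-Null
}

function New-DcrAssociation {
    # PUT {vmResourceId}/providers/Microsoft.Insights/dataCollectionRuleAssociations/{name}
    # Idempotent: re-running with the same name updates the existing association.
    param(
        [Parameter(Mandatory)][string]$TargetResourceId,
        [Parameter(Mandatory)][string]$DataCollectionRuleId,
        [string]$AssociationName = 'securityevents-dcra'
    )
    $path = "$TargetResourceId/providers/Microsoft.Insights/dataCollectionRuleAssociations/$AssociationName" +
            '?api-version=2022-06-01'
    $body = @{ properties = @{ dataCollectionRuleId = $DataCollectionRuleId } } | ConvertTo-Json -Depth 5
    $resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($resp.StatusCode -notin 200, 201) {
        throw "DCRA PUT failed for $TargetResourceId : HTTP $($resp.StatusCode) $($resp.Content)"
    }
    ($resp.Content | ConvertFrom-Json).id
}

function Test-SecurityEventIngestion {
    # Counts events per EventID that reached the SecurityEvent table for one host
    # in the last hour. Computer is usually the FQDN, hence startswith.
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$Computer
    )
    $kql = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer startswith '$Computer'
| summarize Events = count() by EventID
| order by Events desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
}

# Constructed target list; in practice build it from Get-AzVM or a tag query.
$targets = @(
    @{ ResourceGroupName = 'ct-dfs-rg'; VMName = 'dc01' }
    @{ ResourceGroupName = 'ct-dfs-rg'; VMName = 'app01' }
)

foreach ($t in $targets) {
    Install-AmaWindows @t
    $vmId = (Get-AzVM -ResourceGroupName $t.ResourceGroupName -Name $t.VMName).Id
    $dcraId = New-DcrAssociation -TargetResourceId $vmId -DataCollectionRuleId $dcrId
    Write-Host "Associated $($t.VMName) -> $dcraId"
}

# The agent picks up new DCRs within a few minutes. After that, verify the
# events land in SecurityEvent; an empty result with events visible in the
# Event table means a portal-created DCR is still in play.
Test-SecurityEventIngestion -WorkspaceId $workspaceId -Computer 'dc01' | Format-Table -AutoSize
```

If the check returns nothing, look at the AMA extension status on the VM and at the Heartbeat table first; a missing system-assigned managed identity on the VM is the most common reason the agent installs but never sends data.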
