Update Windows Events Data Collection to Data Collection Rules (DCR) and XPath Queries

[Cyb3rWard0g]

A New Version of the Windows Security Events Connector?

According to Microsoft docs, the new Windows Security Events connector lets you stream security events from any Windows server (physical or virtual, on-premises or in any cloud) connected to your Azure Sentinel workspace. There are now two versions of this connector:

• Security events (legacy version): Based on the Log Analytics Agent (Usually known as the Microsoft Monitoring Agent (MMA) or Operations Management Suite (OMS) agent).
• Windows Security Events (new version): Based on the new Azure Monitor Agent (AMA).

Other Windows Event Providers

We also need to use DCRs to handle the collection of events from other Windows event providers besides Microsoft-Windows-Security-Auditing

References:

• https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369
• https://github.com/OTRF/Blacksmith/blob/master/templates/azure/Data-Collection-Rules/azuredeploy.json
• https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
• https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview