Hyacienth Ugochukwu

How To Configure A Data Connector Data Collection Rule

A Data Collection Rule (DCR) in Azure Monitor is a set of instructions that defines how to collect and process telemetry sent to Azure Monitor. DCRs specify what data should be collected, how to transform it, and where to send it. They can be used for many purposes, including:

- Consistent configuration
- Scalable configuration options
- Edge pipeline
- High-end scalability
- Layered network configurations
- Periodic connectivity

In this article, we will be looking at how to configure a Microsoft Sentinel deployment so that it meets the following requirements:

a. Configure the Windows Security Events via AMA connector to collect all security events from a single virtual machine only.
b. Create a near-real-time (NRT) query rule that generates an incident based on the following query.

```kql
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
```

c. Create an automation rule that assigns Operator1 the Owner role for incidents that are generated by the NRT rule.

Task 1 - Configure Data Collection rules (DCRs) in Microsoft Sentinel
Configure a Windows Security Events via AMA connector.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.
  2. Search for and select Windows Security Events via AMA.
  3. Select Open connector page.
  4. In the Configuration area, select +Create data collection rule.
  5. On the Basics tab, enter a Rule Name.
  6. On the Resources tab, expand your subscription and the RG1 resource group in the Scope column.
  7. Select the resource (the single virtual machine) that you want to collect from, and then select Next: Collect >.
  8. On the Collect tab, leave the default of All Security Events.
  9. Select Next: Review + create >, then select Create.
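The wizard above produces an Azure Monitor DCR resource plus one association that binds it to the chosen VM. The following added example (not code from the article) embeds a constructed DCR and association in the shape the Azure Monitor API uses for "All Security Events" (stream `Microsoft-SecurityEvent`, XPath `Security!*`) and checks that the deployment meets requirement (a): every security event is collected, it is routed to a Log Analytics workspace, and exactly one VM is associated. The resource ids, resource names, the API version and the exact document shape are assumptions for illustration.

```python
"""Validate a Windows Security Events via AMA data collection rule (DCR).

Added example, not part of the article. The DCR and association below are
constructed to mirror what the Sentinel connector wizard creates when
"All Security Events" is chosen; ids, names and the API version are assumed.
"""
import json

# Assumed resource ids; placeholders stand in for real subscription/workspace names.
WORKSPACE_ID = ("/subscriptions/<subscription-id>/resourceGroups/RG1/providers/"
                "Microsoft.OperationalInsights/workspaces/<workspace-name>")
VM1_ID = ("/subscriptions/<subscription-id>/resourceGroups/RG1/providers/"
          "Microsoft.Compute/virtualMachines/VM1")
DCR_ID = ("/subscriptions/<subscription-id>/resourceGroups/RG1/providers/"
          "Microsoft.Insights/dataCollectionRules/dcr-winsec-vm1")

# Constructed DCR: collect every event of the Security log and send it to the workspace.
DCR = {
    "type": "Microsoft.Insights/dataCollectionRules",
    "apiVersion": "2022-06-01",
    "name": "dcr-winsec-vm1",
    "location": "eastus",
    "properties": {
        "dataSources": {
            "windowsEventLogs": [{
                "name": "securityEvents",
                "streams": ["Microsoft-SecurityEvent"],
                "xPathQueries": ["Security!*"],   # "All Security Events" in the wizard
            }]
        },
        "destinations": {
            "logAnalytics": [{"name": "sentinelWorkspace",
                              "workspaceResourceId": WORKSPACE_ID}]
        },
        "dataFlows": [{"streams": ["Microsoft-SecurityEvent"],
                       "destinations": ["sentinelWorkspace"]}],
    },
}

# Constructed association: the DCR is bound to exactly one virtual machine.
ASSOCIATIONS = [{
    "type": "Microsoft.Insights/dataCollectionRuleAssociations",
    "apiVersion": "2022-06-01",
    "name": "dcra-winsec-vm1",
    "scope": VM1_ID,
    "properties": {"dataCollectionRuleId": DCR_ID},
}]


def validate_dcr(dcr: dict, associations: list) -> list:
    """Return a list of findings; an empty list means requirement (a) is met."""
    findings = []
    props = dcr.get("properties", {})
    sources = props.get("dataSources", {}).get("windowsEventLogs", [])
    streams = {s for src in sources for s in src.get("streams", [])}
    xpaths = {x for src in sources for x in src.get("xPathQueries", [])}

    if "Microsoft-SecurityEvent" not in streams:
        findings.append("Microsoft-SecurityEvent stream is not collected")
    if "Security!*" not in xpaths:
        findings.append("Security log is filtered; expected 'Security!*' (all security events)")

    # The stream must actually be routed to a Log Analytics destination.
    dest_names = {d["name"] for d in props.get("destinations", {}).get("logAnalytics", [])}
    routed = any("Microsoft-SecurityEvent" in flow.get("streams", [])
                 and dest_names & set(flow.get("destinations", []))
                 for flow in props.get("dataFlows", []))
    if not routed:
        findings.append("no data flow routes Microsoft-SecurityEvent to a Log Analytics workspace")

    # Requirement (a): one VM only. Extra associations widen the collection scope.
    vm_scopes = [a["scope"] for a in associations if "/virtualMachines/" in a.get("scope", "")]
    if len(vm_scopes) != 1:
        findings.append(f"expected exactly one VM association, found {len(vm_scopes)}")
    return findings


if __name__ == "__main__":
    print(json.dumps(DCR, indent=2))
    problems = validate_dcr(DCR, ASSOCIATIONS)
    print("OK: requirement met" if not problems else "\n".join(problems))
```

Running the check against the exported DCR and its associations (for example, the JSON returned by the Azure REST API or the portal's Export template view) is a quick way to confirm that nobody later narrowed the XPath filter or associated the rule with additional machines.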

Task 2 - Create a near real-time (NRT) query detection
Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
  2. Select + Create, then NRT query rule (Preview).
  3. Enter a Name for the rule, and select Privilege Escalation from Tactics and Techniques.
  4. Select Next: Set rule logic >.
  5. Enter the KQL query into the Rule query form:

```kql
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
```

  6. Select Next: Incident settings, and then select Next: Automated response.
  7. Select Next: Review + Create.
  8. When validation is complete, select Save.
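To make clear what the rule fires on, here is an added example (not code from the article) that applies the same logic as the KQL query to a few constructed SecurityEvent rows. Event 4732 is "A member was added to a security-enabled local group": in that event TargetAccount is the group that was changed, MemberName is the principal that was added, and SubjectAccount is the account that made the change, so the summary built below is the information an analyst wants in the resulting incident. The rows and the `nrt_rule` and `alert_summary` names are constructed for illustration; in a real workspace Microsoft Sentinel evaluates the KQL itself.

```python
"""Apply the NRT rule's logic to constructed SecurityEvent rows.

Added example, not part of the article. Sentinel runs the KQL query itself;
this reproduces its two filters in Python to show which rows match.
"""

# The KQL literal "Builtin\\Administrators" is the single-backslash value stored
# in the column; a Python raw string spells the same value.
TARGET_GROUP = r"Builtin\Administrators"

# Constructed rows shaped like the SecurityEvent table (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Computer": "VM1", "EventID": 4732,
     "TargetAccount": r"Builtin\Administrators",
     "MemberName": r"CONTOSO\svc-backup", "SubjectAccount": r"CONTOSO\jsmith"},
    # Same event id, different local group: not matched.
    {"TimeGenerated": "2024-05-01T10:01:00Z", "Computer": "VM1", "EventID": 4732,
     "TargetAccount": r"Builtin\Remote Desktop Users",
     "MemberName": r"CONTOSO\helpdesk1", "SubjectAccount": r"CONTOSO\jsmith"},
    # Member removed (4733) from Administrators: not matched by this rule.
    {"TimeGenerated": "2024-05-01T10:02:00Z", "Computer": "VM1", "EventID": 4733,
     "TargetAccount": r"Builtin\Administrators",
     "MemberName": r"CONTOSO\svc-backup", "SubjectAccount": r"CONTOSO\jsmith"},
    # KQL == is case-sensitive, so a differently cased value does not match either.
    {"TimeGenerated": "2024-05-01T10:03:00Z", "Computer": "VM1", "EventID": 4732,
     "TargetAccount": r"BUILTIN\Administrators",
     "MemberName": r"CONTOSO\tempadmin", "SubjectAccount": r"CONTOSO\jsmith"},
]


def nrt_rule(events):
    """Equivalent of:
    SecurityEvent | where EventID == 4732 | where TargetAccount == "Builtin\\Administrators"
    """
    return [e for e in events
            if e["EventID"] == 4732 and e["TargetAccount"] == TARGET_GROUP]


def alert_summary(event):
    """One line describing who added whom to the group, for the incident description."""
    return (f"{event['TimeGenerated']} {event['Computer']}: {event['SubjectAccount']} "
            f"added {event['MemberName']} to {event['TargetAccount']}")


if __name__ == "__main__":
    for match in nrt_rule(SAMPLE_EVENTS):
        print(alert_summary(match))
```

Because the query uses `==`, only rows whose TargetAccount is spelled exactly `Builtin\Administrators` match; if the workspace stores the value with different casing, `=~` (case-insensitive equality) would be the operator to use instead.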

Task 3 - Configure automation in Microsoft Sentinel
Configure automation in Microsoft Sentinel.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Automation.
  2. Select + Create, then Automation rule.
  3. Enter an Automation rule name, and select Assign owner from Actions.
  4. Assign the user that you want to use as the owner (Operator1 in this scenario).
  5. Select Apply.

Note that an automation rule whose conditions are left at their defaults applies to every new incident; to satisfy requirement (c) only incidents generated by the NRT rule should be matched.
