
Task 2.3: Set up a data connector for Windows

Here we’ll connect Security Events via AMA and create a data collection rule for our Windows machine. The Azure Monitor agent (AMA) uses data collection rules (DCRs) to define which data is collected from each agent. Data collection rules let you manage collection settings at scale for different groups of environments or machines, which results in lower cost and fewer events.

The following documents may help you complete this task.


  1. Return to the Microsoft Sentinel Data connectors page by selecting it in the breadcrumb navigation at the top of the page.

    Data-connectors-breadcrumb-data-connectors.png

  2. On the Data connectors page, select More content at Content hub.

    E1-T2a-S2-More-Content-At-Content-Hub.png

  3. On the Content hub page, select the Provider filter and unselect the All checkbox.

  4. In the Search box, enter Microsoft, select Microsoft, and then select Apply.

    E1-T2a-S3-Provider-Microsoft.png

  5. On the Content hub page, in the Search box, enter Windows Security Events, and then select Windows Security Events from the results.

  6. On the Windows Security Events details page, review the description, and then select Install.

    install-windowssecurityevents.png

  7. When the installation of the Windows Security Events connector has completed, select Microsoft Sentinel Data connectors on the breadcrumb navigation at the top of the page to return to the Data connectors page.

    Data-connectors-breadcrumb.png

  8. On the Microsoft Sentinel Data connectors page, in the Search by name or provider search box, enter Windows Security Events.

    data-connectors-windows-security-events.png

    If the Windows Security Events via AMA data connector does not appear in the list, select Refresh from the menu.

  9. Select the Windows Security Events via AMA connector to configure the Windows Security Events connector.

  10. On the right, on the Windows Security Events via AMA pane, select Open connector page.

  11. On the Windows Security Events via AMA page, in the Configuration section, select +Create data collection rule.

    amacreatedatacollectionrule.png

  12. On the Create Data Collection Rule panel, on the Basics tab, in the Rule Name box, enter windowsdata.

  13. Verify that the subscription is set to @lab.CloudSubscription.Name and the Resource Group is set to @lab.CloudResourceGroup(RG1).Name, and then select Next : Resources >.

  14. On the Resources tab, expand @lab.CloudSubscription.Name, and then expand @lab.CloudResourceGroup(RG1).Name.

  15. Select the Windows1 Virtual machine scope checkbox, and then select Next : Collect >.

    selectwinscope.png

  16. On the Collect tab, leave the All Security Events option selected, and then select Next : Review + create >.

  17. Once the validation has passed, on the Review + create tab, select Create.

  18. On the Windows Security Events AMA page, in the Configuration section, select Refresh until the data collection rule windowsdata is shown in the list.

    refreshconfiguration.png
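
To confirm that the windowsdata rule is actually delivering events, you can run a query such as the following in the Microsoft Sentinel Logs blade. This is an added example, not part of the original lab; it assumes the virtual machine reports a Computer name that starts with Windows1 and that events land in the standard SecurityEvent table.

```kql
// Added verification query (not from the original lab).
// Assumption: the VM selected in step 15 reports a Computer name starting with "Windows1".
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer startswith "Windows1"
// How long each event took to reach the workspace after it was generated.
| extend IngestionDelay = ingestion_time() - TimeGenerated
| summarize
    Events            = count(),
    DistinctEventIDs  = dcount(EventID),
    SampleEventIDs    = make_set(EventID, 20),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated),
    MaxIngestionDelay = max(IngestionDelay)
    by Computer
// A large value here means the agent has stopped sending or never started.
| extend MinutesSinceLastEvent = datetime_diff('minute', now(), LastSeen)
| project Computer, Events, DistinctEventIDs, SampleEventIDs,
          FirstSeen, LastSeen, MinutesSinceLastEvent, MaxIngestionDelay
```

An empty result immediately after creating the rule does not necessarily indicate a failure; allow some time for the agent to receive the rule and for the first events to be ingested, then run the query again.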