Shortcut Way to Create Your XPath Queries for Azure Sentinel DCRs

I talked recently about XPath queries in relation to the new Windows Security Events Data Connector in Azure Sentinel. To catch up on that discussion, see: How to Limit What Azure Sentinel Collects from Windows Systems.

XPath queries are something you’ll need to become comfortable creating in order to use Data Collection Rules (DCRs), which are part of the new agent, the Azure Monitor Agent (AMA).

Learn more about XPath queries: Configure data collection for the Azure Monitor agent (preview) – Azure Monitor | Microsoft Docs

However, there’s a shortcut (cheater’s) trick to creating your XPath queries using good, old Event Viewer.

Open up Event Viewer on any Windows system and select the log file where you want to pull Event IDs from.

[1] Choose the Filter Current Log… option, then [2] enter the Event IDs you want to collect, and then [3] go to the XML tab in the filter to find the XPath query.

Create your XPath query in Event Viewer

Lastly, take the XPath query part (as shown in the next image), and copy and paste it into your new DCR in the Windows Security Events Data Connector.

Copy/Paste the Event Viewer XPath query
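As an added example (not part of the original post), here is a small Python helper that takes the XML shown on Event Viewer's XML tab and pulls out just the XPath query part, in the Channel!XPath form that a DCR's xPathQueries list uses. The sample XML is constructed, and the Channel!XPath form and the rejection of Suppress elements are assumptions about the DCR format rather than something the post states.

```python
# Added example: extract DCR-ready XPath queries from Event Viewer's filter XML.
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: what the XML tab shows after filtering the Security log
# for Event IDs 4624 and 4625.
EVENT_VIEWER_XML = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>"""


def dcr_xpath_queries(query_list_xml: str) -> List[str]:
    """Return each <Select> as 'Channel!XPath', the form assumed for a DCR's xPathQueries.

    Assumption: DCR windowsEventLogs data sources take Select-style expressions only,
    so a <Suppress> element (Event Viewer's "exclude" filter) is rejected rather than
    silently dropped, which would otherwise widen what the rule collects.
    """
    root = ET.fromstring(query_list_xml)
    if root.tag != "QueryList":
        raise ValueError("expected a <QueryList> document from Event Viewer's XML tab")
    queries = []
    for query in root.findall("Query"):
        if query.find("Suppress") is not None:
            raise ValueError("<Suppress> has no DCR equivalent; re-filter using Select only")
        for select in query.findall("Select"):
            # The channel comes from the Select's Path, falling back to the Query's Path.
            channel = select.get("Path") or query.get("Path")
            xpath = (select.text or "").strip()
            if not channel or not xpath:
                raise ValueError("Select element is missing its Path or XPath text")
            queries.append(f"{channel}!{xpath}")
    return queries


if __name__ == "__main__":
    for q in dcr_xpath_queries(EVENT_VIEWER_XML):
        print(q)
```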
