XPath queries are something you will need to be comfortable writing in order to use Data Collection Rules (DCRs), which are part of using the new agent, the Azure Monitor Agent (AMA).
Learn more about XPath queries: Filter events using XPath queries
However, there is a shortcut (cheater's) trick for creating your XPath queries using good old Event Viewer.
Open up Event Viewer on any Windows system and select the log file where you want to pull Event IDs from.
[1] Choose the Filter Current Log… option, then…
[2] enter the Event IDs you want to collect, and then…
[3] go to the XML tab in the filter to find the XPath query.
[4] Lastly, take the XPath query part (as shown in the next image), and copy and paste it into your new DCR in the Windows Security Events Data Connector.
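The steps above end with copying the XPath out of the XML tab by hand. The following PowerShell is an added example, not code from the original post: it takes the XML that Event Viewer's Filter Current Log... > XML tab produces (the sample below is constructed for Event IDs 4624 and 4625 in the Security log), pulls the XPath out of each Select element, checks it against the live log with Get-WinEvent before it goes anywhere near a DCR, and prints the resulting `Channel!XPath` entries in the form a DCR's xPathQueries list expects. The data source name is an assumption; choose your own.

```powershell
# Added example (not from the original post). Constructed sample of what the
# Event Viewer XML tab shows after filtering the Security log on 4624 and 4625.
$eventViewerXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
"@

# Parse the XML. Each <Select> carries the channel in its Path attribute and the
# XPath query Event Viewer built for you as its text.
[xml]$query = $eventViewerXml
$selects = @($query.QueryList.Query.Select)   # force an array for the single-Select case

# A DCR xPathQueries entry has the shape "<Channel>!<XPath>".
$dcrQueries = foreach ($sel in $selects) {
    $channel = $sel.Path
    $xpath   = $sel.InnerText.Trim()
    "$channel!$xpath"
}

Write-Host "xPathQueries entries for the DCR:"
$dcrQueries | ForEach-Object { Write-Host "  $_" }

# Validate each XPath against the live log before committing it to the DCR.
# Reading the Security log needs an elevated session; -MaxEvents keeps the check quick.
foreach ($sel in $selects) {
    $xpath = $sel.InnerText.Trim()
    try {
        $hits = Get-WinEvent -LogName $sel.Path -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop
        Write-Host "$($sel.Path): XPath accepted, $($hits.Count) sample event(s) matched"
    } catch {
        # Either the XPath was rejected by the event log service, or no events matched.
        Write-Warning "$($sel.Path): $($_.Exception.Message)"
    }
}

# The dataSources fragment the DCR needs, built from the same queries.
# "Microsoft-SecurityEvent" is the stream used by the Windows Security Events via AMA
# connector; the data source name is an assumption for this example.
$dcrFragment = @{
    dataSources = @{
        windowsEventLogs = @(
            @{
                name         = "securityEventsFromEventViewer"
                streams      = @("Microsoft-SecurityEvent")
                xPathQueries = @($dcrQueries)
            }
        )
    }
}
$dcrFragment | ConvertTo-Json -Depth 5
```

Running the Get-WinEvent check first catches the common mistake of pasting the whole QueryList XML (or only the `System[...]` part) into the DCR: the event log service applies the same XPath subset that AMA does, so a query it rejects here will collect nothing once deployed.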
Can we also use more properties than are available on the Event Log side for the XPath query? For example, if I want to have greater than or lower than, it doesn't work on the Event Log side because they support only a very limited XPath 1.0 filter set.