Appendix F - Microsoft Sentinel HTTP Log Delivery - DCR ARM Template

In Microsoft Sentinel, Data Collection Rules (DCRs) play a vital role in managing how and where logs and telemetry data are ingested. A DCR defines the routing and transformation of incoming data, ensuring it is processed appropriately and directed to the right destination, such as a Log Analytics workspace.

This section guides you through creating a DCR using a custom Azure Resource Manager (ARM) template. By deploying this template, you configure a rule that enables Snare Central to send event logs via HTTP log delivery to Microsoft Sentinel. The process uses the Azure portal to load, customize, and deploy the template, connecting it to your Log Analytics workspace and Data Collection Endpoint.

Creating a Data Collection Rule for Snare Central’s HTTP Log Delivery to Microsoft Sentinel

  1. Access the Azure Custom Template Service:

    • Navigate to the Azure portal and open the Deploy a custom template service.

  2. Load the DCR ARM Template:

  3. Save the Template:

    • After you paste or load the template, click Save to proceed.

  4. Configure the Subscription and Resource Group:

    • Select the appropriate Subscription and Resource group used by your organization.

  5. Configure the Instance details:

    • Set the appropriate Region.

    • Enter a descriptive Dcr Name (Data Collection Rule Name).

      • e.g. SnareCentral-DCR

    • Provide the Dce Resource Id (Data Collection Endpoint Resource ID).

      • e.g. /subscriptions/01xxxxxx-xxxx-xxxx-…/resourceGroups/…/dataCollectionEndpoints/Sample-sentinel-log-ingestion-name

    • Provide the Log Analytics Workspace Resource Id.

      • e.g. /subscriptions/01xxxxxx-xxxx-xxxx-…/resourcegroups/…/workspaces/Sample-log-analytics-workspace-name

    • Check the Columns definitions for the target table (e.g. Windows Event Columns) and adjust as needed.

    • Provide the Transform Kql for the target table as needed.

  6. Review and Deploy the DCR:

    • Review the configuration details.

    • Review the tables, column definition and modify as necessary.

      • e.g. Windows Event Columns

    • Click Review + create.

    • Once the validation is successful, click Create to deploy the DCR.

  7. Add role assignment:

    • Once your deployment is complete, click Go to resource.

    • On the newly created DCR page, select Access control (IAM).

    • On the Check access page, find Grant access to this resource and click Add role assignment.

    • On the Add role assignment page, select Monitoring Metrics Publisher, then click Next.

    • Select User, group or service principal for Assign access to.

    • Click Select members and, on the Select members page, search for the App name you used in the Microsoft Entra App registration step, choose it, then click Select.

    • Click Review + assign and verify the details then click Review + assign to save your role assignment.

    • Wait for around 15 to 30 minutes (sometimes it takes more than an hour) for the permission to take effect.

For more and up-to-date information, refer to the official Microsoft documentation:

Create Data Collection Rule

Edit and deploy the template

Assign permissions to the DCR

DCR ARM Template Quick Starter Modification Guide

This guide helps you quickly modify the existing DCR ARM Template to support additional stream declarations and data flow routing. Whether you want to route ingested event logs to a new stream or direct them to a new target table in Microsoft Sentinel, it provides the essentials to tailor your DCR configuration to your needs.

To add a new stream that enables Snare Central's HTTP Log Delivery to send event logs to a new Azure Monitor Log Analytics table, follow the steps below to modify the DCR ARM Template content:

  1. Create the columns definition of the target Azure Log Analytics table.

    • In the "parameters" section of the DCR ARM Template, create a new entry similar to windowsEventColumns that defines the columns coming from Snare Central. For example, to send event logs from Snare Central to the Azure Log Analytics Syslog table, see the sample syslogColumns definition entry below.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dcrName": {
            ... // Omitted for brevity
        },
        ... // Omitted for brevity
        "windowsEventColumns": {
            "type": "array",
            "defaultValue": [
                ... // Omitted for brevity
            ]
        },
        // This is the sample new entry for Syslog column definition
        "syslogColumns": {
            "type": "array",
            "defaultValue": [
                { "name": "Computer", "type": "string" },
                { "name": "Facility", "type": "string" },
                ... // Define all the syslog table columns.
            ]
        },
        "windowsEventTransformKql": {
            "defaultValue": "source",
            "type": "String",
            "metadata": {
                "description": "Transformation KQL for WindowsEvent table."
            }
        },
        // This is the sample new entry for Syslog transform KQL
        "syslogTransformKql": {
            "defaultValue": "source",
            "type": "String",
            "metadata": {
                "description": "Transformation KQL for Syslog table."
            }
        }
    },
    ... // Omitted for brevity
}

    • The new column definition is expected to be based on the remapped and normalized columns of the target table.

  2. Add a new streamDeclarations entry that Snare Central's HTTP Log Delivery will use to send events.

    • Under "resources" > "properties" > "streamDeclarations", create a new entry similar to "Custom-WindowsEvent-Stream", e.g. "Custom-Syslog-Stream".

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        ... // Omitted for brevity
    },
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            ... // Omitted for brevity
            "properties": {
                "dataCollectionEndpointId": "[parameters('dceResourceId')]",
                "dataFlows": [
                    {
                        ... // Omitted for brevity
                    }
                ],
                "streamDeclarations": {
                    "Custom-WindowsEvent-Stream": {
                        "columns": "[parameters('windowsEventColumns')]"
                    },
                    // This is the sample new entry for Custom-Syslog-Stream.
                    // syslogColumns is the entry created in the previous step.
                    "Custom-Syslog-Stream": {
                        "columns": "[parameters('syslogColumns')]"
                    }
                },
                "destinations": {
                    ... // Omitted for brevity
                }
            }
        }
    ]
}

  3. Add a new dataFlows entry that defines the flow of event logs from Snare Central to the target Azure Log Analytics table.

    • Under "resources" > "properties" > "dataFlows", create a new entry for the streamDeclarations entry created in the previous step, e.g. "Custom-Syslog-Stream".

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        ... // Omitted for brevity
    },
    "resources": [
        {
            "type": "Microsoft.Insights/dataCollectionRules",
            "apiVersion": "2023-03-11",
            ... // Omitted for brevity
            "properties": {
                "dataCollectionEndpointId": "[parameters('dceResourceId')]",
                "dataFlows": [
                    {
                        "destinations": ["LogAnalyticsDestination"],
                        "outputStream": "Microsoft-WindowsEvent",
                        "streams": ["Custom-WindowsEvent-Stream"],
                        "transformKql": "[parameters('windowsEventTransformKql')]"
                    },
                    // This is the sample new entry for Custom-Syslog-Stream dataFlow.
                    {
                        "destinations": ["LogAnalyticsDestination"],
                        "outputStream": "Microsoft-Syslog",
                        "streams": ["Custom-Syslog-Stream"],
                        "transformKql": "[parameters('syslogTransformKql')]"
                    }
                ],
                "streamDeclarations": {
                    "Custom-WindowsEvent-Stream": {
                        "columns": "[parameters('windowsEventColumns')]"
                    },
                    "Custom-Syslog-Stream": {
                        "columns": "[parameters('syslogColumns')]"
                    }
                },
                "destinations": {
                    "logAnalytics": [
                        {
                            "name": "LogAnalyticsDestination",
                            "workspaceResourceId": "[parameters('workspaceResourceId')]"
                        }
                    ]
                }
            }
        }
    ]
}

  4. Redeploy the modified DCR ARM Template.
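As an added example (not part of the Snare documentation or its templates), the following Python script checks a modified DCR ARM template for the inconsistencies that a partial walk through the steps above leaves behind before you redeploy: a dataFlow that references a stream with no streamDeclarations entry, a column parameter that does not exist, a destination name that does not match, or a TimeGenerated column that is not datetime. The embedded template is a constructed, trimmed two-table sample seeded with two such defects, and corrected_sample() shows the repairs the guide's steps call for.

```python
"""Pre-deployment consistency checks for a Snare Central DCR ARM template (added example)."""
import json
import re

# Constructed sample, not a template from the page: a trimmed two-table DCR with two deliberate
# defects: the Syslog dataFlow references Custom-Syslog-Stream but the streamDeclarations entry
# (step 2 of the guide) was never added, and windowsEventColumns types TimeGenerated as "string".
SAMPLE_TEMPLATE = r'''{
  "parameters": {
    "dcrName": {"type": "string", "defaultValue": "SnareCentral-DCR"},
    "dceResourceId": {"type": "string"}, "workspaceResourceId": {"type": "string"},
    "windowsEventColumns": {"type": "array", "defaultValue": [
      {"name": "Computer", "type": "string"}, {"name": "EventID", "type": "int"},
      {"name": "EventData", "type": "dynamic"}, {"name": "TimeGenerated", "type": "string"}]},
    "syslogColumns": {"type": "array", "defaultValue": [
      {"name": "Computer", "type": "string"}, {"name": "SyslogMessage", "type": "string"},
      {"name": "TimeGenerated", "type": "datetime"}]},
    "windowsEventTransformKql": {"type": "string", "defaultValue": "source"},
    "syslogTransformKql": {"type": "string", "defaultValue": "source"}
  },
  "resources": [{
    "type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2023-03-11",
    "name": "[parameters('dcrName')]", "location": "[resourceGroup().location]",
    "properties": {
      "dataCollectionEndpointId": "[parameters('dceResourceId')]",
      "dataFlows": [
        {"destinations": ["LogAnalyticsDestination"], "outputStream": "Microsoft-WindowsEvent",
         "streams": ["Custom-WindowsEvent-Stream"], "transformKql": "[parameters('windowsEventTransformKql')]"},
        {"destinations": ["LogAnalyticsDestination"], "outputStream": "Microsoft-Syslog",
         "streams": ["Custom-Syslog-Stream"], "transformKql": "[parameters('syslogTransformKql')]"}
      ],
      "streamDeclarations": {
        "Custom-WindowsEvent-Stream": {"columns": "[parameters('windowsEventColumns')]"}
      },
      "destinations": {"logAnalytics": [
        {"name": "LogAnalyticsDestination", "workspaceResourceId": "[parameters('workspaceResourceId')]"}]}
    }
  }]
}'''

# Column types a DCR stream declaration accepts, and the shape of an ARM parameter reference.
COLUMN_TYPES = {"string", "int", "long", "real", "boolean", "datetime", "dynamic"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, parameters):
    """Resolve a "[parameters('x')]" expression to x's defaultValue; other values pass through."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    if not match:
        return value
    if match.group(1) not in parameters:
        raise ValueError(f"parameters('{match.group(1)}') is not declared in the template")
    return parameters[match.group(1)].get("defaultValue")

def check_dcr_template(template_json):
    """Return human-readable findings; an empty list means streams, flows and parameters agree."""
    template = json.loads(template_json)
    parameters = template.get("parameters", {})
    findings = []
    for dcr in template.get("resources", []):
        if dcr.get("type") != "Microsoft.Insights/dataCollectionRules":
            continue
        props = dcr.get("properties", {})
        declared = props.get("streamDeclarations", {})
        destinations = {d.get("name") for d in props.get("destinations", {}).get("logAnalytics", [])}
        # Each declared stream must be named Custom-* and resolve to a well-typed column list.
        for stream, decl in declared.items():
            if not stream.startswith("Custom-"):
                findings.append(f"{stream}: stream declarations must be named Custom-*")
            try:
                columns = resolve(decl.get("columns"), parameters) or []
            except ValueError as exc:
                findings.append(f"{stream}: {exc}")
                continue
            for col in columns:
                if col.get("type") not in COLUMN_TYPES:
                    findings.append(f"{stream}: column {col.get('name')} has unsupported type {col.get('type')!r}")
                elif col.get("name") == "TimeGenerated" and col["type"] != "datetime":
                    findings.append(f"{stream}: TimeGenerated must be datetime, not {col['type']}")
        # Each dataFlow must reference declared streams, existing destinations and a valid table name.
        for flow in props.get("dataFlows", []):
            out = flow.get("outputStream", "")
            for stream in flow.get("streams", []):
                if stream not in declared and not stream.startswith("Microsoft-"):
                    findings.append(f"dataFlow -> {out}: stream {stream} is not declared")
            for dest in flow.get("destinations", []):
                if dest not in destinations:
                    findings.append(f"dataFlow -> {out}: destination {dest} does not exist")
            if not (out.startswith("Microsoft-") or (out.startswith("Custom-") and out.endswith("_CL"))):
                findings.append(f"dataFlow: outputStream {out!r} must be Microsoft-<Table> or Custom-<Table>_CL")
    return findings

def corrected_sample():
    """Apply the two fixes the guide's steps call for and return the repaired template as JSON."""
    template = json.loads(SAMPLE_TEMPLATE)
    template["resources"][0]["properties"]["streamDeclarations"]["Custom-Syslog-Stream"] = {
        "columns": "[parameters('syslogColumns')]"}
    for col in template["parameters"]["windowsEventColumns"]["defaultValue"]:
        if col["name"] == "TimeGenerated":
            col["type"] = "datetime"
    return json.dumps(template)
```

Run check_dcr_template() on the template text you are about to paste into Deploy a custom template; it reports two findings for the seeded sample and none for corrected_sample().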

DCR ARM Template For Single Table (WindowsEvent)

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dcrName": {
      "type": "string",
      "defaultValue": "SnareCentral-DCR",
      "metadata": {
        "description": "The Name of Data Collection Rule (DCR) to be created for ingesting event logs from Snare."
      }
    },
    "dceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of the Data Collection Endpoint (DCE) where event logs from Snare will be sent."
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of Log Analytics workspace where the event logs from Snare will be sent for analysis."
      }
    },
    "windowsEventColumns": {
      "type": "array",
      "defaultValue": [
        { "name": "Channel", "type": "string" },
        { "name": "Computer", "type": "string" },
        { "name": "Correlation", "type": "string" },
        { "name": "EventData", "type": "dynamic" },
        { "name": "EventID", "type": "int" },
        { "name": "EventLevel", "type": "int" },
        { "name": "EventLevelName", "type": "string" },
        { "name": "EventOriginId", "type": "string" },
        { "name": "EventRecordId", "type": "string" },
        { "name": "Keywords", "type": "string" },
        { "name": "ManagementGroupName", "type": "string" },
        { "name": "Opcode", "type": "string" },
        { "name": "Provider", "type": "string" },
        { "name": "RawEventData", "type": "string" },
        { "name": "SystemProcessId", "type": "int" },
        { "name": "SystemThreadId", "type": "int" },
        { "name": "SystemUserId", "type": "string" },
        { "name": "Task", "type": "int" },
        { "name": "TimeGenerated", "type": "datetime" },
        { "name": "Type", "type": "string" },
        { "name": "Version", "type": "int" }
      ],
      "metadata": {
        "description": "Schema for Windows Event logs. Adjust column names and types if necessary."
      }
    },
    "windowsEventTransformKql": {
      "defaultValue": "source",
      "type": "string",
      "metadata": {
        "description": "Transformation KQL for WindowsEvent table."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2023-03-11",
      "name": "[parameters('dcrName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "dataCollectionEndpointId": "[parameters('dceResourceId')]",
        "dataFlows": [
          {
            "destinations": ["LogAnalyticsDestination"],
            "outputStream": "Microsoft-WindowsEvent",
            "streams": ["Custom-WindowsEvent-Stream"],
            "transformKql": "[parameters('windowsEventTransformKql')]"
          }
        ],
        "streamDeclarations": {
          "Custom-WindowsEvent-Stream": {
            "columns": "[parameters('windowsEventColumns')]"
          }
        },
        "destinations": {
          "logAnalytics": [
            {
              "name": "LogAnalyticsDestination",
              "workspaceResourceId": "[parameters('workspaceResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

DCR ARM Template For Single Table (SecurityEvent)

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dcrName": {
      "type": "string",
      "defaultValue": "SnareCentral-DCR",
      "metadata": {
        "description": "The Name of Data Collection Rule (DCR) to be created for ingesting event logs from Snare."
      }
    },
    "dceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of the Data Collection Endpoint (DCE) where event logs from Snare will be sent."
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of Log Analytics workspace where the event logs from Snare will be sent for analysis."
      }
    },
    "securityEventColumns": {
      "type": "array",
      "defaultValue": [
        { "name": "AccessList", "type": "string" },
        { "name": "AccessMask", "type": "string" },
        { "name": "AccessReason", "type": "string" },
        { "name": "Account", "type": "string" },
        { "name": "AccountDomain", "type": "string" },
        { "name": "AccountExpires", "type": "string" },
        { "name": "AccountName", "type": "string" },
        { "name": "AccountSessionIdentifier", "type": "string" },
        { "name": "AccountType", "type": "string" },
        { "name": "Activity", "type": "string" },
        { "name": "AdditionalInfo", "type": "string" },
        { "name": "AdditionalInfo2", "type": "string" },
        { "name": "AllowedToDelegateTo", "type": "string" },
        { "name": "Attributes", "type": "string" },
        { "name": "AuditPolicyChanges", "type": "string" },
        { "name": "AuditsDiscarded", "type": "int" },
        { "name": "AuthenticationLevel", "type": "int" },
        { "name": "AuthenticationPackageName", "type": "string" },
        { "name": "AuthenticationProvider", "type": "string" },
        { "name": "AuthenticationServer", "type": "string" },
        { "name": "AuthenticationService", "type": "int" },
        { "name": "AuthenticationType", "type": "string" },
        { "name": "AzureDeploymentID", "type": "string" },
        { "name": "AzureTableName", "type": "string" },
        { "name": "CACertificateHash", "type": "string" },
        { "name": "CalledStationID", "type": "string" },
        { "name": "CallerProcessId", "type": "string" },
        { "name": "CallerProcessName", "type": "string" },
        { "name": "CallingStationID", "type": "string" },
        { "name": "CAPublicKeyHash", "type": "string" },
        { "name": "CategoryId", "type": "string" },
        { "name": "CertificateDatabaseHash", "type": "string" },
        { "name": "Channel", "type": "string" },
        { "name": "ClassId", "type": "string" },
        { "name": "ClassName", "type": "string" },
        { "name": "ClientAddress", "type": "string" },
        { "name": "ClientIPAddress", "type": "string" },
        { "name": "ClientName", "type": "string" },
        { "name": "CommandLine", "type": "string" },
        { "name": "CompatibleIds", "type": "string" },
        { "name": "Computer", "type": "string" },
        { "name": "Correlation", "type": "string" },
        { "name": "DCDNSName", "type": "string" },
        { "name": "DeviceDescription", "type": "string" },
        { "name": "DeviceId", "type": "string" },
        { "name": "DisplayName", "type": "string" },
        { "name": "Disposition", "type": "string" },
        { "name": "DomainBehaviorVersion", "type": "string" },
        { "name": "DomainName", "type": "string" },
        { "name": "DomainPolicyChanged", "type": "string" },
        { "name": "DomainSid", "type": "string" },
        { "name": "EAPType", "type": "string" },
        { "name": "ElevatedToken", "type": "string" },
        { "name": "ErrorCode", "type": "int" },
        { "name": "EventData", "type": "string" },
        { "name": "EventID", "type": "int" },
        { "name": "EventLevelName", "type": "string" },
        { "name": "EventOriginId", "type": "string" },
        { "name": "EventRecordId", "type": "string" },
        { "name": "EventSourceName", "type": "string" },
        { "name": "ExtendedQuarantineState", "type": "string" },
        { "name": "FailureReason", "type": "string" },
        { "name": "FileHash", "type": "string" },
        { "name": "FilePath", "type": "string" },
        { "name": "FilePathNoUser", "type": "string" },
        { "name": "Filter", "type": "string" },
        { "name": "ForceLogoff", "type": "string" },
        { "name": "Fqbn", "type": "string" },
        { "name": "FullyQualifiedSubjectMachineName", "type": "string" },
        { "name": "FullyQualifiedSubjectUserName", "type": "string" },
        { "name": "GroupMembership", "type": "string" },
        { "name": "HandleId", "type": "string" },
        { "name": "HardwareIds", "type": "string" },
        { "name": "HomeDirectory", "type": "string" },
        { "name": "HomePath", "type": "string" },
        { "name": "ImpersonationLevel", "type": "string" },
        { "name": "IpAddress", "type": "string" },
        { "name": "IpPort", "type": "string" },
        { "name": "KeyLength", "type": "int" },
        { "name": "Keywords", "type": "string" },
        { "name": "Level", "type": "string" },
        { "name": "LmPackageName", "type": "string" },
        { "name": "LocationInformation", "type": "string" },
        { "name": "LockoutDuration", "type": "string" },
        { "name": "LockoutObservationWindow", "type": "string" },
        { "name": "LockoutThreshold", "type": "string" },
        { "name": "LoggingResult", "type": "string" },
        { "name": "LogonHours", "type": "string" },
        { "name": "LogonID", "type": "string" },
        { "name": "LogonProcessName", "type": "string" },
        { "name": "LogonType", "type": "int" },
        { "name": "LogonTypeName", "type": "string" },
        { "name": "MachineAccountQuota", "type": "string" },
        { "name": "MachineInventory", "type": "string" },
        { "name": "MachineLogon", "type": "string" },
        { "name": "ManagementGroupName", "type": "string" },
        { "name": "MandatoryLabel", "type": "string" },
        { "name": "MaxPasswordAge", "type": "string" },
        { "name": "MemberName", "type": "string" },
        { "name": "MemberSid", "type": "string" },
        { "name": "MinPasswordAge", "type": "string" },
        { "name": "MinPasswordLength", "type": "string" },
        { "name": "MixedDomainMode", "type": "string" },
        { "name": "NASIdentifier", "type": "string" },
        { "name": "NASIPv4Address", "type": "string" },
        { "name": "NASIPv6Address", "type": "string" },
        { "name": "NASPort", "type": "string" },
        { "name": "NASPortType", "type": "string" },
        { "name": "NetworkPolicyName", "type": "string" },
        { "name": "NewDate", "type": "string" },
        { "name": "NewMaxUsers", "type": "string" },
        { "name": "NewProcessId", "type": "string" },
        { "name": "NewProcessName", "type": "string" },
        { "name": "NewRemark", "type": "string" },
        { "name": "NewShareFlags", "type": "string" },
        { "name": "NewTime", "type": "string" },
        { "name": "NewUacValue", "type": "string" },
        { "name": "NewValue", "type": "string" },
        { "name": "NewValueType", "type": "string" },
        { "name": "ObjectName", "type": "string" },
        { "name": "ObjectServer", "type": "string" },
        { "name": "ObjectType", "type": "string" },
        { "name": "ObjectValueName", "type": "string" },
        { "name": "OemInformation", "type": "string" },
        { "name": "OldMaxUsers", "type": "string" },
        { "name": "OldRemark", "type": "string" },
        { "name": "OldShareFlags", "type": "string" },
        { "name": "OldUacValue", "type": "string" },
        { "name": "OldValue", "type": "string" },
        { "name": "OldValueType", "type": "string" },
        { "name": "Opcode", "type": "string" },
        { "name": "OperationType", "type": "string" },
        { "name": "PackageName", "type": "string" },
        { "name": "ParentProcessName", "type": "string" },
        { "name": "PartitionKey", "type": "string" },
        { "name": "PasswordHistoryLength", "type": "string" },
        { "name": "PasswordLastSet", "type": "string" },
        { "name": "PasswordProperties", "type": "string" },
        { "name": "PreviousDate", "type": "string" },
        { "name": "PreviousTime", "type": "string" },
        { "name": "PrimaryGroupId", "type": "string" },
        { "name": "PrivateKeyUsageCount", "type": "string" },
        { "name": "PrivilegeList", "type": "string" },
        { "name": "Process", "type": "string" },
        { "name": "ProcessId", "type": "string" },
        { "name": "ProcessName", "type": "string" },
        { "name": "ProfilePath", "type": "string" },
        { "name": "Properties", "type": "string" },
        { "name": "ProtocolSequence", "type": "string" },
        { "name": "ProxyPolicyName", "type": "string" },
        { "name": "QuarantineHelpURL", "type": "string" },
        { "name": "QuarantineSessionID", "type": "string" },
        { "name": "QuarantineSessionIdentifier", "type": "string" },
        { "name": "QuarantineState", "type": "string" },
        { "name": "QuarantineSystemHealthResult", "type": "string" },
        { "name": "RelativeTargetName", "type": "string" },
        { "name": "RemoteIpAddress", "type": "string" },
        { "name": "RemotePort", "type": "string" },
        { "name": "Requester", "type": "string" },
        { "name": "RequestId", "type": "string" },
        { "name": "RestrictedAdminMode", "type": "string" },
        { "name": "RowKey", "type": "string" },
        { "name": "RowsDeleted", "type": "string" },
        { "name": "SamAccountName", "type": "string" },
        { "name": "ScriptPath", "type": "string" },
        { "name": "SecurityDescriptor", "type": "string" },
        { "name": "ServiceAccount", "type": "string" },
        { "name": "ServiceFileName", "type": "string" },
        { "name": "ServiceName", "type": "string" },
        { "name": "ServiceStartType", "type": "int" },
        { "name": "ServiceType", "type": "string" },
        { "name": "SessionName", "type": "string" },
        { "name": "ShareLocalPath", "type": "string" },
        { "name": "ShareName", "type": "string" },
        { "name": "SidHistory", "type": "string" },
        { "name": "SourceSystem", "type": "string" },
        { "name": "Status", "type": "string" },
        { "name": "StorageAccount", "type": "string" },
        { "name": "SubcategoryId", "type": "string" },
        { "name": "Subject", "type": "string" },
        { "name": "SubjectAccount", "type": "string" },
        { "name": "SubjectDomainName", "type": "string" },
        { "name": "SubjectKeyIdentifier", "type": "string" },
        { "name": "SubjectLogonId", "type": "string" },
        { "name": "SubjectMachineName", "type": "string" },
        { "name": "SubjectMachineSID", "type": "string" },
        { "name": "SubjectUserName", "type": "string" },
        { "name": "SubjectUserSid", "type": "string" },
        { "name": "SubStatus", "type": "string" },
        { "name": "SystemProcessId", "type": "int" },
        { "name": "SystemThreadId", "type": "int" },
        { "name": "SystemUserId", "type": "string" },
        { "name": "TableId", "type": "string" },
        { "name": "TargetAccount", "type": "string" },
        { "name": "TargetDomainName", "type": "string" },
        { "name": "TargetInfo", "type": "string" },
        { "name": "TargetLinkedLogonId", "type": "string" },
        { "name": "TargetLogonId", "type": "string" },
        { "name": "TargetOutboundDomainName", "type": "string" },
        { "name": "TargetOutboundUserName", "type": "string" },
        { "name": "TargetServerName", "type": "string" },
        { "name": "TargetSid", "type": "string" },
        { "name": "TargetUser", "type": "string" },
        { "name": "TargetUserName", "type": "string" },
        { "name": "TargetUserSid", "type": "string" },
        { "name": "Task", "type": "int" },
        { "name": "TemplateContent", "type": "string" },
        { "name": "TemplateDSObjectFQDN", "type": "string" },
        { "name": "TemplateInternalName", "type": "string" },
        { "name": "TemplateOID", "type": "string" },
        { "name": "TemplateSchemaVersion", "type": "string" },
        { "name": "TemplateVersion", "type": "string" },
        { "name": "TimeCollected", "type": "datetime" },
        { "name": "TimeGenerated", "type": "datetime" },
        { "name": "TokenElevationType", "type": "string" },
        { "name": "TransmittedServices", "type": "string" },
        { "name": "Type", "type": "string" },
        { "name": "UserAccountControl", "type": "string" },
        { "name": "UserParameters", "type": "string" },
        { "name": "UserPrincipalName", "type": "string" },
        { "name": "UserWorkstations", "type": "string" },
        { "name": "VendorIds", "type": "string" },
        { "name": "Version", "type": "int" },
        { "name": "VirtualAccount", "type": "string" },
        { "name": "Workstation", "type": "string" },
        { "name": "WorkstationName", "type": "string" }
      ],
      "metadata": {
        "description": "Schema for Security Event logs. Adjust column names and types if necessary."
      }
    },
    "securityEventTransformKql": {
      "defaultValue": "source",
      "type": "string",
      "metadata": {
        "description": "Transformation KQL for SecurityEvent table."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2023-03-11",
      "name": "[parameters('dcrName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "dataCollectionEndpointId": "[parameters('dceResourceId')]",
        "dataFlows": [
          {
            "destinations": ["LogAnalyticsDestination"],
            "outputStream": "Microsoft-SecurityEvent",
            "streams": ["Custom-SecurityEvent-Stream"],
            "transformKql": "[parameters('securityEventTransformKql')]"
          }
        ],
        "streamDeclarations": {
          "Custom-SecurityEvent-Stream": {
            "columns": "[parameters('securityEventColumns')]"
          }
        },
        "destinations": {
          "logAnalytics": [
            {
              "name": "LogAnalyticsDestination",
              "workspaceResourceId": "[parameters('workspaceResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

DCR ARM Template For Single Table (Syslog)

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dcrName": {
      "type": "string",
      "defaultValue": "SnareCentral-DCR",
      "metadata": {
        "description": "The Name of Data Collection Rule (DCR) to be created for ingesting event logs from Snare."
      }
    },
    "dceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of the Data Collection Endpoint (DCE) where event logs from Snare will be sent."
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of Log Analytics workspace where the event logs from Snare will be sent for analysis."
      }
    },
    "syslogColumns": {
      "type": "array",
      "defaultValue": [
        { "name": "CollectorHostName", "type": "string" },
        { "name": "Computer", "type": "string" },
        { "name": "EventTime", "type": "datetime" },
        { "name": "Facility", "type": "string" },
        { "name": "HostIP", "type": "string" },
        { "name": "HostName", "type": "string" },
        { "name": "ManagementGroupName", "type": "string" },
        { "name": "ProcessID", "type": "int" },
        { "name": "ProcessName", "type": "string" },
        { "name": "SeverityLevel", "type": "string" },
        { "name": "SourceSystem", "type": "string" },
        { "name": "SyslogMessage", "type": "string" },
        { "name": "TimeGenerated", "type": "datetime" },
        { "name": "Type", "type": "string" }
      ],
      "metadata": {
        "description": "Schema for Syslog. Adjust column names and types if necessary."
      }
    },
    "syslogTransformKql": {
      "defaultValue": "source",
      "type": "String",
      "metadata": {
        "description": "Transformation KQL for Syslog table."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2023-03-11",
      "name": "[parameters('dcrName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "dataCollectionEndpointId": "[parameters('dceResourceId')]",
        "dataFlows": [
          {
            "destinations": ["LogAnalyticsDestination"],
            "outputStream": "Microsoft-Syslog",
            "streams": ["Custom-Syslog-Stream"],
            "transformKql": "[parameters('syslogTransformKql')]"
          }
        ],
        "streamDeclarations": {
          "Custom-Syslog-Stream": {
            "columns": "[parameters('syslogColumns')]"
          }
        },
        "destinations": {
          "logAnalytics": [
            {
              "name": "LogAnalyticsDestination",
              "workspaceResourceId": "[parameters('workspaceResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

DCR ARM Template For Multiple Tables (WindowsEvent, SecurityEvent, Syslog)

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dcrName": {
      "type": "string",
      "defaultValue": "SnareCentral-DCR",
      "metadata": {
        "description": "The Name of Data Collection Rule (DCR) to be created for ingesting event logs from Snare."
      }
    },
    "dceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of the Data Collection Endpoint (DCE) where event logs from Snare will be sent."
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "The Resource ID of Log Analytics workspace where the event logs from Snare will be sent for analysis."
      }
    },
    "windowsEventColumns": {
      "type": "array",
      "defaultValue": [
        { "name": "Channel", "type": "string" },
        { "name": "Computer", "type": "string" },
        { "name": "Correlation", "type": "string" },
        { "name": "EventData", "type": "dynamic" },
        { "name": "EventID", "type": "int" },
        { "name": "EventLevel", "type": "int" },
        { "name": "EventLevelName", "type": "string" },
        { "name": "EventOriginId", "type": "string" },
        { "name": "EventRecordId", "type": "string" },
        { "name": "Keywords", "type": "string" },
        { "name": "ManagementGroupName", "type": "string" },
        { "name": "Opcode", "type": "string" },
        { "name": "Provider", "type": "string" },
        { "name": "RawEventData", "type": "string" },
        { "name": "SystemProcessId", "type": "int" },
        { "name": "SystemThreadId", "type": "int" },
        { "name": "SystemUserId", "type": "string" },
        { "name": "Task", "type": "int" },
        { "name": "TimeGenerated", "type": "datetime" },
        { "name": "Type", "type": "string" },
        { "name": "Version", "type": "int" }
      ],
      "metadata": {
        "description": "Schema for Windows Event logs. Adjust column names and types if necessary."
      }
    },
    "windowsEventTransformKql": {
      "defaultValue": "source",
      "type": "string",
      "metadata": {
        "description": "Transformation KQL for WindowsEvent table."
      }
    },
    "securityEventColumns": {
      "type": "array",
      "defaultValue": [
        { "name": "AccessList", "type": "string" },
        { "name": "AccessMask", "type": "string" },
        { "name": "AccessReason", "type": "string" },
        { "name": "Account", "type": "string" },
        { "name": "AccountDomain", "type": "string" },
        { "name": "AccountExpires", "type": "string" },
        { "name": "AccountName", "type": "string" },
        { "name": "AccountSessionIdentifier", "type": "string" },
        { "name": "AccountType", "type": "string" },
        { "name": "Activity", "type": "string" },
        { "name": "AdditionalInfo", "type": "string" },
        { "name": "AdditionalInfo2", "type": "string" },
        { "name": "AllowedToDelegateTo", "type": "string" },
        { "name": "Attributes", "type": "string" },
        { "name": "AuditPolicyChanges", "type": "string" },
        { "name": "AuditsDiscarded", "type": "int" },
        { "name": "AuthenticationLevel", "type": "int" },
        { "name": "AuthenticationPackageName", "type": "string" },
        { "name": "AuthenticationProvider", "type": "string" },
        { "name": "AuthenticationServer", "type": "string" },
        { "name": "AuthenticationService", "type": "int" },
        { "name": "AuthenticationType", "type": "string" },
        { "name": "AzureDeploymentID", "type": "string" },
        { "name": "AzureTableName", "type": "string" },
        { "name": "CACertificateHash", "type": "string" },
        { "name": "CalledStationID", "type": "string" },
        { "name": "CallerProcessId", "type": "string" },
        { "name": "CallerProcessName", "type": "string" },
        { "name": "CallingStationID", "type": "string" },
        { "name": "CAPublicKeyHash", "type": "string" },
        { "name": "CategoryId", "type": "string" },
        { "name": "CertificateDatabaseHash", "type": "string" },
        { "name": "Channel", "type": "string" },
        { "name": "ClassId", "type": "string" },
        { "name": "ClassName", "type": "string" },
        { "name": "ClientAddress", "type": "string" },
        { "name": "ClientIPAddress", "type": "string" },
        { "name": "ClientName", "type": "string" },
        { "name": "CommandLine", "type": "string" },
        { "name": "CompatibleIds", "type": "string" },
        { "name": "Computer", "type": "string" },
        { "name": "Correlation", "type": "string" },
        { "name": "DCDNSName", "type": "string" },
        { "name": "DeviceDescription", "type": "string" },
        { "name": "DeviceId", "type": "string" },
        { "name": "DisplayName", "type": "string" },
        { "name": "Disposition", "type": "string" },
        { "name": "DomainBehaviorVersion", "type": "string" },
        { "name": "DomainName", "type": "string" },
        { "name": "DomainPolicyChanged", "type": "string" },
        { "name": "DomainSid", "type": "string" },
        { "name": "EAPType", "type": "string" },
        { "name": "ElevatedToken", "type": "string" },
        { "name": "ErrorCode", "type": "int" },
        { "name": "EventData", "type": "string" },
        { "name": "EventID", "type": "int" },
        { "name": "EventLevelName", "type": "string" },
        { "name": "EventOriginId", "type": "string" },
        { "name": "EventRecordId", "type": "string" },
        { "name": "EventSourceName", "type": "string" },
        { "name": "ExtendedQuarantineState", "type": "string" },
        { "name": "FailureReason", "type": "string" },
        { "name": "FileHash", "type": "string" },
        { "name": "FilePath", "type": "string" },
        { "name": "FilePathNoUser", "type": "string" },
        { "name": "Filter", "type": "string" },
        { "name": "ForceLogoff", "type": "string" },
        { "name": "Fqbn", "type": "string" },
        { "name": "FullyQualifiedSubjectMachineName", "type": "string" },
        { "name": "FullyQualifiedSubjectUserName", "type": "string" },
        { "name": "GroupMembership", "type": "string" },
        { "name": "HandleId", "type": "string" },
        { "name": "HardwareIds", "type": "string" },
        { "name": "HomeDirectory", "type": "string" },
        { "name": "HomePath", "type": "string" },
        { "name": "ImpersonationLevel", "type": "string" },
        { "name": "IpAddress", "type": "string" },
        { "name": "IpPort", "type": "string" },
        { "name": "KeyLength", "type": "int" },
        { "name": "Keywords", "type": "string" },
        { "name": "Level", "type": "string" },
        { "name": "LmPackageName", "type": "string" },
        { "name": "LocationInformation", "type": "string" },
        { "name": "LockoutDuration", "type": "string" },
        { "name": "LockoutObservationWindow", "type": "string" },
        { "name": "LockoutThreshold", "type": "string" },
        { "name": "LoggingResult", "type": "string" },
        { "name": "LogonHours", "type": "string" },
        { "name": "LogonID", "type": "string" },
        { "name": "LogonProcessName", "type": "string" },
        { "name": "LogonType", "type": "int" },
        { "name": "LogonTypeName", "type": "string" },
        { "name": "MachineAccountQuota", "type": "string" },
        { "name": "MachineInventory", "type": "string" },
        { "name": "MachineLogon", "type": "string" },
        { "name": "ManagementGroupName", "type": "string" },
        { "name": "MandatoryLabel", "type": "string" },
        { "name": "MaxPasswordAge", "type": "string" },
        { "name": "MemberName", "type": "string" },
        { "name": "MemberSid", "type": "string" },
        { "name": "MinPasswordAge", "type": "string" },
        { "name": "MinPasswordLength", "type": "string" },
        { "name": "MixedDomainMode", "type": "string" },
        { "name": "NASIdentifier", "type": "string" },
        { "name": "NASIPv4Address", "type": "string" },
        { "name": "NASIPv6Address", "type": "string" },
        { "name": "NASPort", "type": "string" },
        { "name": "NASPortType", "type": "string" },
        { "name": "NetworkPolicyName", "type": "string" },
        { "name": "NewDate", "type": "string" },
        { "name": "NewMaxUsers", "type": "string" },
        { "name": "NewProcessId", "type": "string" },
        { "name": "NewProcessName", "type": "string" },
        { "name": "NewRemark", "type": "string" },
        { "name": "NewShareFlags", "type": "string" },
        { "name": "NewTime", "type": "string" },
        { "name": "NewUacValue", "type": "string" },
        { "name": "NewValue", "type": "string" },
        { "name": "NewValueType", "type": "string" },
        { "name": "ObjectName", "type": "string" },
        { "name": "ObjectServer", "type": "string" },
        { "name": "ObjectType", "type": "string" },
        { "name": "ObjectValueName", "type": "string" },
        { "name": "OemInformation", "type": "string" },
        { "name": "OldMaxUsers", "type": "string" },
        { "name": "OldRemark", "type": "string" },
        { "name": "OldShareFlags", "type": "string" },
        { "name": "OldUacValue", "type": "string" },
        { "name": "OldValue", "type": "string" },
        { "name": "OldValueType", "type": "string" },
        { "name": "Opcode", "type": "string" },
        { "name": "OperationType", "type": "string" },
        { "name": "PackageName", "type": "string" },
        { "name": "ParentProcessName", "type": "string" },
        { "name": "PartitionKey", "type": "string" },
        { "name": "PasswordHistoryLength", "type": "string" },
        { "name": "PasswordLastSet", "type": "string" },
        { "name": "PasswordProperties", "type": "string" },
        { "name": "PreviousDate", "type": "string" },
        { "name": "PreviousTime", "type": "string" },
        { "name": "PrimaryGroupId", "type": "string" },
        { "name": "PrivateKeyUsageCount", "type": "string" },
        { "name": "PrivilegeList", "type": "string" },
        { "name": "Process", "type": "string" },
        { "name": "ProcessId", "type": "string" },
        { "name": "ProcessName", "type": "string" },
        { "name": "ProfilePath", "type": "string" },
        { "name": "Properties", "type": "string" },
        { "name": "ProtocolSequence", "type": "string" },
        { "name": "ProxyPolicyName", "type": "string" },
        { "name": "QuarantineHelpURL", "type": "string" },
        { "name": "QuarantineSessionID", "type": "string" },
        { "name": "QuarantineSessionIdentifier", "type": "string" },
        { "name": "QuarantineState", "type": "string" },
        { "name": "QuarantineSystemHealthResult", "type": "string" },
        { "name": "RelativeTargetName", "type": "string" },
        { "name": "RemoteIpAddress", "type": "string" },
        { "name": "RemotePort", "type": "string" },
        { "name": "Requester", "type": "string" },
        { "name": "RequestId", "type": "string" },
        { "name": "RestrictedAdminMode", "type": "string" },
        { "name": "RowKey", "type": "string" },
        { "name": "RowsDeleted", "type": "string" },
        { "name": "SamAccountName", "type": "string" },
        { "name": "ScriptPath", "type": "string" },
        { "name": "SecurityDescriptor", "type": "string" },
        { "name": "ServiceAccount", "type": "string" },
        { "name": "ServiceFileName", "type":
"string" }, { "name": "ServiceName", "type": "string" }, { "name": "ServiceStartType", "type": "int" }, { "name": "ServiceType", "type": "string" }, { "name": "SessionName", "type": "string" }, { "name": "ShareLocalPath", "type": "string" }, { "name": "ShareName", "type": "string" }, { "name": "SidHistory", "type": "string" }, { "name": "SourceSystem", "type": "string" }, { "name": "Status", "type": "string" }, { "name": "StorageAccount", "type": "string" }, { "name": "SubcategoryId", "type": "string" }, { "name": "Subject", "type": "string" }, { "name": "SubjectAccount", "type": "string" }, { "name": "SubjectDomainName", "type": "string" }, { "name": "SubjectKeyIdentifier", "type": "string" }, { "name": "SubjectLogonId", "type": "string" }, { "name": "SubjectMachineName", "type": "string" }, { "name": "SubjectMachineSID", "type": "string" }, { "name": "SubjectUserName", "type": "string" }, { "name": "SubjectUserSid", "type": "string" }, { "name": "SubStatus", "type": "string" }, { "name": "SystemProcessId", "type": "int" }, { "name": "SystemThreadId", "type": "int" }, { "name": "SystemUserId", "type": "string" }, { "name": "TableId", "type": "string" }, { "name": "TargetAccount", "type": "string" }, { "name": "TargetDomainName", "type": "string" }, { "name": "TargetInfo", "type": "string" }, { "name": "TargetLinkedLogonId", "type": "string" }, { "name": "TargetLogonId", "type": "string" }, { "name": "TargetOutboundDomainName", "type": "string" }, { "name": "TargetOutboundUserName", "type": "string" }, { "name": "TargetServerName", "type": "string" }, { "name": "TargetSid", "type": "string" }, { "name": "TargetUser", "type": "string" }, { "name": "TargetUserName", "type": "string" }, { "name": "TargetUserSid", "type": "string" }, { "name": "Task", "type": "int" }, { "name": "TemplateContent", "type": "string" }, { "name": "TemplateDSObjectFQDN", "type": "string" }, { "name": "TemplateInternalName", "type": "string" }, { "name": "TemplateOID", "type": "string" }, { 
"name": "TemplateSchemaVersion", "type": "string" }, { "name": "TemplateVersion", "type": "string" }, { "name": "TimeCollected", "type": "datetime" }, { "name": "TimeGenerated", "type": "datetime" }, { "name": "TokenElevationType", "type": "string" }, { "name": "TransmittedServices", "type": "string" }, { "name": "Type", "type": "string" }, { "name": "UserAccountControl", "type": "string" }, { "name": "UserParameters", "type": "string" }, { "name": "UserPrincipalName", "type": "string" }, { "name": "UserWorkstations", "type": "string" }, { "name": "VendorIds", "type": "string" }, { "name": "Version", "type": "int" }, { "name": "VirtualAccount", "type": "string" }, { "name": "Workstation", "type": "string" }, { "name": "WorkstationName", "type": "string" } ], "metadata": { "description": "Schema for Security Event logs. Adjust column names and types if necessary." } }, "securityEventTransformKql": { "defaultValue": "source", "type": "string", "metadata": { "description": "Transformation KQL for SecurityEvent table." } }, "syslogColumns": { "type": "array", "defaultValue": [ { "name": "CollectorHostName", "type": "string" }, { "name": "Computer", "type": "string" }, { "name": "EventTime", "type": "datetime" }, { "name": "Facility", "type": "string" }, { "name": "HostIP", "type": "string" }, { "name": "HostName", "type": "string" }, { "name": "ManagementGroupName", "type": "string" }, { "name": "ProcessID", "type": "int" }, { "name": "ProcessName", "type": "string" }, { "name": "SeverityLevel", "type": "string" }, { "name": "SourceSystem", "type": "string" }, { "name": "SyslogMessage", "type": "string" }, { "name": "TimeGenerated", "type": "datetime" }, { "name": "Type", "type": "string" } ], "metadata": { "description": "Schema for Syslog. Adjust column names and types if necessary." } }, "syslogTransformKql": { "defaultValue": "source", "type": "String", "metadata": { "description": "Transformation KQL for Syslog table." 
} } }, "resources": [ { "type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2023-03-11", "name": "[parameters('dcrName')]", "location": "[resourceGroup().location]", "properties": { "dataCollectionEndpointId": "[parameters('dceResourceId')]", "dataFlows": [ { "destinations": ["LogAnalyticsDestination"], "outputStream": "Microsoft-WindowsEvent", "streams": ["Custom-WindowsEvent-Stream"], "transformKql": "[parameters('windowsEventTransformKql')]" }, { "destinations": ["LogAnalyticsDestination"], "outputStream": "Microsoft-SecurityEvent", "streams": ["Custom-SecurityEvent-Stream"], "transformKql": "[parameters('securityEventTransformKql')]" }, { "destinations": ["LogAnalyticsDestination"], "outputStream": "Microsoft-Syslog", "streams": ["Custom-Syslog-Stream"], "transformKql": "[parameters('syslogTransformKql')]" } ], "streamDeclarations": { "Custom-WindowsEvent-Stream": { "columns": "[parameters('windowsEventColumns')]" }, "Custom-SecurityEvent-Stream": { "columns": "[parameters('securityEventColumns')]" }, "Custom-Syslog-Stream": { "columns": "[parameters('syslogColumns')]" } }, "destinations": { "logAnalytics": [ { "name": "LogAnalyticsDestination", "workspaceResourceId": "[parameters('workspaceResourceId')]" } ] } } } ] }
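The rule above only works if its three parts agree with each other and with what the sender posts: every dataFlow must name a declared stream and a declared destination, the outputStream must be one of the built-in tables the Logs Ingestion API can write to (Microsoft-WindowsEvent, Microsoft-SecurityEvent, Microsoft-Syslog, Microsoft-CommonSecurityLog), and with the default pass-through transform `source` the incoming stream itself has to carry a datetime TimeGenerated because nothing else will add it. The script below is an added example, not Snare Central or Microsoft code, that checks those invariants offline against a constructed, trimmed copy of the template's resource block (one dataFlow and six of the Syslog columns; the resource IDs are placeholders), validates a sample record against the stream declaration the way the pipeline will, and assembles the ingestion URL a sender uses. The DCR immutable ID and the DCE ingestion hostname are assumed inputs: both are read from the deployed resources, and the sending identity needs the Monitoring Metrics Publisher role on the DCR, not on the workspace.

```python
"""Offline checks for a Sentinel DCR template and the records posted to it.
Added example for this appendix; not Snare Central or Microsoft code."""
import re
from urllib.parse import quote

# Built-in tables the Logs Ingestion API can write to directly; the appendix
# template's three outputStream values are all in this set.
BUILTIN_OUTPUT_STREAMS = {"Microsoft-CommonSecurityLog", "Microsoft-SecurityEvent",
                          "Microsoft-Syslog", "Microsoft-WindowsEvent"}
# Column types a streamDeclaration may use, and the JSON/Python types a record
# must carry for each (datetime is checked separately as an ISO 8601 string).
STREAM_COLUMN_TYPES = {"string", "int", "long", "real", "boolean", "datetime", "dynamic"}
PY_TYPES = {"string": str, "int": int, "long": int, "real": (int, float),
            "boolean": bool, "dynamic": (dict, list)}
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# Constructed, trimmed copy of the appendix template's resource block.
SAMPLE_DCR = {"properties": {
    "dataCollectionEndpointId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                                "Microsoft.Insights/dataCollectionEndpoints/<dce>",
    "dataFlows": [{"destinations": ["LogAnalyticsDestination"],
                   "outputStream": "Microsoft-Syslog",
                   "streams": ["Custom-Syslog-Stream"],
                   "transformKql": "source"}],
    "streamDeclarations": {"Custom-Syslog-Stream": {"columns": [
        {"name": "Computer", "type": "string"},
        {"name": "Facility", "type": "string"},
        {"name": "ProcessID", "type": "int"},
        {"name": "SeverityLevel", "type": "string"},
        {"name": "SyslogMessage", "type": "string"},
        {"name": "TimeGenerated", "type": "datetime"}]}},
    "destinations": {"logAnalytics": [
        {"name": "LogAnalyticsDestination",
         "workspaceResourceId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                                "Microsoft.OperationalInsights/workspaces/<ws>"}]},
}}


def check_dcr(dcr: dict) -> list[str]:
    """Cross-check dataFlows, streamDeclarations and destinations; [] means consistent."""
    props = dcr["properties"]
    declared = props.get("streamDeclarations", {})
    dest_names = {d["name"] for d in props.get("destinations", {}).get("logAnalytics", [])}
    problems = []
    for flow in props.get("dataFlows", []):
        if flow.get("outputStream") not in BUILTIN_OUTPUT_STREAMS:
            problems.append(f"outputStream {flow.get('outputStream')!r} is not a built-in "
                            "table the Logs Ingestion API can write to")
        for dest in flow.get("destinations", []):
            if dest not in dest_names:
                problems.append(f"dataFlow names unknown destination {dest!r}")
        for stream in flow.get("streams", []):
            if stream not in declared:
                problems.append(f"dataFlow names undeclared stream {stream!r}")
                continue
            cols = {c["name"]: c["type"] for c in declared[stream]["columns"]}
            bad = sorted(n for n, t in cols.items() if t not in STREAM_COLUMN_TYPES)
            if bad:
                problems.append(f"{stream}: unsupported column types on {bad}")
            # With the pass-through transform 'source' nothing adds TimeGenerated,
            # so the incoming stream itself must carry it as a datetime.
            passthrough = flow.get("transformKql", "source").strip() == "source"
            if passthrough and cols.get("TimeGenerated") != "datetime":
                problems.append(f"{stream}: no datetime TimeGenerated column and the "
                                "transform is pass-through")
    return problems


def validate_record(dcr: dict, stream: str, record: dict) -> list[str]:
    """Check one JSON record against a stream declaration before it is posted.
    Undeclared keys never reach the table, and a value of the wrong type
    cannot be stored in the declared column, so both are reported."""
    cols = {c["name"]: c["type"]
            for c in dcr["properties"]["streamDeclarations"][stream]["columns"]}
    problems = []
    for key, value in record.items():
        if key not in cols:
            problems.append(f"{key}: not declared in {stream}")
        elif cols[key] == "datetime":
            if not (isinstance(value, str) and ISO8601.match(value)):
                problems.append(f"{key}: expected ISO 8601 datetime string")
        elif not isinstance(value, PY_TYPES[cols[key]]) or (
                cols[key] in ("int", "long", "real") and isinstance(value, bool)):
            problems.append(f"{key}: expected {cols[key]}")
    return problems


def ingestion_url(dce_ingest_endpoint: str, dcr_immutable_id: str, stream: str) -> str:
    """URL the sender POSTs its JSON array to. The immutable ID is taken from the
    deployed rule (portal JSON view or `az monitor data-collection rule show`);
    both arguments are assumed inputs here."""
    return (f"{dce_ingest_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{quote(stream)}?api-version=2023-01-01")


if __name__ == "__main__":
    print(check_dcr(SAMPLE_DCR) or "DCR fragment is consistent")
    sample = {"Computer": "web01", "Facility": "auth", "ProcessID": 4321,  # constructed
              "SeverityLevel": "warning", "TimeGenerated": "2024-05-01T12:00:00Z",
              "SyslogMessage": "Failed password for invalid user admin from 203.0.113.5"}
    print(validate_record(SAMPLE_DCR, "Custom-Syslog-Stream", sample) or "record matches stream")
    print(ingestion_url("https://my-dce-abcd.eastus-1.ingest.monitor.azure.com",
                        "dcr-00000000000000000000000000000000", "Custom-Syslog-Stream"))
```

Run `check_dcr` against the full template's rendered resource block before deploying, and `validate_record` against a handful of real Snare Central events before pointing the HTTP log delivery at the endpoint; a field that the stream declaration does not list, or that arrives as a string where the declaration says `int`, is the usual reason a column shows up empty in the SecurityEvent or Syslog table even though the POST returned 204.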