Merge pull request #49960 from KenMAG/main

Updated unit to use AMA and DCRs

Author: v-dirichards

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/3-collect-sysmon-event-logs.yml

@@ -4,8 +4,8 @@ title: Collect Sysmon event logs
 metadata:
   title: Collect Sysmon event logs
   description: "Collect Sysmon event logs"
-  ms.date: 08/16/2022
-  author: wwlpublish
+  ms.date: 04/10/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
 azureSandbox: false

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/includes/3-collect-sysmon-event-logs.md

@@ -1,25 +1,69 @@
 System Monitor (Sysmon) is a Windows system service, and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log once installed on a system. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
 
->[!Note]
->Installing and configuring Sysmon is out of the scope of this training.  Because Sysmon is a telemetry tool that many organizations use, it's essential to know how to configure the Log Analytics Agent and Workspace to collect the Sysmon events.
+ > [!NOTE]
+ > Installing and configuring Sysmon is out of the scope of this training. For more information on Sysmon, see [Sysinternals Sysmon](/sysinternals/downloads/sysmon).
 
-After connecting the Sysmon agent to the windows machine, perform the following to enable Microsoft Sentinel to query the logs:
+After connecting the Sysmon agent to the windows machine, you install the *Windows Forwarded Events* Content hub solution which includes the *Windows Forwarded Events* data connector. The data connector allows you to stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA). In the data connector configuration, you create *Data collection rules* (DCRs) to collect metrics and logs from the client operating system. Perform the following steps to create a DCR and enable Microsoft Sentinel to query the logs:
 
-1. Go to your Azure portal.
+## Install the solution
 
-1. Select **Log Analytics workspaces** from Azure services.
+Start by installing the solution that contains the data connector.
 
-1. Select your Log Analytics workspace for Sentinel.
+1. For Microsoft Sentinel in the Azure portal, under **Content management**, select **Content hub**. For Microsoft Sentinel in the Defender portal, select **Microsoft Sentinel** > **Content management** > **Content hub**.
 
-1. In the Settings area, select **Legacy agents management**.
+1. Search for and select **Windows Forwarded Events**.
 
-1. On, the Windows event logs tab select **+ Add windows event log**.
+1. On the details pane, select **Install**.
 
-1. In the **Add windows event log** search box, enter: *Microsoft-Windows-Sysmon/Operational*.  Sysmon isn't in the list by default.
+## Configure the data connector
 
-1. Then select the **Apply** button
+After the solution is installed, connect the data connector.
 
-This connection can also be made from within Sentinel under **Settings > Workspace settings > Legacy agents management**.  Once configured, the Sysmon events will be available in the Event table.  
+1. In the Microsoft Sentinel navigation menu expand **Configuration**,  and select **Data connectors**.
 
-:::image type="content" source="../media/sysmon.png" alt-text="Screenshot of Log Analytics Sysmon configuration." lightbox="../media/sysmon.png":::
+1. Select the **Windows Forwarded Events** Data connector.
 
+1. Select **+Create data collections rule**.
+
+    :::image type="content" source="../media/windows-forwarded-events.png" lightbox="../media/windows-forwarded-events.png" alt-text="Screenshot that shows the Basics tab for a new data collection rule.":::
+
+1. Fill in the following fields of the *Basic* tab:
+
+    | Setting | Description |
+    |:---|:---|
+    | **Rule Name** | A name for the DCR. The name should be something descriptive that helps you identify the rule. |
+    | **Subscription** | The subscription to store the DCR. The subscription doesn't need to be the same subscription as the virtual machines. |
+    | **Resource group** | A resource group to store the DCR. The resource group doesn't need to be the same resource group as the virtual machines. |
+
+1. Select **Next:Resources >**.
+
+1. In the *Resources* tab, expand the **Scope** column, and expand the Microsoft Azure subscription.
+
+1. Expand the resource group or groups, and select the virtual machines you want to connect to Microsoft Sentinel.
+
+1. Select the **Next: Collect >** button, and select **Custom** radio button.
+
+1. As an example, you can enter the following events log location (XPath format) to collect Sysmon events:
+
+     ```xml
+     Microsoft-Windows-Sysmon/Operational!*
+     ```
+
+1. Select the **Add** button to add the Sysmon events log location.
+
+1. Select the **Next: Review + create >** button, after validation passes, select **Create**.
+
+    :::image type="content" source="../media/sysmon-log-location.png" alt-text="Screenshot of Log Analytics Sysmon configuration." lightbox="../media/sysmon-log-location.png":::
+
+     > [!NOTE]
+     > At the end of this process, the Azure Monitor Agent is installed on any selected machines that don't already have the agent.
+
+1. After the DCR is created, select the **Refresh** button to see the rule. You can also edit or delete existing rules from the **Configuration** section of the connector page.
+
+This connector can use the Advanced Security Information Model (ASIM). Microsoft recommends that you use the ASIM normalization. For more information on ASIM, see [Advanced Security Information Model (ASIM)](/azure/sentinel/normalization).
+
+1. On the **Windows Forwarded Events** connector page, **Configuration** section, select the **Deploy** button.
+
+1. Fill-in the required fields of the **Custom deployment** ARM template, and select **Review + create**.
+
+1. When validation passes, select **Create**.

learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/index.yml

@@ -3,18 +3,18 @@ uid: learn.wwl.connect-windows-hosts-to-azure-sentinel
 metadata:
   title: Connect Windows hosts to Microsoft Sentinel
   description: "Connect Windows hosts to Microsoft Sentinel"
-  ms.date: 04/09/2025
+  ms.date: 04/11/2025
   author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel
 title: Connect Windows hosts to Microsoft Sentinel
-summary: One of the most common logs to collect is Windows security events.  Learn how Microsoft Sentinel makes this easy with the Security Events connector.
+summary: Two of the most common logs to collect are Windows security events and Sysmon. Learn how Microsoft Sentinel makes this easy with the Microsoft Windows Events data connectors.
 abstract: |
   Upon completion of this module, the learner is able to:
   - Connect Azure Windows Virtual Machines to Microsoft Sentinel
   - Connect non-Azure Windows hosts to Microsoft Sentinel
-  - Configure Log Analytics agent to collect Sysmon events
+  - Install and configure a data connector to collect Sysmon events
 prerequisites: |
   Basic knowledge of operational concepts such as monitoring, logging, and alerting.
 iconUrl: /training/achievements/connect-windows-hosts-to-azure-sentinel.svg