learn-pr/wwl-sci/connect-windows-hosts-to-azure-sentinel/includes/3-collect-sysmon-event-logs.md
Lines changed: 12 additions & 12 deletions
@@ -25,15 +25,15 @@ After the solution is installed, connect the data connector.
25
25
26
26
1. Select **+Create data collections rule**.
27
27
28
-
:::image type="content" source="../media/windows-forwarded-events.png" lightbox="../media/windows-forwarded-events.png" alt-text="Screenshot that shows the Basics tab for a new data collection rule.":::
28
+
:::image type="content" source="../media/windows-forwarded-events.png" lightbox="../media/windows-forwarded-events.png" alt-text="Screenshot that shows the Basics tab for a new data collection rule.":::
29
29
30
30
1. Fill in the following fields of the *Basic* tab:
31
31
32
-
| Setting | Description |
33
-
|:---|:---|
34
-
|**Rule Name**| A name for the DCR. The name should be something descriptive that helps you identify the rule. |
35
-
|**Subscription**| The subscription to store the DCR. The subscription doesn't need to be the same subscription as the virtual machines. |
36
-
|**Resource group**| A resource group to store the DCR. The resource group doesn't need to be the same resource group as the virtual machines. |
32
+
| Setting | Description |
33
+
|:---|:---|
34
+
|**Rule Name**| A name for the DCR. The name should be something descriptive that helps you identify the rule. |
35
+
|**Subscription**| The subscription to store the DCR. The subscription doesn't need to be the same subscription as the virtual machines. |
36
+
|**Resource group**| A resource group to store the DCR. The resource group doesn't need to be the same resource group as the virtual machines. |
37
37
38
38
1. Select **Next:Resources >**.
39
39
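Review bot: the removed and re-added lines in this hunk (the image directive at line 28 and the table at lines 32-36) are textually identical in the rendered view, so the change is whitespace or indentation only; the commit message should say so, and the rendered preview should confirm that the image and the table now nest under the step "1. Fill in the following fields of the *Basic* tab:" instead of terminating the numbered list. While here, the step text says *Basic* tab but the alt text on line 28 says "the Basics tab"; pick one spelling.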
@@ -45,18 +45,18 @@ After the solution is installed, connect the data connector.
45
45
46
46
1. As an example, you can enter the following events log location (XPath format) to collect Sysmon events:
47
47
48
-
```xml
49
-
Microsoft-Windows-Sysmon/Operational!*
50
-
```
48
+
```xml
49
+
Microsoft-Windows-Sysmon/Operational!*
50
+
```
51
51
52
52
1. Select the **Add** button to add the Sysmon events log location.
53
53
54
54
1. Select the **Next: Review + create >** button, after validation passes, select **Create**.
55
55
56
-
:::image type="content" source="../media/sysmon-log-location.png" alt-text="Screenshot of Log Analytics Sysmon configuration." lightbox="../media/sysmon-log-location.png":::
56
+
:::image type="content" source="../media/sysmon-log-location.png" alt-text="Screenshot of Log Analytics Sysmon configuration." lightbox="../media/sysmon-log-location.png":::
57
57
58
-
> [!NOTE]
59
-
> At the end of this process, the Azure Monitor Agent is installed on any selected machines that don't already have the agent.
58
+
> [!NOTE]
59
+
> At the end of this process, the Azure Monitor Agent is installed on any selected machines that don't already have the agent.
60
60
61
61
1. After the DCR is created, select the **Refresh** button to see the rule. You can also edit or delete existing rules from the **Configuration** section of the connector page.
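Review bot: the re-added fenced block (lines 48-50), image directive (line 56) and note callout (lines 58-59) carry the same content as the removed lines, so this hunk is an indentation-only change; state that in the commit message and verify in the preview that the fenced block and the `> [!NOTE]` callout still render inside the numbered step rather than breaking the list. Two smaller points on the same lines: `Microsoft-Windows-Sysmon/Operational!*` is an XPath channel filter, not an XML document, so a `text` fence tag would be more accurate than `xml`; and since `!*` selects every event in the Sysmon channel, the sentence on line 46 that introduces it as an example would benefit from a clause noting that production rules usually narrow the query to the event IDs actually needed. Line 54 also reads as a comma splice ("... button, after validation passes, select **Create**."); splitting it into two sentences would help.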