Microsoft Active Directory Certificate Services Event Logs

I recently published a blog post about how to enable Active Directory Certificate Services (ADCS) audit logs and send them to Microsoft Sentinel. To help others with this process, I created an Excel spreadsheet that lists all the relevant Event IDs and includes an XPath query for each event.
I posted these queries on my GitHub account. To collect Windows Security Events through Advanced Monitoring Agent (AMA), you need to create Data Collection Rules and specify one or more XPath queries. I wrote a script that reads these queries from an XML file and converts them for use in the Data Collection Rules.
This script reads all the events from my GitHub account and prints out the correct format for Microsoft Sentinel.
```powershell
# Fetch the XML QueryList of ADCS events from GitHub
$URL = "https://raw.githubusercontent.com/Kaidja/Azure-Sentinel/main/Data%20Collection%20Rules/ADCS-All-Events.xml"
$XPathContent = [XML](Invoke-WebRequest -Uri $URL).Content

# Each <Select> node carries the channel in its Path attribute and the XPath filter as text;
# a Data Collection Rule expects them joined as "<Channel>!<XPath>"
foreach($DCRXPath in $XPathContent.QueryList.Query.Select){
    -join ($DCRXPath.Path, '!', $DCRXPath.'#text')
}
```
ADCS XPath queries based on the different categories.
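The following is an added example, not the author's script, showing the same conversion over an inline QueryList and then emitting the windowsEventLogs fragment of a Data Collection Rule. The XML is a constructed sample in the QueryList/Query/Select layout the script above reads; the event IDs are standard ADCS audit events (4886 request received, 4887 approved, 4888 denied, 4898/4899/4900 template loaded/updated/security changed), and the data source name `adcsAuditEvents` is hypothetical.

```powershell
# Constructed sample QueryList (same layout as the ADCS-All-Events.xml the post refers to)
[xml]$SampleQueryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4886)]]</Select>
    <Select Path="Security">*[System[(EventID=4887 or EventID=4888)]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=4898 or EventID=4899 or EventID=4900)]]</Select>
    <Select Path="Security"></Select>
  </Query>
</QueryList>
"@

function ConvertTo-DcrXPathQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][xml]$QueryList
    )
    # Walk every <Select>; the channel comes from its Path attribute and the
    # XPath filter from its text. A DCR wants them joined as "<Channel>!<XPath>".
    foreach ($Select in $QueryList.SelectNodes('/QueryList/Query/Select')) {
        $Channel = $Select.GetAttribute('Path')
        $Filter  = $Select.InnerText.Trim()
        # Skip malformed entries instead of producing a broken "Security!" query
        if ([string]::IsNullOrWhiteSpace($Channel) -or [string]::IsNullOrWhiteSpace($Filter)) {
            Write-Warning "Skipping <Select> with an empty Path or filter"
            continue
        }
        '{0}!{1}' -f $Channel, $Filter
    }
}

# Deduplicate, since a DCR rejects nothing but silently double-collects repeated queries
$Queries = @(ConvertTo-DcrXPathQuery -QueryList $SampleQueryList | Select-Object -Unique)
$Queries

# Build the dataSources fragment of a DCR; property names follow the Azure DCR
# schema for windowsEventLogs, and Microsoft-SecurityEvent is the Sentinel
# Security Events stream used with AMA.
$DataSource = @{
    windowsEventLogs = @(
        @{
            name         = 'adcsAuditEvents'   # hypothetical data source name
            streams      = @('Microsoft-SecurityEvent')
            xPathQueries = $Queries
        }
    )
}
$DataSource | ConvertTo-Json -Depth 5
```

The empty `<Select>` in the sample exercises the guard: without it the loop would emit `Security!`, which the DCR API rejects when the rule is deployed. Pasting the printed JSON into the `dataSources` section of a DCR gives a rule that forwards only the ADCS audit events rather than the whole Security channel.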
Download the Excel spreadsheet
Summary
Are you looking to improve your organization's security and gain better visibility into potential threats? Contact me today and I can help you implement Microsoft Sentinel, a powerful security platform that uses artificial intelligence and machine learning to help you detect, investigate, and respond to security incidents.