Monitor Windows LAPS Events with Microsoft Sentinel

Windows Local Administrator Password Solution (LAPS) manages the password of the built-in local administrator account on domain-joined computers: it sets a unique password per machine, rotates it on a schedule and stores it in Active Directory, so that one leaked local administrator password cannot be reused across the estate. Because the solution runs unattended, you also need to know when it fails. In this blog post, we will create Data Collection Rules (DCRs) for Microsoft Sentinel that collect the Windows LAPS events from your environment, and use them to alert on failed password updates.

💡
If you're interested in implementing the new Windows LAPS but need some help getting started, don't hesitate to reach out for assistance.

Before you continue, read my previous blog posts:

Creating XPath queries for Windows LAPS

We will use a PowerShell script to create the XPath queries that collect the Windows LAPS events. The script downloads an XML file from my GitHub repository that lists the Windows LAPS Event IDs, one per <Select> element, and turns each entry into a line of the form Channel!XPath (for example Microsoft-Windows-LAPS/Operational!*[System[(EventID=10017)]]). That is the format the custom XPath option of a Data Collection Rule expects, so the output can be pasted into the DCR as-is.

💡
Keep in mind that it is not necessary to collect every event; focus on the Event IDs that are relevant to your environment. In this example, the XML file lists all available Windows LAPS Event IDs.

# XML file that lists the Windows LAPS Event IDs (one <Select> element per ID)
$LAPSEventIDs = "https://raw.githubusercontent.com/Kaidja/Microsoft-Sentinel/main/Data%20Collection%20Rules/LAPS-All-EventIDs.xml"

$DCRRules = @()
# Download the file and parse its content as XML
$XPathContent = [XML](Invoke-WebRequest -Uri $LAPSEventIDs -UseBasicParsing).Content
# Build one "Channel!XPath" line per <Select> element: the Path attribute is the
# event channel and the element text is the XPath expression
foreach($DCRXPath in $XPathContent.QueryList.Query.Select){
    $DCRRules += -join ($DCRXPath.Path, '!', $DCRXPath.'#text')
}
$DCRRules

The script produces the following output, one line per Event ID:

Microsoft-Windows-LAPS/Operational!*[System[(EventID=10003)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10004)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10005)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10021)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10022)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10023)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10018)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10029)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10020)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10031)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10041)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10042)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10043)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10044)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10033)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10066)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10017)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10015)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10009)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10055)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10052)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10011)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10054)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10057)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10016)]]

Windows LAPS XPath queries
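A typo in an XPath expression is only discovered after the DCR has been deployed and nothing shows up in Sentinel. The following PowerShell is an added example, not code from the original post or the GitHub repository: it builds the same Channel!XPath lines from an inline, constructed copy of the XML layout (only three of the Event IDs) and then runs every line through Get-WinEvent against the local Microsoft-Windows-LAPS/Operational channel, so an invalid expression or a wrong channel name is caught on a test client before the rule goes to Sentinel. The function names ConvertTo-DcrXPath and Test-DcrXPath are my own.

```powershell
# Added example (not from the original post): pre-flight check of "Channel!XPath"
# lines before they are pasted into a Data Collection Rule. Run it on a Windows
# LAPS client; reading the Operational channel may require an elevated prompt.

# Constructed sample in the same <QueryList> layout as the XML file the post
# downloads from GitHub; only a subset of the Event IDs is included here.
[xml]$SampleQueryList = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-LAPS/Operational">
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10004)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10005)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10017)]]</Select>
  </Query>
</QueryList>
"@

function ConvertTo-DcrXPath {
    # Builds the "Channel!XPath" lines the DCR custom collection option expects,
    # exactly as the post's script does: Path attribute, '!', element text.
    param([Parameter(Mandatory)][xml]$QueryList)
    foreach ($Select in $QueryList.QueryList.Query.Select) {
        '{0}!{1}' -f $Select.Path, $Select.'#text'
    }
}

function Test-DcrXPath {
    # Splits each DCR line back into channel and XPath and evaluates the XPath
    # against the local channel. Zero matches is fine (the event just has not
    # happened yet); a parse error or an unknown channel is reported as ERROR.
    param([Parameter(Mandatory)][string[]]$DcrXPath)
    foreach ($Line in $DcrXPath) {
        $Channel, $XPath = $Line -split '!', 2
        try {
            $Events = @(Get-WinEvent -LogName $Channel -FilterXPath $XPath -ErrorAction Stop)
            $Status = 'OK'
        }
        catch {
            $Events = @()
            # Get-WinEvent throws when a valid query matches nothing; treat that as OK
            if ($_.Exception.Message -like 'No events were found*') { $Status = 'OK' }
            else { $Status = "ERROR: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Channel = $Channel
            XPath   = $XPath
            Matches = $Events.Count
            Status  = $Status
        }
    }
}

$DcrLines = ConvertTo-DcrXPath -QueryList $SampleQueryList
Test-DcrXPath -DcrXPath $DcrLines | Format-Table -AutoSize
```

To check the real file, replace $SampleQueryList with the parsed download from the post's script. A line that reports ERROR should never be pasted into the DCR; a line that reports OK with zero matches only means the event has not been written on that client yet.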

Configuring Sentinel

To configure Microsoft Sentinel to collect the Windows LAPS events, follow these steps:

  • Sign in to the Azure portal.
  • Navigate to Microsoft Sentinel -> Data connectors.
  • Locate and open the "Windows Security Events via AMA" data connector.
  • Click the "+Create data collection rule" button.
  • On the Basics page, enter the following information:
    • Rule Name: Windows-LAPS-Event-IDs
    • Subscription
    • Resource Group
  • On the Resources page, select the Azure Arc-connected servers that should send LAPS events.
  • On the Collect page, select Custom.
  • Paste the line for Event ID 10017 from the script output (Microsoft-Windows-LAPS/Operational!*[System[(EventID=10017)]]) into the XPath field and click Add. The DCR in this example collects only that one event; add one line per Event ID if you want more of them.
  • Click Next.
  • Review the configuration and click Create.

Once the Data Collection Rule has been deployed, allow some time for the Azure Monitor Agent on the Azure Arc-connected servers to pick it up. Keep in mind that the agent only forwards events written after the rule is applied, so nothing appears until Windows LAPS next processes policy on one of those servers. Then open Logs in your Sentinel workspace and run the following KQL query; it shows how many events of each Event ID have been collected:

// Count the collected Windows LAPS events per Event ID
SecurityEvent
| where Channel == "Microsoft-Windows-LAPS/Operational"
| summarize count() by EventID

Once you see the data in Sentinel, proceed to create an Analytics Rule that raises an incident whenever Event ID 10017 is collected. Keep in mind that Event ID 10017 means Windows LAPS could not write the new password to Active Directory; the usual cause is insufficient delegated permissions on the computer's organizational unit, but the same event is logged for other problems in your environment, so check the event message text during triage before concluding that permissions are the cause.

Incident in Sentinel: LAPS failed to update Active Directory with the new password

Summary

In this blog post, we have explored how to create Data Collection Rules (DCRs) for Microsoft Sentinel that collect Windows LAPS events from your domain-joined computers. By following the outlined steps, you can configure Sentinel to gather the relevant Event IDs and alert on failed local administrator password updates before they turn into a security incident. Remember to review the earlier blog posts on Windows LAPS for a comprehensive understanding of the solution.