Monitor Windows LAPS Events with Microsoft Sentinel

Windows Local Administrator Password Solution (LAPS) is a crucial security feature that helps organizations manage local administrator passwords for their domain-joined computers. In this blog post, we will explore how to create Data Collection Rules (DCRs) for Sentinel that will collect LAPS events from your environment.
Before you continue, read my previous blog posts:
- Introducing the New and Improved Windows LAPS: Local Administrator Password Solution (kaidojarvemets.com)
- Windows LAPS PowerShell Commands (kaidojarvemets.com)
- Windows LAPS EventIDs and XPath Queries (kaidojarvemets.com)
- Windows LAPS - New Group Policy Settings (kaidojarvemets.com)
- How to Update the Windows Server Active Directory Schema for the Latest Version of Windows LAPS (kaidojarvemets.com)
Creating XPath queries for Windows LAPS
We will use a PowerShell script to generate the XPath queries that collect Windows LAPS events. The script downloads a list of Event IDs from an XML file (a standard Event Viewer QueryList) stored in my GitHub repository and turns each one into the "Channel!XPath" form that the Data Collection Rules for Microsoft Sentinel expect.
# Event Viewer QueryList with one <Select> element per LAPS Event ID
$LAPSEventIDs = "https://raw.githubusercontent.com/Kaidja/Microsoft-Sentinel/main/Data%20Collection%20Rules/LAPS-All-EventIDs.xml"
$DCRRules = @()
# Download the XML and parse it into an XmlDocument
$XPathContent = [XML](Invoke-WebRequest -Uri $LAPSEventIDs -UseBasicParsing).Content
# Each <Select Path="...">XPath</Select> becomes "Path!XPath", the format the DCR custom collection page accepts
foreach($DCRXPath in $XPathContent.QueryList.Query.Select){
$DCRRules += -join ($DCRXPath.Path, '!', $DCRXPath.'#text')
}
$DCRRules
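The following PowerShell is an added example, not the original post's script. It works offline on an embedded QueryList (a constructed sample containing a subset of the Event IDs listed below), merges the single-ID queries into combined "EventID=a or EventID=b" queries so that they fit within the per-DCR cap on custom XPath queries (Azure Monitor allowed 20 per Data Collection Rule at the time of writing, and the full LAPS list has 25 IDs), and validates each generated query locally with Get-WinEvent before it is pasted into the portal. The function names are my own; the `-FilterXPath` parameter of Get-WinEvent is what the Azure Monitor agent's XPath syntax is modelled on, so a query that Get-WinEvent rejects will not work in the DCR either.

```powershell
# Added example (not the original post's script). Constructed sample QueryList with
# a subset of the LAPS Event IDs; replace with the full XML from GitHub in production.
$SampleQueryList = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-LAPS/Operational">
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10003)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10004)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10017)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10018)]]</Select>
    <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10021)]]</Select>
  </Query>
</QueryList>
'@

function ConvertTo-DcrXPathQuery {
    # Turn every <Select> element into "Channel!XPath", the form the DCR custom page expects.
    param([Parameter(Mandatory)][xml]$QueryList)
    foreach ($select in $QueryList.QueryList.Query.Select) {
        '{0}!{1}' -f $select.Path, $select.'#text'
    }
}

function Merge-DcrXPathQuery {
    # Collapse single-EventID queries for the same channel into
    # "*[System[(EventID=a or EventID=b ...)]]" queries of at most $MaxIdsPerQuery IDs.
    # Azure Monitor caps custom XPath queries per DCR (20 at the time of writing),
    # so 25 separate LAPS queries would not fit in one rule.
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [int]$MaxIdsPerQuery = 10
    )
    $byChannel = @{}
    foreach ($q in $Query) {
        $channel, $xpath = $q -split '!', 2
        if ($xpath -match '^\*\[System\[\(EventID=(\d+)\)\]\]$') {
            if (-not $byChannel.ContainsKey($channel)) { $byChannel[$channel] = @() }
            $byChannel[$channel] += $Matches[1]
        } else {
            # Not a simple single-ID query: pass it through untouched.
            $q
        }
    }
    foreach ($channel in ($byChannel.Keys | Sort-Object)) {
        $ids = @($byChannel[$channel])
        for ($i = 0; $i -lt $ids.Count; $i += $MaxIdsPerQuery) {
            $end = [Math]::Min($i + $MaxIdsPerQuery, $ids.Count) - 1
            $clause = ($ids[$i..$end] | ForEach-Object { "EventID=$_" }) -join ' or '
            '{0}!*[System[({1})]]' -f $channel, $clause
        }
    }
}

function Test-DcrXPathQuery {
    # Run each query against the local event log. "No events were found" is still a
    # syntactically valid query; a malformed XPath raises a different error.
    param([Parameter(Mandatory)][string[]]$Query)
    foreach ($q in $Query) {
        $channel, $xpath = $q -split '!', 2
        try {
            $n = @(Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 50 -ErrorAction Stop).Count
            [pscustomobject]@{ Query = $q; Valid = $true; Matched = $n; Error = $null }
        } catch {
            $ok = $_.Exception.Message -like '*No events were found*'
            [pscustomobject]@{ Query = $q; Valid = $ok; Matched = 0; Error = $_.Exception.Message }
        }
    }
}

$single = ConvertTo-DcrXPathQuery -QueryList ([xml]$SampleQueryList)
$merged = Merge-DcrXPathQuery -Query $single
$merged
# On a LAPS-enabled, domain-joined host, validate before pasting into the DCR:
# Test-DcrXPathQuery -Query $merged | Format-Table -AutoSize
```

With the sample above, `$merged` is a single query covering all five IDs with `or`; with the full 25-ID list and the default of 10 IDs per query it yields three queries, well under the per-DCR cap. Run `Test-DcrXPathQuery` on a host that actually has the Microsoft-Windows-LAPS/Operational channel (a LAPS-enabled Windows client or member server), since Get-WinEvent reports a missing channel as an error rather than as "no events".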

The script produces the following output, one query per Event ID in the order the IDs appear in the XML file:
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10003)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10004)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10005)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10021)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10022)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10023)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10018)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10029)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10020)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10031)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10041)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10042)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10043)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10044)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10033)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10066)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10017)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10015)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10009)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10055)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10052)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10011)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10054)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10057)]]
Microsoft-Windows-LAPS/Operational!*[System[(EventID=10016)]]
Configuring Sentinel
To configure Microsoft Sentinel to collect the Windows LAPS events, follow these steps:
- Sign in to the Azure portal.
- Navigate to Microsoft Sentinel -> Data connectors.
- Locate and click on the "Windows Security Events via AMA" data connector.
- Click on the "+Create data collection rule" button.
- On the Basics page, enter the following information:
  - Rule Name: Windows-LAPS-Event-IDs
  - Subscription
  - Resource Group
- On the Resources page, select the Azure Arc-connected servers.
- On the Collect page, select Custom.
- Paste the Event ID 10017 XPath query from the output above and click Add.
- Click Next.
- Review the configuration and click Create.

Once the Data Collection Rule has been deployed, allow some time for the Azure Monitor agent to pick up the rule and forward events. Then open Logs in Microsoft Sentinel, scope the query to one of your Azure Arc-connected nodes, and run the following query. It shows how many events have been collected per Event ID:
SecurityEvent
| summarize count () by EventID

Once you see the data in Sentinel, create an Analytics Rule for it. Keep in mind that Event ID 10017 (LAPS failed to update Active Directory with the new password) usually means the computer account lacks the delegated permissions in Active Directory to write its password attributes, but it can also be caused by other issues in your environment, so the alert is a starting point for investigation rather than a confirmed attack.
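The following is an added example, not part of the original post, that creates the scheduled Analytics Rule for Event ID 10017 from PowerShell instead of the portal. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules are installed and `Connect-AzAccount` has been run; the resource group and workspace names are placeholders. The query first runs as a preview with `Invoke-AzOperationalInsightsQuery` so you can confirm the DCR is delivering LAPS events before the rule goes live. Filtering on `Channel` is my addition: SecurityEvent also carries events from other channels collected through the same connector, and the Channel column is what tells a LAPS 10017 apart from any other provider that happens to reuse that Event ID.

```powershell
# Added example (not from the original post). Placeholders: replace with your own names.
$ResourceGroupName = 'rg-sentinel'
$WorkspaceName     = 'law-sentinel'

# Detection query. Channel narrows SecurityEvent to the LAPS operational log;
# summarize by Computer so one incident per host is raised, not one per event.
$Query = @'
SecurityEvent
| where Channel == "Microsoft-Windows-LAPS/Operational"
| where EventID == 10017
| summarize FailureCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by Computer
| project Computer, FailureCount, FirstSeen, LastSeen
'@

# 1. Preview: confirm the DCR is actually delivering LAPS events before creating the rule.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$preview   = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
                                               -Query $Query `
                                               -Timespan (New-TimeSpan -Days 7)
$preview.Results | Format-Table -AutoSize

# 2. Create the scheduled rule: runs hourly over the last hour and fires on any match.
$rule = New-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName `
    -Scheduled `
    -DisplayName 'LAPS failed to update Active Directory with the new password' `
    -Description 'Windows LAPS Event ID 10017: the client could not write its new password to AD. Check delegated permissions on the OU first.' `
    -Severity Medium `
    -Query $Query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan `
    -TriggerThreshold 0 `
    -Enabled

$rule | Select-Object Name, DisplayName, Enabled
```

Keep the query period equal to the frequency (one hour each here) so that every failure is evaluated exactly once; a longer period than frequency re-alerts on the same events, which for a misconfiguration that persists until someone fixes the OU delegation quickly turns into noise.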

Figure: Incident in Sentinel: LAPS failed to update Active Directory with the new password

Summary
In this blog post, we have explored how to create Data Collection Rules (DCRs) for Microsoft Sentinel to effectively monitor and collect Windows LAPS events from your domain-joined computers. By following the outlined steps, you can configure Sentinel to gather crucial information and help you detect potential security incidents related to local administrator passwords. Remember to review the earlier blog posts on Windows LAPS for a comprehensive understanding of the solution.