Microsoft Sentinel is Microsoft's cloud-native SIEM/SOAR. It is used to collect, correlate and evaluate logs.
If you choose to collect security logs from Windows Server, Microsoft Sentinel can collect predefined log sets using the built-in settings. By default, you have the option to select from the predefined sets All Security Events, Common, or Minimal.
Built-in sets of Event IDs in Microsoft Sentinel Data Collection Rules
Microsoft has described in its documentation which Event ID belongs to which group.
All events
All Windows security and AppLocker events.
Common events
A standard set of events for auditing purposes. A full user audit trail is included in this set. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices.
The Common event set may contain some types of events that aren’t so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.
Collected Event IDs
1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004
Minimal
A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence. For example, it contains successful and failed user logons (event IDs 4624, 4625), but it doesn’t contain sign-out information (4634) which, while important for auditing, is not meaningful for breach detection and has relatively high volume. Most of the data volume of this set consists of sign-in events and process creation events (event ID 4688).
Collected Event IDs
1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222
How to collect custom Event IDs to Microsoft Sentinel
However, if you need to collect some custom Event IDs that do not belong to the above built-in categories, or simply want your own set of Event IDs to collect, you can define your own Event IDs using XPath queries.
XPath (XML Path Language) is a query language used for selecting nodes from an XML document. It allows you to navigate through elements and attributes in XML documents, making it a powerful tool for extracting specific pieces of information. XPath is commonly used in combination with XML parsers to filter and locate data based on complex conditions.
How to create XPath queries
XPath entries are written in the form LogName!XPathQuery. For example, you might want to return only events from the Application event log with an event ID of 1035. The XPathQuery for these events would be *[System[EventID=1035]]. Because you want to retrieve the events from the Application event log, the full XPath entry is Application!*[System[EventID=1035]].
XPath queries can also be retrieved easily from Event Viewer on Windows. Open Event Viewer (eventvwr.msc), expand Windows Logs and open the log that contains the Event IDs you want to collect.
Collect custom Event ID 36871
Let's say that you want to collect Event ID 36871 ("A fatal error occurred while creating a TLS client credential"), for example to track errors related to the TLS changes in Microsoft Azure. This Event ID is written to the System log and does not belong to any of the built-in sets, so we need to create a custom XPath query for it.
In Windows Event Viewer, expand Windows Logs and open System. On the right side, click on Filter current log.

In the filter, fill in the Event ID 36871 and switch to the XML tab at the top. The XML view shows the XPath query that you also need in Microsoft Sentinel.


In Microsoft Sentinel, go to Data connectors and open Windows Security Events via AMA. Click on Create data collection rule.

Fill in the data collection rule name. On the Resources tab, select the resources you want this rule to apply to. On the Collect tab, select Custom, paste the XPath query System!*[System[EventID=36871]] there and click Add.

Finish the DCR wizard. You are now collecting logs with the specified Event ID from the selected resources.
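The wizard above produces a data collection rule resource behind the scenes. As an added example (not code from the original post or from Microsoft), the following PowerShell function builds the equivalent DCR definition as JSON so the same rule can be created from a script or pipeline instead of by clicking through the portal. It assumes the documented Azure Monitor layout for a windowsEventLogs data source (a name, a list of streams and a list of xPathQueries, delivered to a Log Analytics destination through a dataFlow); the stream name Microsoft-Event sends System and Application events to the Event table, while the Sentinel security connector uses Microsoft-SecurityEvent. The workspace resource ID and rule name are placeholders you must replace.

```powershell
# Added example, not the post's or Microsoft's code: build a DCR body for custom Windows
# Event IDs. The JSON layout follows the documented windowsEventLogs data source (assumption).
function New-WindowsEventDcrBody {
    param(
        [Parameter(Mandatory)][string]$Location,             # Azure region of the DCR
        [Parameter(Mandatory)][string]$WorkspaceResourceId,  # target Log Analytics workspace
        [Parameter(Mandatory)][string[]]$XPathQueries,       # entries in the form LogName!XPathQuery
        [string]$Stream = 'Microsoft-Event'                  # Event table; security connector uses Microsoft-SecurityEvent
    )

    # Reject entries that lack the LogName! prefix before they reach Azure
    foreach ($q in $XPathQueries) {
        if ($q -notmatch '^[^!]+!.+$') {
            throw "XPath entry '$q' must be written as LogName!XPathQuery"
        }
    }

    $body = [ordered]@{
        location   = $Location
        properties = [ordered]@{
            dataSources = [ordered]@{
                windowsEventLogs = @(
                    [ordered]@{
                        name         = 'customWindowsEvents'
                        streams      = @($Stream)
                        xPathQueries = $XPathQueries
                    }
                )
            }
            destinations = [ordered]@{
                logAnalytics = @(
                    [ordered]@{
                        name                = 'sentinelWorkspace'
                        workspaceResourceId = $WorkspaceResourceId
                    }
                )
            }
            # Route the collected stream to the workspace destination
            dataFlows = @(
                [ordered]@{ streams = @($Stream); destinations = @('sentinelWorkspace') }
            )
        }
    }
    $body | ConvertTo-Json -Depth 10
}

# Usage: the TLS credential error from the post plus a second System event (constructed list).
# <SUBSCRIPTION-ID>, <RG> and <WORKSPACE> are placeholders.
$json = New-WindowsEventDcrBody -Location 'westeurope' `
    -WorkspaceResourceId '/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE>' `
    -XPathQueries @('System!*[System[EventID=36871]]', 'System!*[System[EventID=36874]]')
Set-Content -Path .\dcr-tls-errors.json -Value $json -Encoding utf8
```

The resulting file can be deployed with an ARM template or with az monitor data-collection rule create --rule-file, after which the rule still has to be associated with the VMs (the Resources tab of the wizard) before any events flow.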
Testing XPath queries with PowerShell
If you want to make sure that the XPath query is valid, you can test it via PowerShell. Note that Get-WinEvent takes the log name as a separate parameter, so the LogName! prefix used in the DCR is left off and only the XPath part is passed to -FilterXPath:
# The "System!" prefix belongs to DCR syntax only; Get-WinEvent needs -LogName plus the bare XPath
Get-WinEvent -LogName System -FilterXPath '*[System[EventID=36871]]'
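To validate a whole list of DCR entries at once, here is an added PowerShell example (not from the original post) that covers both the LogName!XPathQuery form described earlier and the local test with Get-WinEvent. It splits each entry into its log name and XPath part, runs the query, and distinguishes a syntactically valid query that simply matches nothing from a bad log name or malformed XPath. It also goes beyond the single-ID case in the post by building an entry that matches several Event IDs with the same "or" syntax Event Viewer generates. The function names, the sample entry list and the deliberately wrong log name are constructed for the example; run it on a Windows host, elevated if you want to query the Security log.

```powershell
# Added example, not the post's code: test DCR-style XPath entries locally with Get-WinEvent.

function New-DcrXPathEntry {
    # Build LogName!*[System[(EventID=a or EventID=b)]] for several Event IDs.
    # Event Viewer's XML view emits the same "or" form, and the DCR accepts it.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$EventId
    )
    $clause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    "$LogName!*[System[($clause)]]"
}

function Test-DcrXPathEntry {
    # Validate one entry of the form LogName!XPathQuery against the local event logs.
    param(
        [Parameter(Mandatory)][string]$Entry,
        [int]$MaxEvents = 5
    )

    # Split on the first '!' only; Get-WinEvent wants the log name and XPath separately
    $parts = $Entry.Split('!', 2)
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[0])) {
        return [pscustomobject]@{ Entry = $Entry; Valid = $false; Matches = 0; Error = 'Not in the form LogName!XPathQuery' }
    }
    $logName = $parts[0]
    $xpath   = $parts[1]

    try {
        # -ErrorAction Stop makes "no events found" and invalid queries catchable
        $events = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop)
        [pscustomobject]@{ Entry = $Entry; Valid = $true; Matches = $events.Count; Error = $null }
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            # The query parsed and the log exists; it just has no matching events right now
            [pscustomobject]@{ Entry = $Entry; Valid = $true; Matches = 0; Error = $null }
        }
        else {
            # Unknown log name, malformed XPath, or access denied
            [pscustomobject]@{ Entry = $Entry; Valid = $false; Matches = 0; Error = $_.Exception.Message }
        }
    }
}

# Constructed list of entries: the post's TLS error, a multi-ID Security entry,
# the Application example from earlier, and a bogus log name that must fail.
$entries = @(
    'System!*[System[EventID=36871]]',
    (New-DcrXPathEntry -LogName 'Security' -EventId 4624, 4625),
    'Application!*[System[EventID=1035]]',
    'NoSuchLog!*[System[EventID=1]]'
)

$entries | ForEach-Object { Test-DcrXPathEntry -Entry $_ } | Format-Table -AutoSize
```

An entry that reports Valid = $true with Matches = 0 is safe to paste into the DCR; it simply has not fired on this host yet. An entry with Valid = $false should be corrected before it goes into the rule, because the agent will silently collect nothing for it.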