Creating Data Collection Rule in Azure Sentinel.

Question

Creating Data Collection Rule in Azure Sentinel.

Renat Khamzin 21

Hi there.

Several days I'm trying to create Data Collection Rule to collect only specified events from event viewer.
If I specify in the DCR to collect All Security Events then I can see that logs are received and I can query/filter Logs and see Microsoft-Windows-WLAN-AutoConfig/Operational!*[System[EventID=8001]] events.

But the task is to collect not all Security Events but only events with event id 8001 from Microsoft-Windows-WLAN-AutoConfig/Operational (it is required to decrease the size of injected data).

The question is what/how I should write filter in the Edit DCR wizard in the Collect part when I choose Custom?
If I write Microsoft-Windows-WLAN-AutoConfig/Operational!*[System[EventID=8001]] then I stop to received any logs at all.

Thank you in advance for your assistance sentinel_DCR

Swaroop Kolli 3,345 Reputation points Microsoft External Staff Moderator

2025-07-28T23:37:17.7966667+00:00

Hello @Renat Khamzin,

Following up to check if you had a chance to review the provided details. If you have any questions or query, please do let us know.
Swaroop Kolli 3,345 Reputation points Microsoft External Staff Moderator

2025-07-29T23:43:48.88+00:00

Hello @Renat Khamzin,

Following up to check if you had a chance to review the provided details. If you have any questions or query, please do let us know.

2 answers

Your answer

Swaroop Kolli 3,345 Reputation points Microsoft External Staff Moderator

2025-07-28T23:37:17.7966667+00:00

Hello @Renat Khamzin,

Following up to check if you had a chance to review the provided details. If you have any questions or query, please do let us know.
Swaroop Kolli 3,345 Reputation points Microsoft External Staff Moderator

2025-07-29T23:43:48.88+00:00

Hello @Renat Khamzin,

Following up to check if you had a chance to review the provided details. If you have any questions or query, please do let us know.

Answer 1

Hello @Renat Khamzin,

As per my understanding, you're trying to configure a Data Collection Rule (DCR) to collect only Event ID 8001 from the Microsoft-Windows-WLAN-AutoConfig/Operational log, but your current XPath filter seems to block all logs.

The query you are using is-

Microsoft-Windows-WLAN-AutoConfig/Operational!*[System[EventID=8001]]

Can you please make a small modification to the query and try to use this-

Microsoft-Windows-WLAN-AutoConfig/Operational!*[System[(EventID=8001)]]

Please let us know if this worked or else we can troubleshoot further.

Answer 2

EduardsGrebezs 941

Hi,

To collect specific XPath Query from your machine.

Have Azure Arc installed (if not Azure Machine),
Select it as resource,
For collection use this syntax as your has errors - Microsoft-Windows-WLAN-AutoConfig/Operational!*[System[(EventID=8001)]]

Share via

Creating Data Collection Rule in Azure Sentinel.

2 answers

Your answer