The planned change specifies that you must configure a Data Collection Rule (DCR) to collect only system events with Event ID 4648 from VM2 and VM4.
A Data Collection Rule (DCR) in Azure Monitor defines which data the Azure Monitor Agent collects from a resource, how that data is filtered or transformed, and where it is sent (for example, a Log Analytics workspace). Two different query languages meet in this setup: the collection filter for a Windows event log data source inside the DCR is written as an XPath query, while Kusto Query Language (KQL) is used to query the collected data in Azure Monitor Logs and, optionally, for an ingestion-time transformation (transformKql) in the DCR's data flow.
From the Microsoft Learn: Azure Monitor Logs Documentation:
“Log queries in Azure Monitor are written in Kusto Query Language (KQL), the same query language used by Azure Data Explorer.”
The Azure Monitor Agent documentation for Windows event data sources describes the collection filter differently: events are selected with an XPath query of the form Channel!*[System[(EventID=N)]], which the agent evaluates on the VM before anything is sent to the workspace.
The four languages named in the question, and where each does or does not apply:
XPath – the filter language for Windows event log data sources in a DCR. Event ID 4648 (a logon was attempted using explicit credentials) is written to the Security log, so the filter is Security!*[System[(EventID=4648)]].
KQL (Kusto Query Language) – used to query the data once it is in the Log Analytics workspace, and for an optional transformKql in the DCR data flow; it is not the collection filter.
WQL (WMI Query Language) – used for WMI queries on Windows; not accepted in a DCR.
T-SQL (Transact-SQL) – used for SQL Server and Azure SQL Database; not used for monitoring data.
Therefore, configuring DCR1 to collect only Event ID 4648 means writing an XPath query in the rule's Windows event log data source. Limiting collection to VM2 and VM4 is done by associating the DCR with those two VMs (one data collection rule association per VM), not by a filter in the query: a DCR collects from every resource it is associated with.
Once events are flowing, KQL is what you use in Log Analytics to verify the collection. Which table to query depends on the stream in the DCR: the generic Microsoft-Event stream lands in the Event table, while the SecurityEvent table is populated by the Microsoft-SecurityEvent stream used by the Microsoft Sentinel / Defender security events connector. For the SecurityEvent table:
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4648
| where Computer in ("VM2", "VM4")   // Computer is often an FQDN; use startswith "VM2" if so
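The following Python is an added example, not code from the original page or from Microsoft: it builds the DCR pieces described above so the three moving parts are visible side by side. windows_event_xpath assembles the XPath collection filter from a channel and one or more Event IDs (Security and 4648 for this requirement); build_dcr returns the ARM resource body of a DCR with a Windows event log data source, a Log Analytics destination and a data flow, with an optional transformKql to show the one place KQL appears inside a DCR; build_associations produces one data collection rule association per VM, which is what scopes the rule to VM2 and VM4. The workspace, VM and DCR resource IDs in the usage block are constructed placeholders, and the data source and destination names (win-events, law) are arbitrary choices.

```python
"""Assemble a Data Collection Rule that collects one Windows Event ID via XPath."""
import json
import re
from typing import Iterable, Optional

# Windows channel names the agent accepts in the "<Channel>!*[System[...]]" form.
_CHANNEL_RE = re.compile(r"^[A-Za-z0-9 _\-/]+$")


def windows_event_xpath(channel: str, event_ids: Iterable[int]) -> str:
    """Return a DCR-compatible XPath filter for one channel and one or more Event IDs.

    Event ID 4648 is written to the Security log, so the filter for the
    requirement on this page is windows_event_xpath("Security", [4648]).
    """
    if not _CHANNEL_RE.match(channel):
        raise ValueError(f"invalid channel name: {channel!r}")
    ids = sorted({int(i) for i in event_ids})  # de-duplicate, stable order
    if not ids or any(i < 0 or i > 65535 for i in ids):
        raise ValueError("Event IDs must be non-empty and within 0..65535")
    predicate = " or ".join(f"EventID={i}" for i in ids)
    return f"{channel}!*[System[({predicate})]]"


def build_dcr(
    workspace_resource_id: str,
    xpaths: Iterable[str],
    stream: str = "Microsoft-Event",
    location: str = "eastus",
    transform_kql: Optional[str] = None,
) -> dict:
    """Return the ARM body of a DCR whose Windows event data source uses `xpaths`.

    The stream decides the destination table (Microsoft-Event -> Event).
    transformKql is the only place KQL appears in a DCR: it runs at ingestion,
    after the XPath filter has already decided which events leave the VM.
    """
    flow = {"streams": [stream], "destinations": ["law"]}
    if transform_kql:
        flow["transformKql"] = transform_kql
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "windowsEventLogs": [
                    {"name": "win-events", "streams": [stream], "xPathQueries": list(xpaths)}
                ]
            },
            "destinations": {
                "logAnalytics": [{"name": "law", "workspaceResourceId": workspace_resource_id}]
            },
            "dataFlows": [flow],
        },
    }


def build_associations(dcr_id: str, vm_resource_ids: Iterable[str]) -> list:
    """Return one data collection rule association per VM.

    Associations, not a Computer filter in a query, are what limit collection
    to the intended machines.
    """
    return [
        {
            "name": f"dcra-{vm.rsplit('/', 1)[-1].lower()}",
            "scope": vm,
            "properties": {"dataCollectionRuleId": dcr_id},
        }
        for vm in vm_resource_ids
    ]


if __name__ == "__main__":
    # Constructed placeholder resource IDs (not from any real subscription).
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
    law = f"{sub}/providers/Microsoft.OperationalInsights/workspaces/law1"
    vms = [f"{sub}/providers/Microsoft.Compute/virtualMachines/{n}" for n in ("VM2", "VM4")]

    xpath = windows_event_xpath("Security", [4648])
    dcr = build_dcr(law, [xpath])
    print(json.dumps(dcr, indent=2))
    print(json.dumps(build_associations(f"{sub}/providers/Microsoft.Insights/dataCollectionRules/DCR1", vms), indent=2))
```

The JSON that build_dcr returns is the shape accepted by the Microsoft.Insights/dataCollectionRules resource body (for example via `az monitor data-collection rule create --rule-file`), and each association body targets one VM's resource ID; the KQL shown earlier on this page is then run against the workspace to confirm that only 4648 arrives.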
This aligns with the Azure Monitor and Log Analytics query methodology covered in AZ-104 official exam guide (Implement and manage monitoring).