Forum Discussion
AMA on client devices
We have followed the guidance outlined below to get AMA installed and working on a few test client devices and they are sending logs to the Event table in our Sentinel workspace.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
The problem we face is with the Windows Security Events via AMA connector. Is there a supported way to get client devices to populate security events into the SecurityEvent table? I see the events in the 'Event' table but not the SecurityEvent table. It seems like the Sentinel security events connector only sees DCRs that are created in Sentinel; it does not see the DCRs that are created outside of Sentinel. Is that a bug or by design?
Any guidance is appreciated. We have had data in SecurityEvent from client devices via MMA for a few years and expected to be able to continue to ingest them properly via AMA.
2 Replies
- Sidra_Raza (Brass Contributor): Create another DCR for testing from Security Events via AMA connector page.
- OneOfMany (Copper Contributor): Thanks Sidra_Raza, I was able to get this working by adding a new DCR in Sentinel and then associating that DCR with the tenant monitoring object. One DCR for security events, one for regular events. Seems to be working properly now.
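
Added example, not part of the thread or of any Microsoft tooling: a check over an exported DCR definition that reports which Log Analytics table each Windows event log source feeds, and flags Security-channel queries that would land outside SecurityEvent. It assumes the usual stream-to-table mapping (`Microsoft-Event` to Event, `Microsoft-SecurityEvent` to SecurityEvent); both DCR fragments, their names and the destination name are constructed samples.

```python
# Assumed mapping of DCR Windows event streams to workspace tables.
STREAM_TABLE = {
    "Microsoft-Event": "Event",
    "Microsoft-SecurityEvent": "SecurityEvent",
}

# Constructed sample: a DCR built outside Sentinel that also collects the Security channel.
DCR_OUTSIDE_SENTINEL = {"properties": {
    "dataSources": {"windowsEventLogs": [{
        "name": "clientEvents",
        "streams": ["Microsoft-Event"],
        "xPathQueries": ["Security!*[System[(EventID=4624)]]",
                         "System!*[System[(Level=1 or Level=2)]]"]}]},
    "dataFlows": [{"streams": ["Microsoft-Event"], "destinations": ["la-workspace"]}]}}

# Constructed sample: the shape of a DCR created from the Sentinel connector page.
DCR_FROM_CONNECTOR = {"properties": {
    "dataSources": {"windowsEventLogs": [{
        "name": "securityEvents",
        "streams": ["Microsoft-SecurityEvent"],
        "xPathQueries": ["Security!*"]}]},
    "dataFlows": [{"streams": ["Microsoft-SecurityEvent"], "destinations": ["la-workspace"]}]}}


def tables_fed_by_dcr(dcr):
    """Return {table: [xPath queries]} for the windowsEventLogs sources of a DCR."""
    props = dcr.get("properties", {})
    # Only streams named in a dataFlow are actually sent to a destination.
    routed = {s for flow in props.get("dataFlows", []) for s in flow.get("streams", [])}
    result = {}
    for src in props.get("dataSources", {}).get("windowsEventLogs", []):
        for stream in src.get("streams", []):
            if stream not in routed:
                continue  # declared on the source but never routed anywhere
            table = STREAM_TABLE.get(stream, "unknown:" + stream)
            result.setdefault(table, []).extend(src.get("xPathQueries", []))
    return result


def security_log_misrouted(dcr):
    """True when a Security-channel query lands in a table other than SecurityEvent."""
    for table, queries in tables_fed_by_dcr(dcr).items():
        if table != "SecurityEvent" and any(q.startswith("Security!") for q in queries):
            return True
    return False
```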