How to view security event logs for AMA agents for windows.

Question

there is nothing coming up in sentinel with query SecurityEvent.

AMA connector says "Disconnected" however i created DCR from log analytic workspace => Agent management.( all are azure virtual machines ) so i believe ARC is not required.

Connector "Security Events via Legacy Agent" shows connected automatically , not the "Windows Security Events via AMA"

Rod_Trent

clive_watson · Answer

Victor1989&nbsp;&nbsp;Have you enabled that connector, and see the DCR listed?&nbsp;&nbsp;&nbsp;

victor1989 · Answer

i have created DCR rules through Log Analytic workspaces==&gt; agent management

clive_watson · Answer

Victor1989&nbsp;Is the DCR listed, I don't have any but if I did, they would be below?&nbsp; If they are not here then we know Sentinel is unable to see them, may they're aligned to another workspace or RG?&nbsp;

victor1989 · Answer

Clive_Watson&nbsp;they are not listed&nbsp;but they are there in correct subscription / RG though agent management&nbsp;&nbsp;&nbsp;

Forum Discussion

How to view security event logs for AMA agents for windows.

Resources