Microsoft Tech Community

AMA agent DCR log filtering


Hi, 

I have previously created KQL queries for ingestion-time transformation and was filtering out certain event IDs and a few other logs (e.g. `| where not(EventID == 4799 and CallerProcessName contains "C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe")`).

Now I have 80+ filtering KQL queries which I have applied on the SecurityEvent table to filter out specific logs.

I have shifted my servers from the MMA agent to the AMA agent. The AMA agent has its own DCR, and my existing ingestion-time transformation won't work now. I need to create XPath queries in the new DCR.

Is there any way I can convert all of the existing ingestion-time transformation KQLs (example already mentioned above)?

OR

Do I need to create separate DCRs for AMA to filter out the specific events, which are 80+?

1 Reply
To filter down logs there are two places you could do it here: within the Sentinel Data Connector "Windows Events for AMA" or Table Transformations.

To filter down logs, add in only the Windows events you want to see, and from there apply the relevant KQL queries at the Table Transformations level... keep in mind, Table Transformations can take up to 1 hour to apply to your Sentinel instance.

If these steps have been applied, any chance you can share more information?
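The two filtering points the reply names, the collection XPath and a KQL transformation, can both live in one AMA data collection rule, so the question's compound filter does not have to be rewritten as XPath at all. Below is an added example DCR fragment (not posted by either participant): `xPathQueries` narrows collection to the event IDs of interest, and `transformKql` on the data flow carries the original `where not(...)` filter unchanged, with the process-path test left to KQL. Assumptions: the `Microsoft-SecurityEvent` stream exposes the SecurityEvent columns used in the filter, the workspace resource ID is a placeholder, and the backslashes in the path are escaped twice (once for KQL, once for JSON).

```json
{
  "properties": {
    "description": "Added example DCR (not from the thread): XPath for collection scope, transformKql for the fine-grained exclusions",
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityEvents",
          "streams": ["Microsoft-SecurityEvent"],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4799)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "laDest",
          "workspaceResourceId": "<PLACEHOLDER: /subscriptions/.../workspaces/<workspace>>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-SecurityEvent"],
        "destinations": ["laDest"],
        "transformKql": "source | where not(EventID == 4799 and CallerProcessName contains \"C:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\")"
      }
    ]
  }
}
```

The remaining exclusion queries can be appended to the same `transformKql` string as further `| where not(...)` stages, keeping the XPath list short and the per-event-ID logic in one place.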