Forum Discussion
Chris_321
Oct 05, 2021 - Copper Contributor
Creation of AMSI deactivation rule in Azure Sentinel
Hello guys, I am investigating the detection of a rule in Azure Sentinel: I want to monitor whether AMSI has been disabled on a Windows 10 device. I have run the disable command, but it does...
m_zorich
Oct 06, 2021 - Iron Contributor
Hey Cristian,
What kind of logging / agents do you have deployed to your Windows 10 fleet to send your data to Sentinel? That will answer the question of where to start hunting for your events.
The SecurityEvent table is a subset of what will appear in the Security Event log on the device itself. When you run that command on a device, does it appear in the local Security Event log? If not, then it won't appear in Azure Sentinel. If it appears in the local Security Event log but not in Azure Sentinel, then you will need to make sure you have configured the agent correctly to send the proper data up. There are some guides here - https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA or https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=AMA
If you have Defender for Endpoint then make sure you are sending the logs from Defender to Sentinel - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide#azure-sentinel, then you will be looking in the Device* tables, such as DeviceProcessEvents
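A KQL query to check which of the two ingestion paths described in this reply is actually delivering the test event, added here as an example (it is not from the thread or from Microsoft's documentation); it assumes the SecurityEvent table is fed by the Log Analytics / Azure Monitor agent connector with process-creation auditing enabled and the DeviceProcessEvents table by the Defender for Endpoint connector, and it takes the command line you ran and the device name as placeholders:

```kql
// Added example, not part of the original thread.
// Assumptions: SecurityEvent receives Event ID 4688 from the LAA/AMA connector
// (command lines only appear if "Include command line in process creation
// events" is enabled in audit policy); DeviceProcessEvents is populated by the
// Defender for Endpoint connector. Replace the two placeholders below.
let TestCommandFragment = "<command-line fragment you ran on the test device>";
let TestDevice = "<hostname of the Windows 10 test device>";
let lookback = 24h;
// Path 1: local Security event log forwarded by the Log Analytics / Azure Monitor agent
let fromSecurityEvent =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | where Computer has TestDevice
    | where CommandLine has TestCommandFragment
    | project TimeGenerated, Source = "SecurityEvent", Device = Computer,
              Account = SubjectUserName, Process = NewProcessName,
              CommandLine, ParentProcess = ParentProcessName;
// Path 2: Defender for Endpoint telemetry (Device* tables)
let fromMde =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where DeviceName has TestDevice
    | where ProcessCommandLine has TestCommandFragment
    | project TimeGenerated, Source = "DeviceProcessEvents", Device = DeviceName,
              Account = AccountName, Process = FolderPath,
              CommandLine = ProcessCommandLine, ParentProcess = InitiatingProcessFileName;
// Normalise both sources into one schema so the result shows, per Source,
// whether the test command arrived at all and how many times.
union fromSecurityEvent, fromMde
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Source, Device, Account, Process, CommandLine, ParentProcess
| order by LastSeen desc
```

A Source that returns no rows is the ingestion path that is not delivering the event, which narrows the problem to that agent's or connector's configuration rather than to the detection rule itself.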