
Chris_321
Copper Contributor
Oct 05, 2021
Solved

Creation of AMSI deactivation rule in Azure Sentinel

Hello guys, I am investigating the detection of a rule in Azure Sentinel: I want to monitor if AMSI has been disabled on a Windows 10 device. I have run the disable command, but it does...
  • m_zorich
    Oct 06, 2021
    Hey Cristian,

    What kind of logging / agents do you have deployed to your Windows 10 fleet to send your data to Sentinel? That will answer the question of where to start hunting for your events.

    The SecurityEvent table is a subset of what will appear in the Security Event log on the device itself, when you run that command on a device does it appear in the local Security Event log? If not, then it won't appear in Azure Sentinel. If it appears on the local Security Event log but not in Azure Sentinel then you will need to make sure you have configured the agent correctly to send the proper data up. There are some guides here - https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA or https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=AMA

    If you have Defender for Endpoint then make sure you are sending the logs from Defender to Sentinel - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide#azure-sentinel, then you will be looking in the Device* tables, such as DeviceProcessEvents
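As an added example (not part of the thread), a hunting query that covers both ingestion paths the reply names: process-creation events forwarded to the SecurityEvent table and Defender for Endpoint's DeviceProcessEvents. It assumes Event ID 4688 command-line auditing is enabled on the device (otherwise the CommandLine column stays empty) and uses a plain "amsi" substring as a placeholder for the command that was tested.

```kusto
// Path 1: Windows Security Event log forwarded via the Windows Security Events connector.
// Event 4688 only carries CommandLine when "Include command line in process creation
// events" auditing is enabled on the device (assumed here).
let from_security_event =
    SecurityEvent
    | where EventID == 4688
    | where CommandLine contains "amsi"   // placeholder match term; tune to the tested command
    | project TimeGenerated, Host = Computer, Account, CommandLine,
              Source = "SecurityEvent";
// Path 2: Defender for Endpoint process telemetry, only present if the MDE
// connector is enabled for the workspace.
let from_mde =
    DeviceProcessEvents
    | where ProcessCommandLine contains "amsi"
    | project TimeGenerated = Timestamp, Host = DeviceName, Account = AccountName,
              CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents";
// Union both sources so the rule works regardless of which agent is deployed;
// the Source column shows which path actually delivered the event.
union from_security_event, from_mde
| where TimeGenerated > ago(1d)
| order by TimeGenerated desc
```

If the query returns rows only from one Source after the test command is run, that tells you which connector is delivering data; no rows from either source points back to the local event log or agent configuration rather than the query. A single-word `contains` match will also surface legitimate scripts that mention AMSI, so narrow the term before turning this into an analytics rule.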