How to view security event logs for AMA agents for Windows

Copper Contributor

There is nothing coming up in Sentinel with the query SecurityEvent.

The AMA connector says "Disconnected"; however, I created the DCR from Log Analytics workspace => Agents management (all are Azure virtual machines), so I believe Arc is not required.


The connector "Security Events via Legacy Agent" shows connected automatically, not the "Windows Security Events via AMA" one.

[screenshot: Victor1989_0-1667825035123.png]


[screenshot: Victor1989_1-1667825135069.png]

[screenshot: Victor1989_0-1667836460959.png]

@Rod_Trent

4 Replies

@Victor1989

Have you enabled that connector, and can you see the DCR listed?

[screenshot: Clive_Watson_0-1667835794742.png]


I have created DCR rules through Log Analytics workspaces ==> Agents management.

@Victor1989 Is the DCR listed? I don't have any, but if I did, they would be below. If they are not here, then we know Sentinel is unable to see them; maybe they're aligned to another workspace or RG?

[screenshot: Clive_Watson_0-1667837415291.png]


@Clive_Watson They are not listed.

[screenshot: Victor1989_1-1667838313016.png]

But they are there in the correct subscription / RG through Agents management.

[screenshot: Victor1989_2-1667838406736.png]
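The thread stops at the point where the DCRs exist in the right subscription and resource group but do not appear under the connector. As an added example (not code from this thread, from Microsoft, or from any poster), the shell script below checks the two properties a DCR needs before the "Windows Security Events via AMA" connector can use it and before anything lands in SecurityEvent: the rule declares the Microsoft-SecurityEvent stream, and its destination is the Sentinel workspace. Two things are assumed rather than stated on the page: a rule created by the connector carries the Microsoft-SecurityEvent stream, whereas a generic Windows Event Log rule created from the workspace Agents blade carries Microsoft-Event and writes to the Event table; and the live section relies on the Azure CLI "az monitor data-collection rule" commands. The sample JSON documents, resource ids and names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a data collection rule
# (DCR) is one that can feed the Sentinel SecurityEvent table.
# Assumptions (not stated on the page):
#   1. A DCR made by the "Windows Security Events via AMA" connector declares the
#      stream "Microsoft-SecurityEvent"; a generic Windows Event Log DCR created
#      from the workspace Agents blade declares "Microsoft-Event" and lands in the
#      Event table instead.
#   2. The live section uses the Azure CLI "az monitor data-collection rule"
#      commands; DCR_RG and SENTINEL_WS are placeholders you set yourself.

# Helper: return 0 when the DCR JSON (as printed by `az ... show -o json`)
# declares the Microsoft-SecurityEvent stream.
dcr_has_security_stream() {
  printf '%s' "$1" | grep -q '"Microsoft-SecurityEvent"'
}

# Helper: return 0 when the DCR JSON sends its data to the given workspace
# resource id. Whitespace is stripped first so pretty-printing does not matter;
# the match is case-insensitive because ARM resource ids are not case-sensitive.
dcr_targets_workspace() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -qiF "\"workspaceResourceId\":\"$2\""
}

# Print one verdict line per check and return 0 only when both checks pass.
check_dcr() {
  _json="$1"; _ws="$2"; _rc=0
  if dcr_has_security_stream "$_json"; then
    echo "stream      : OK   (Microsoft-SecurityEvent declared)"
  else
    echo "stream      : FAIL (no Microsoft-SecurityEvent stream; events go to the Event table, not SecurityEvent)"
    _rc=1
  fi
  if dcr_targets_workspace "$_json" "$_ws"; then
    echo "destination : OK   (points at the Sentinel workspace)"
  else
    echo "destination : FAIL (destination is a different workspace)"
    _rc=1
  fi
  return $_rc
}

# Constructed sample documents with placeholder ids, trimmed to the fields the
# checks read. SAMPLE_SECURITY_DCR resembles a connector-created rule;
# SAMPLE_EVENT_DCR resembles a rule created from the workspace Agents blade.
SENTINEL_WS_EXAMPLE='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.OperationalInsights/workspaces/example-sentinel-ws'
SAMPLE_SECURITY_DCR='{
  "name": "example-security-dcr",
  "dataSources": { "windowsEventLogs": [ { "name": "eventLogsDataSource",
    "streams": [ "Microsoft-SecurityEvent" ], "xPathQueries": [ "Security!*" ] } ] },
  "destinations": { "logAnalytics": [ { "name": "la-example",
    "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.OperationalInsights/workspaces/example-sentinel-ws" } ] },
  "dataFlows": [ { "streams": [ "Microsoft-SecurityEvent" ], "destinations": [ "la-example" ] } ]
}'
SAMPLE_EVENT_DCR='{
  "name": "example-event-dcr",
  "dataSources": { "windowsEventLogs": [ { "name": "eventLogsDataSource",
    "streams": [ "Microsoft-Event" ], "xPathQueries": [ "Security!*" ] } ] },
  "destinations": { "logAnalytics": [ { "name": "la-other",
    "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/other-rg/providers/Microsoft.OperationalInsights/workspaces/other-ws" } ] },
  "dataFlows": [ { "streams": [ "Microsoft-Event" ], "destinations": [ "la-other" ] } ]
}'

# Live run (only when the placeholders are set and az is installed): inspect
# every DCR in the resource group and list what each rule is associated with.
if [ -n "${DCR_RG:-}" ] && [ -n "${SENTINEL_WS:-}" ] && command -v az >/dev/null 2>&1; then
  for _name in $(az monitor data-collection rule list -g "$DCR_RG" --query '[].name' -o tsv); do
    echo "== $_name"
    check_dcr "$(az monitor data-collection rule show -g "$DCR_RG" -n "$_name" -o json)" "$SENTINEL_WS" || true
    # A rule with no associations is not applied to any VM, even when it is correct.
    az monitor data-collection rule association list -g "$DCR_RG" --rule-name "$_name" --query '[].id' -o tsv
  done
else
  echo "offline demo with constructed samples:"
  check_dcr "$SAMPLE_SECURITY_DCR" "$SENTINEL_WS_EXAMPLE" || true
  check_dcr "$SAMPLE_EVENT_DCR" "$SENTINEL_WS_EXAMPLE" || true
fi
```

Run it with DCR_RG set to the resource group holding the rules and SENTINEL_WS set to the Sentinel workspace's ARM resource id; without those it only evaluates the two constructed samples. A rule that fails the stream check populates the Event table rather than SecurityEvent, which is consistent with a SecurityEvent query returning nothing; a rule that passes both checks but lists no associations is not applied to any VM.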