Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to view security event logs for AMA agents for windows.

Copper Contributor

there is nothing coming up in sentinel with query SecurityEvent.

AMA connector says "Disconnected" however i created DCR from log analytic workspace => Agent management.( all are azure virtual machines ) so i believe ARC is not required.


Connector "Security Events via Legacy Agent" shows connected automatically , not the "Windows Security Events via AMA"






4 Replies



Have you enabled that connector, and see the DCR listed?  



i have created DCR rules through Log Analytic workspaces==> agent management

@Victor1989 Is the DCR listed, I don't have any but if I did, they would be below?  If they are not here then we know Sentinel is unable to see them, may they're aligned to another workspace or RG?



@Clive_Watson they are not listed 


but they are there in correct subscription / RG though agent management