How to view security event logs for AMA agents for windows.

Copper Contributor

there is nothing coming up in sentinel with query SecurityEvent.

AMA connector says "Disconnected" however i created DCR from log analytic workspace => Agent management.( all are azure virtual machines ) so i believe ARC is not required.


Connector "Security Events via Legacy Agent" shows connected automatically , not the "Windows Security Events via AMA"






4 Replies



Have you enabled that connector, and see the DCR listed?  



i have created DCR rules through Log Analytic workspaces==> agent management

@Victor1989 Is the DCR listed, I don't have any but if I did, they would be below?  If they are not here then we know Sentinel is unable to see them, may they're aligned to another workspace or RG?



@Clive_Watson they are not listed 


but they are there in correct subscription / RG though agent management