there is nothing coming up in sentinel with query SecurityEvent.
AMA connector says "Disconnected" however i created DCR from log analytic workspace => Agent management.( all are azure virtual machines ) so i believe ARC is not required.
Connector "Security Events via Legacy Agent" shows connected automatically , not the "Windows Security Events via AMA"
@Victor1989 Is the DCR listed, I don't have any but if I did, they would be below? If they are not here then we know Sentinel is unable to see them, may they're aligned to another workspace or RG?
@Clive_Watson they are not listed
but they are there in correct subscription / RG though agent management
