Microsoft Tech Community

How to view security event logs for AMA agents for Windows


There is nothing coming up in Sentinel with the query SecurityEvent.

The AMA connector says "Disconnected"; however, I created the DCR from Log Analytics workspace => Agent management (all are Azure virtual machines), so I believe Arc is not required.

 

The connector "Security Events via Legacy Agent" shows connected automatically, not the "Windows Security Events via AMA".


@rodtrent 

4 Replies

@Victor1989 

 

Have you enabled that connector, and do you see the DCR listed?

I have created DCR rules through Log Analytics workspaces ==> Agent management.

@Victor1989 Is the DCR listed? I don't have any, but if I did, they would be below. If they are not here, then we know Sentinel is unable to see them; maybe they're aligned to another workspace or RG?


@Clive_Watson They are not listed.


But they are there in the correct subscription / RG through Agent management.
