
Sysmon log collection via Azure monitor agent (AMA)


Hi Team 

 

I have a quick question regarding the Azure Monitor agent. I want to capture Sysmon logs from an Azure machine which has the AMA extension installed and a data collection rule set to all events. I have downloaded the Sysmon package and configured it on the machine; however, is there a link to docs which I can follow to configure a DCR (rule) in Azure Sentinel to allow Sysmon logs to be captured by the AMA agent?

With the LA agent it's quite simple to do the same, as I can just go to Agent configuration and add Microsoft-Windows-Sysmon/Operational and the logs, and it's all good. Am I missing something?

 

Thanks

 

4 Replies
Same question. Next year. It looks like you would have to configure some type of data collection rule (DCR) using xpath. Or some other coding. Has anybody done this? And yes, it appears far more complex with the AMA. Thanks, and I hope I am wrong.

A workaround to get the logs is to add a "Windows event log" configuration under the "Legacy agents management" section of the LA workspace. Check the screenshot below:

[screenshot: Log Analytics workspace > Legacy agents management > Windows event logs, with Microsoft-Windows-Sysmon/Operational added]

I am sure there are better ways via DCR to do this. :)

 

best response confirmed by Mike82 (Copper Contributor)
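For anyone who wants the DCR route that the first reply hints at rather than the legacy-agent workaround: the ARM template below is an added example, not code from this thread or from a Microsoft sample. It defines a Windows data collection rule whose only data source is an XPath query against the Sysmon operational channel, sends it to the workspace's Event table via the Microsoft-Event stream, and associates the rule with one VM. The parameter names, the rule name, the association name and the default resource names are assumptions chosen for the example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dcrName": {
      "type": "string",
      "defaultValue": "dcr-sysmon-operational",
      "metadata": { "description": "Name of the data collection rule (example value)." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Must match the region of the workspace and VM." }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the Log Analytics workspace behind Sentinel (assumed input)." }
    },
    "vmName": {
      "type": "string",
      "metadata": { "description": "Name of the VM in this resource group that already has the AMA extension (assumed input)." }
    },
    "sysmonXPath": {
      "type": "string",
      "defaultValue": "Microsoft-Windows-Sysmon/Operational!*",
      "metadata": {
        "description": "AMA XPath in the form ChannelName!Query. Default collects every Sysmon event; a filtered variant looks like Microsoft-Windows-Sysmon/Operational!*[System[(EventID=1 or EventID=3 or EventID=11)]]"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "[parameters('dcrName')]",
      "location": "[parameters('location')]",
      "kind": "Windows",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "sysmonOperational",
              "streams": [ "Microsoft-Event" ],
              "xPathQueries": [ "[parameters('sysmonXPath')]" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            {
              "name": "sentinelWorkspace",
              "workspaceResourceId": "[parameters('workspaceResourceId')]"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": [ "Microsoft-Event" ],
            "destinations": [ "sentinelWorkspace" ]
          }
        ]
      }
    },
    {
      "type": "Microsoft.Insights/dataCollectionRuleAssociations",
      "apiVersion": "2022-06-01",
      "name": "dcra-sysmon-operational",
      "scope": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dcrName'))]"
      ],
      "properties": {
        "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dcrName'))]"
      }
    }
  ]
}
```

Three things worth checking before deploying this. First, the "all events" setting mentioned in the question belongs to the Windows Security Events via AMA connector, which only reads the Security channel, so Sysmon needs its own DCR like this one; its events land in the Event table (EventLog == "Microsoft-Windows-Sysmon/Operational"), not in SecurityEvent. Second, the part of the XPath after the "!" can be validated on the VM itself with Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "<query>" before it goes into the rule, which avoids a silent empty table. Third, do not also leave the legacy-agent workaround enabled on the same host once the DCR is in place, or the same events arrive twice.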
Great thanks for sharing :)