AMA on client devices


We have followed the guidance outlined below to get AMA installed and working on a few test client devices, and they are sending logs to the Event table in our Sentinel workspace.

 

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client

 

The problem we face is with the Windows Security Events via AMA connector. Is there a supported way to get client devices to populate security events into the SecurityEvent table? I see the events in the 'Event' table but not the SecurityEvent table. It seems like the Sentinel security events connector only sees DCRs that are created in Sentinel; it does not see the DCRs that are created outside of Sentinel. Is that a bug or by design?

 

Any guidance is appreciated. We have had data in SecurityEvent from client devices via MMA for a few years and expected to be able to continue to ingest them properly via AMA.

2 Replies
Create another DCR for testing from the Security Events via AMA connector page.
Thanks @Sidra_Raza, I was able to get this working by adding a new DCR in Sentinel and then associating that DCR with the tenant monitoring object. One DCR for security events, one for regular events. Seems to be working properly now.