Jun 06 2024 09:15 AM
We have followed the guidance outlined below to get AMA installed and working on a few test client devices and they are sending logs to the Event table in our Sentinel workspace.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
The problem we face is with the Windows Security Events via AMA connector. Is there a supported way to get client devices to populate security events into the SecurityEvent table? I see the events in the 'Event' table but not the SecurityEvent table. It seems like the Sentinel security events connector only sees DCRs that are created in Sentinel; it does not see the DCRs that are created outside of Sentinel. Is that a bug or by design?
Any guidance is appreciated. We have had data in SecurityEvent from client devices via MMA for a few years and expected to be able to continue to ingest them properly via AMA.
Jun 07 2024 11:49 AM
Jun 10 2024 05:14 AM