AMA on client devices
We have followed the guidance outlined below to get AMA installed and working on a few test client devices and they are sending logs to the Event table in our Sentinel workspace.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
The problem we face is with the Windows Security Events via AMA connector. Is there a supported way to get client devices to populate security events into the SecurityEvent table? I see the events in the ‘Event’ table but not the SecurityEvent table. It seems like the Sentinel security events connector only sees DCRs that are created in Sentinel; it does not see the DCRs that are created outside of Sentinel. Is that a bug or by design?
Any guidance is appreciated. We have had data in SecurityEvent from client devices via MMA for a few years and expected to be able to continue to ingest them properly via AMA.