Using the new AMA agent and DCR, collect Security Events in Microsoft Sentinel.

Omkar Kadam
7 min read · Jul 27, 2023


Introduction: AMA vs MMA

Let’s start with the main comparison between the previous legacy Microsoft Monitoring Agent (MMA) and the new Azure Monitoring Agent (AMA).

AMA is supported in multiple environments; Azure Arc is a requirement for environments outside Azure. On-premises resources require onboarding with Azure Arc.

Microsoft Monitoring Agent (MMA)

The Microsoft Monitoring Agent supports 4 options for specific data collections.

  • All events — All Windows security and AppLocker events.
  • Common — A standard set of events for auditing purposes. The Common event set may contain some types of events that aren’t so common. This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.
  • Minimal — A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence.
  • None — No security or AppLocker events. (This setting is used to disable the connector.)

Azure Monitoring Agent (AMA)

The Azure Monitoring Agent (AMA) is rewritten from the ground up and is the replacement for the Microsoft Monitoring Agent used by Log Analytics.

The Azure Monitor agent uses data collection rules (DCRs) to configure which data to collect from each agent. Data collection rules make collection settings manageable at scale for different groups of environments or machines, which results in lower cost and fewer events.

Have a single special Event Log on a specific server you want to collect? We can do that now without collecting it from any other servers.

The list of supported OSes can be found here; basically, Windows Server 2008 R2 SP1 and above are supported. Outside Windows, Linux is supported. You can of course use Azure Policy for the deployment.

XPath?

Before explaining the usage, let’s start with explaining XPath. XPath stands for XML (Extensible Markup Language) Path Language and is used to select specific parts of an XML document. In a DCR, XPath entries are written in the form LogName!XPathQuery.

For example, the mapping for Security EventID 4624 is: Security!*[System[(EventID=4624)]]

Microsoft Sentinel data connectors

Currently, there are many data connectors in Microsoft Sentinel. The following data connectors are mapped against the MMA or AMA agent. For using the new DCR collection use the Windows Security Events via AMA connector.

  • Security events via legacy agent: Legacy version based on the MMA agent / Log Analytics (1)
  • Windows Security via AMA: New version based on Azure Monitoring agent (2)

Enable the Microsoft Sentinel connector

Multiple options are available for installing the Azure Monitoring Agent, in this blog post the installation based on Microsoft Sentinel is explained. For more detailed standalone install instructions check the following source: Manage the Azure Monitor agent | Microsoft Docs

For Azure cloud machines no extra Azure Arc configuration is required. For enabling the new connector, take the following Microsoft Sentinel steps:

  1. Open Microsoft Sentinel
  2. In the menu select Data connectors (1)
  3. Select the Windows Security event via AMA connector (2) Tip: Search for Security events
  4. Open the connector page (3)

Now configure the new data sources from the connector page. Make sure you have read and write permissions, both for collecting security events from Windows agents and for installing the AMA agent. Start with creating a new data collection rule (DCR) by clicking the button Create data collection rule.

The Data Collection Rule defines where the collected data is sent. In this blog we use the Microsoft Sentinel Log Analytics workspace.

Fill in the following values:

  • Rule name: Name for specific Data Collection Rule
  • Subscription: Select the subscription
  • Resource Group: Select the resource group (a Data Collection Rule is an Azure resource)

Now select the devices or resource groups/subscriptions and press Apply. After enabling, the Azure Monitoring agent is automatically installed on these machines. Selection is possible for single virtual machines or for complete resource groups/subscriptions:

Single machine: targets one single machine

Resource group: targets all machines in the selected resource groups or subscriptions

Review the selected resources and go to the Collect tab.

For collecting events select one of the event groups:

  • All Security Events
  • Common
  • Minimal
  • Custom — defining custom queries using XPath (explained later in this blog)

After completing the wizard, Azure Policy forces the installation of the Azure Monitoring extension directly on the selected resources. The extension type is named Microsoft.Azure.Monitor.AzureMonitorWindowsAgent.

Rule associations

A machine can be associated with multiple Data Collection Rules at the same time.

For example, consider an environment with a set of virtual machines running a line of business applications and others running SQL Server. You might have one default data collection rule that applies to all virtual machines and separate data collection rules that collect data specifically for the line of business application and for SQL Server. The associations for the virtual machines to the data collection rules would look similar to the following diagram.
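The layered setup described above (one default DCR for every VM plus workload-specific DCRs) can also be created outside the portal. The following PowerShell is an added example, not code from the original post; it assumes Az.Accounts and Az.Monitor are installed, Connect-AzAccount has already run, and uses the cmdlet parameter names (TargetResourceId/RuleId) of the Az.Monitor versions current at the time of this post; newer module versions renamed these. All resource IDs are placeholders.

```powershell
# Added example: associate a default DCR and a workload-specific DCR with one VM,
# then list the associations to verify the result. Resource IDs are placeholders.
$vmId       = '/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>'
$defaultDcr = '/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Insights/dataCollectionRules/dcr-security-common'
$sqlDcr     = '/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Insights/dataCollectionRules/dcr-sql-server'

# One association per (VM, DCR) pair. The association name only needs to be
# unique per target resource, so a readable name per DCR is enough.
New-AzDataCollectionRuleAssociation -TargetResourceId $vmId `
    -AssociationName 'dcra-security-common' -RuleId $defaultDcr

New-AzDataCollectionRuleAssociation -TargetResourceId $vmId `
    -AssociationName 'dcra-sql-server' -RuleId $sqlDcr

# Verify: every DCR currently associated with this VM. A VM that is missing
# the default rule here is not sending its security events to Sentinel.
Get-AzDataCollectionRuleAssociation -TargetResourceId $vmId |
    Select-Object Name, DataCollectionRuleId
```

Run the same Get-AzDataCollectionRuleAssociation check across a resource group when validating a migration: the AMA extension being installed is not enough on its own, the machine also needs at least one DCR association before any security events flow.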

Enable the connector — Azure Arc

For Azure Arc machines the configuration is almost the same. For on-premises resources, make sure the machine is onboarded correctly with Azure Arc and visible in the Infrastructure — Servers blade.

The scope part of the Sentinel connector shows the Azure Arc devices.

As with Azure VMs, Azure Policy then forces the installation of the Azure Monitoring extension directly on the selected Azure Arc resources. The extension type is again Microsoft.Azure.Monitor.AzureMonitorWindowsAgent.

Create Custom Collection

After finalizing the setup you can change the rule to collect more events of different types. Selecting Custom enables the custom event configuration.

Collect only event 4625 (failed sign-in)

Security!*[System[(EventID=4625)]]

Collect event 4625 (failed sign-in) and 4624 (successful logon)

Security!*[System[(EventID=4624) or (EventID=4625)]]

Collect events 1, 299, 4624, 4625, 4661, 4662, 4663, 4664, 4665

Security!*[System[(EventID=1) or (EventID=299) or (EventID=4624) or (EventID=4625) or (EventID=4661) or (EventID=4662) or (EventID=4663) or (EventID=4664) or (EventID=4665)]]

Collect all Critical (Level 1), Error (Level 2), Warning (Level 3), and Information (Level 4) events from the System log except Event ID 6.

System!*[System[(Level=1 or Level=2 or Level=3 or Level=4) and (EventID != 6)]]

XPath queries can be validated with PowerShell before adding them to a rule in Sentinel: use the Get-WinEvent cmdlet with the query part (the text after the ! separator) against the same log.

$XPathQuery = "*[System[(EventID=4625)]]" 
Get-WinEvent -LogName Security -FilterXPath $XPathQuery
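Extending the custom collection examples above and this validation step, the following PowerShell is an added example (not code from the original post). It checks a list of DCR-style LogName!XPathQuery entries against the local event logs, distinguishes a syntax error from a query that is simply empty on this machine, and then writes the matching DCR body as JSON. The workspace resource ID and location are placeholders; the stream names Microsoft-SecurityEvent (Security log, lands in the SecurityEvent table) and Microsoft-Event (other logs, lands in the Event table) are the standard Azure Monitor stream names and are the assumption this example is built on.

```powershell
# Added example: validate DCR XPath entries locally, then emit a DCR body.
# Security-log queries go to the Microsoft-SecurityEvent stream (SecurityEvent
# table); the System-log query goes to Microsoft-Event (Event table).
$SecurityXPath = @(
    'Security!*[System[(EventID=4625)]]',
    'Security!*[System[(EventID=4624) or (EventID=4625)]]'
)
$SystemXPath = @(
    'System!*[System[(Level=1 or Level=2 or Level=3 or Level=4) and (EventID != 6)]]'
)

foreach ($entry in ($SecurityXPath + $SystemXPath)) {
    # DCR entries use the form LogName!XPathQuery; Get-WinEvent needs the two parts separately.
    $logName, $query = $entry -split '!', 2
    try {
        # -MaxEvents keeps the check fast; -ErrorAction Stop turns "no events" into a catchable error
        $sample = @(Get-WinEvent -LogName $logName -FilterXPath $query -MaxEvents 5 -ErrorAction Stop)
        Write-Host ("OK   {0} -> {1} sample event(s)" -f $entry, $sample.Count)
    } catch {
        # An empty result is not a syntax problem; anything else (bad log name, invalid XPath) is.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Host ("OK   {0} -> valid query, no matching events on this machine" -f $entry)
        } else {
            Write-Warning ("FAIL {0} -> {1}" -f $entry, $_.Exception.Message)
        }
    }
}

# DCR body with the validated queries. Placeholders must be replaced before deployment.
$dcr = @{
    location   = '<LOCATION>'
    kind       = 'Windows'
    properties = @{
        dataSources = @{
            windowsEventLogs = @(
                @{ name = 'customSecurityEvents'; streams = @('Microsoft-SecurityEvent'); xPathQueries = $SecurityXPath },
                @{ name = 'customSystemEvents';   streams = @('Microsoft-Event');         xPathQueries = $SystemXPath }
            )
        }
        destinations = @{
            logAnalytics = @(
                @{ name = 'sentinelWorkspace'; workspaceResourceId = '<WORKSPACE_RESOURCE_ID>' }
            )
        }
        dataFlows = @(
            @{ streams = @('Microsoft-SecurityEvent'); destinations = @('sentinelWorkspace') },
            @{ streams = @('Microsoft-Event');         destinations = @('sentinelWorkspace') }
        )
    }
}

$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path .\dcr-custom-security.json
```

Run it on a machine that actually has the events of interest; a query that passes only because the local log is empty still deserves a second look in the Event Viewer XML view. Keeping the System-log query on its own stream matters because events collected through Microsoft-Event end up in the Event table, so analytics rules written against SecurityEvent will not see them.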

Result PowerShell:

However, there’s a shortcut for creating XPath queries using the Event Viewer. Open the Event Viewer and select the log. Choose Filter Current Log and enter the Event IDs you want to collect. Click the XML tab to view the generated XPath structure.

Events Microsoft Sentinel

After some time we should start seeing events collected by the connector and DCR rules. Go to Logs and run the following KQL query to summarize by EventID.

SecurityEvent
| summarize count() by EventID

The Data received chart on the Windows Security Events connector page also shows the incoming volume:

Monitoring workbook — AMA migration tracker workbook

Enable the AMA migration tracker workbook in Microsoft Sentinel for some extra visibility into migrations from MMA to the new AMA agent. The workbook shows which Azure and Azure Arc servers have the MMA or AMA agent installed, the Data Collection Rules attached to each VM, and the VMs associated with each DCR.

  1. Open Microsoft Sentinel
  2. In the menu select Workbooks
  3. Select the Templates tab and search for AMA migration tracker
  4. Save the AMA Migration tracker workbook

The following tabs are available:

Servers and extensions installed: Overview of current VMs and which machines are connected with AMA, MMA, or both agents. Useful for tracking visibility during MMA migrations.

Data Collection Rules under Subscriptions: Shows all configured Data Collection Rules under the subscriptions. The view contains the OS, streams, XPath, name, and connected resource group. When selecting a specific DCR, all associated VMs are visible in the view.

VMs with AMA: Shows all servers with AMA installed. Select each server individually for viewing the connected Data Collection Rules which are associated with the machine.
