Microsoft Sentinel Article Series: Direct Onboarding Windows Security Events via AMA Connector

Jeffry Gunawan
MII Cyber Security Consulting Services
2 min readJun 18, 2023

The Azure Monitor Agent (AMA) is Microsoft's current data collection agent for Azure VMs and Azure Arc-enabled servers. It forwards the logs you select to a Log Analytics workspace according to Data Collection Rules (DCRs), and Microsoft Sentinel runs its analytics and threat detection on that data.

AMA is now the main way to ingest Windows Security Event logs into Sentinel, because the older Security Events via Legacy Agent connector (which relies on the Log Analytics agent, MMA) is scheduled to be retired in August 2024.

In this case I'm using a native Azure environment, and the steps are easy.

Source: https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate#windows-logs

1. Open Microsoft Sentinel, go to Data connectors, and search for the connector named Windows Security Events via AMA. Then open the connector page.
Windows Security Events via AMA Connector

2. On the right side, click +Create data collection rule and fill in the details. You can choose the subscription and resource group the rule is created in.

Fill the data

3. Click +Add resource(s) and choose your scope: the VMs, virtual machine scale sets or Arc-enabled servers the rule should apply to.

Insert Scope

4. The result looks like below:

Resources

5. Customize which events you want to collect. The wizard offers All security events, Common, Minimal, or Custom (your own XPath filters on the Security log).

Select which events to collect

6. Review and create.

Review

7. Result: the connector received the Security Events. After the DCR is created, the Azure Monitor Agent extension is installed automatically on the machines in scope, and the events land in the SecurityEvent table of the workspace.

Result Image
Result Log
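The portal wizard above produces a Data Collection Rule behind the scenes. The following is an added example, not code from the original article or from Microsoft, that builds the equivalent DCR body for the Custom option, splits the selected event IDs into Security-log XPath queries that respect the documented 256-character limit per query, checks the rule before deployment (every stream routed, every destination declared), and then compares what actually arrived in SecurityEvent with what was selected. The event ID list, computer names, workspace placeholder and sample query rows are all constructed for illustration.

```python
"""Build and sanity-check a DCR for the Sentinel 'Windows Security Events via AMA'
connector, then verify which selected EventIDs have actually arrived."""
import json

# Stream used by the Sentinel Security Events connector; the dataFlow routes it
# into the SecurityEvent table of the destination workspace.
STREAM = "Microsoft-SecurityEvent"
# Azure Monitor documents a 256-character limit per XPath query in a DCR.
XPATH_MAX_LEN = 256

# Constructed example selection (NOT Microsoft's "Common" or "Minimal" set):
# logons, failed logons, process creation, account/group changes, log cleared.
EXAMPLE_EVENT_IDS = [4624, 4625, 4688, 4720, 4728, 4732, 4756, 1102]


def xpath_queries(event_ids, max_len=XPATH_MAX_LEN):
    """Split event IDs into Security-log XPath filters that each stay within
    max_len characters; one over-long query would be rejected by the service."""
    prefix, suffix = "Security!*[System[(", ")]]"
    queries, batch = [], []
    for eid in sorted(set(int(e) for e in event_ids)):
        candidate = batch + [f"EventID={eid}"]
        if len(prefix + " or ".join(candidate) + suffix) > max_len and batch:
            queries.append(prefix + " or ".join(batch) + suffix)
            batch = [f"EventID={eid}"]
        else:
            batch = candidate
    if batch:
        queries.append(prefix + " or ".join(batch) + suffix)
    return queries


def build_dcr(location, workspace_resource_id, event_ids, dest_name="la-workspace"):
    """DCR body for the wizard's Custom option, ready to be written to a file
    and deployed with `az monitor data-collection rule create --rule-file`."""
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {"windowsEventLogs": [{
                "name": "securityEvents",
                "streams": [STREAM],
                "xPathQueries": xpath_queries(event_ids),
            }]},
            "destinations": {"logAnalytics": [{
                "name": dest_name,
                "workspaceResourceId": workspace_resource_id,
            }]},
            "dataFlows": [{"streams": [STREAM], "destinations": [dest_name]}],
        },
    }


def validate_dcr(dcr):
    """Pre-deployment checks: every source stream is routed by a dataFlow to a
    declared destination, and no XPath query exceeds the limit. Returns problems."""
    problems, props = [], dcr["properties"]
    dest_names = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    routed = set()
    for flow in props["dataFlows"]:
        unknown = set(flow["destinations"]) - dest_names
        if unknown:
            problems.append(f"dataFlow references undeclared destination(s): {sorted(unknown)}")
        routed.update(flow["streams"])
    for src in props["dataSources"].get("windowsEventLogs", []):
        for stream in src["streams"]:
            if stream not in routed:
                problems.append(f"stream {stream} has no dataFlow; its events would be dropped")
        for q in src["xPathQueries"]:
            if len(q) > XPATH_MAX_LEN:
                problems.append(f"XPath query too long ({len(q)} > {XPATH_MAX_LEN}): {q[:40]}...")
    return problems


# KQL to run in the workspace once the association exists (step 7 check).
VERIFY_KQL = """SecurityEvent
| where TimeGenerated > ago(1h)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Computer asc, EventID asc"""


def missing_event_ids(expected_ids, rows):
    """Given rows shaped like VERIFY_KQL's output, list per computer the selected
    EventIDs that have not arrived. A missing rare ID (4720, 1102) may simply not
    have occurred yet; a missing 4624 on a busy server usually means the DCR
    association or the agent extension is not working."""
    seen = {}
    for r in rows:
        seen.setdefault(r["Computer"], set()).add(int(r["EventID"]))
    return {c: sorted(set(expected_ids) - ids) for c, ids in seen.items()}


# Constructed sample result of VERIFY_KQL (not real telemetry).
SAMPLE_ROWS = [
    {"Computer": "dc01.contoso.local", "EventID": eid, "Events": n}
    for eid, n in [(4624, 120), (4625, 3), (4688, 910), (4720, 1),
                   (4728, 1), (4732, 1), (4756, 1), (1102, 1)]
] + [
    {"Computer": "web01.contoso.local", "EventID": 4624, "Events": 40},
    {"Computer": "web01.contoso.local", "EventID": 4688, "Events": 300},
]

if __name__ == "__main__":
    # Placeholder workspace resource ID; replace with your own before deploying.
    ws = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
    dcr = build_dcr("eastus", ws, EXAMPLE_EVENT_IDS)
    assert not validate_dcr(dcr), validate_dcr(dcr)
    with open("dcr-security-events.json", "w") as f:
        json.dump(dcr, f, indent=2)
    print(json.dumps(missing_event_ids(EXAMPLE_EVENT_IDS, SAMPLE_ROWS), indent=2))
```

The JSON file the script writes can be deployed with `az monitor data-collection rule create --name <dcr-name> --resource-group <rg> --location <region> --rule-file dcr-security-events.json`, and attached to each machine in scope with `az monitor data-collection rule association create --name <assoc-name> --resource <vm-resource-id> --rule-id <dcr-resource-id>`; that association is what the portal creates when you add resources in step 3. Run VERIFY_KQL in Logs after a few minutes and feed its rows to missing_event_ids to confirm the selection in step 5 is really what is being collected.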

References :

https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate#windows-logs
