Query Details

Sysmon AMA

Query

//Computers using the AMA sending Sysmon data to Sentinel
//Filter each side before the join; Category is a Heartbeat column, EventSourceName a SecurityEvent column
SecurityEvent
| where TimeGenerated >= ago(1h)
| where EventSourceName == "Microsoft-Windows-Sysmon"
| distinct Computer, EventSourceName
| join kind=inner (
    Heartbeat
    | where TimeGenerated >= ago(1h)
    | where Category == "Azure Monitor Agent"
    | distinct Computer, Category
) on Computer
| project Computer, Category, EventSourceName

Explanation

This query lists computers that have written Sysmon events to the SecurityEvent table within the last hour and whose Heartbeat rows identify the Azure Monitor Agent (AMA) as the collecting agent. The two tables are joined on Computer. Note which column comes from which table: Category is a Heartbeat column (AMA reports "Azure Monitor Agent", the legacy Log Analytics agent reports "Direct Agent"), while EventSourceName is a SecurityEvent column. The time filter should be applied to both tables before the join, so that a host currently sending Sysmon is not matched against stale heartbeats from an agent that has since been replaced, and so that neither large table is scanned without a time bound. The result is the distinct combination of computer, category and event source name. If your data collection rule routes Sysmon into the Event or WindowsEvent table instead of SecurityEvent, change the table and the provider column accordingly.
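The following query is an added example, not the original query from this page or from its author. It generalizes the same idea into a migration-tracking view: for every computer that sent Sysmon events in the last 24 hours, it reports which agent type most recently heartbeated for that host, the last heartbeat time, and the Sysmon event volume. It assumes only the columns the original query already uses (SecurityEvent.EventSourceName, Heartbeat.Category); the 24h window and the output column names are choices made here.

```kql
// Added example (not the page's original query): per-computer Sysmon collection summary.
// Assumes SecurityEvent carries Sysmon with EventSourceName == "Microsoft-Windows-Sysmon"
// and Heartbeat.Category names the agent, as in the original query. Window is a choice.
let lookback = 24h;
let sysmonSenders =
    SecurityEvent
    | where TimeGenerated >= ago(lookback)
    | where EventSourceName == "Microsoft-Windows-Sysmon"
    | summarize SysmonEvents = count(), LastSysmonEvent = max(TimeGenerated) by Computer;
let agents =
    Heartbeat
    | where TimeGenerated >= ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer, Category
    // Keep only the agent type that heartbeated most recently per computer, so a host
    // that migrated from the legacy agent to AMA is reported under AMA, not both.
    | summarize arg_max(LastHeartbeat, Category) by Computer;
sysmonSenders
| join kind=leftouter agents on Computer
| extend AgentType = case(
    Category == "Azure Monitor Agent", "AMA",
    isnotempty(Category), "Legacy agent",
    "No heartbeat in window")
| project Computer, AgentType, Category, LastHeartbeat, SysmonEvents, LastSysmonEvent
| order by AgentType asc, SysmonEvents desc
```

The leftouter join is deliberate: a computer that sends Sysmon but has no heartbeat in the window is a collection problem worth seeing, and an inner join would silently drop it.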

Details


Rod Trent

Released: August 18, 2022

Tables

SecurityEvent, Heartbeat

Keywords

SecurityEvent,Heartbeat,Computer,TimeGenerated,Category,AzureMonitorAgent,EventSourceName,Microsoft-Windows-Sysmon

Operators

join, where, ago, distinct
