
Detect Azure Monitor Agent Connector Failures In CommonSecurityLog

Description

This KQL query finds, for each AMA-forwarded connector (DeviceVendor/DeviceProduct pair) in CommonSecurityLog, the latest log received, and flags connectors that have gone silent in the last three days.

Risk

Failures in AMA connectors mean that no data is being ingested from those sources, so no alerts that depend on that data will be triggered.

Query

// Assumption: the lookback must be wider than the silence threshold. Filtering the
// table to 3d and then checking for a log newer than 3d is always true, so nothing
// would ever be flagged; 30d is an assumed lookback, adjust to your retention.
let lookback = 30d;
let silence_threshold = 3d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
// CollectorHostName is populated for CEF/Syslog rows forwarded through the Azure Monitor Agent
| extend sent_by_ama = column_ifexists('CollectorHostName','')
| where isnotempty(sent_by_ama)
| where isnotempty(DeviceVendor)
| summarize LastLogReceived = max(TimeGenerated) by DeviceVendor, DeviceProduct
| project IsConnected = LastLogReceived > ago(silence_threshold), LastLogReceived, DeviceVendor, DeviceProduct
// IsConnected is a bool, so compare against false rather than the string "false"
| where IsConnected == false
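The same detection logic as an added Python example (not code from the original page), run over constructed CommonSecurityLog rows; it also shows why the lookback window must be wider than the silence threshold, since a lookback equal to the threshold can never flag anything. Hostnames, vendors and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of CommonSecurityLog rows (not real telemetry). Only the columns the
# detection uses are modelled; CollectorHostName is set for AMA-forwarded logs.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(hours=2), "CollectorHostName": "ama-fwd-01",
     "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS"},
    {"TimeGenerated": NOW - timedelta(days=5), "CollectorHostName": "ama-fwd-01",
     "DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate"},
    {"TimeGenerated": NOW - timedelta(days=12), "CollectorHostName": "ama-fwd-02",
     "DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate"},
    # Not forwarded by AMA (empty CollectorHostName): ignored by the detection.
    {"TimeGenerated": NOW - timedelta(days=1), "CollectorHostName": "",
     "DeviceVendor": "Cisco", "DeviceProduct": "ASA"},
    # Empty DeviceVendor: ignored, mirrors `where isnotempty(DeviceVendor)`.
    {"TimeGenerated": NOW - timedelta(days=4), "CollectorHostName": "ama-fwd-02",
     "DeviceVendor": "", "DeviceProduct": "Unknown"},
]


def silent_ama_connectors(rows, now, lookback=timedelta(days=30),
                          threshold=timedelta(days=3)):
    """Return [(DeviceVendor, DeviceProduct, LastLogReceived)] for AMA-forwarded
    connectors seen within `lookback` whose newest log is older than `threshold`."""
    last_seen = {}
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:        # where TimeGenerated > ago(lookback)
            continue
        if not r.get("CollectorHostName"):               # where isnotempty(sent_by_ama)
            continue
        if not r.get("DeviceVendor"):                    # where isnotempty(DeviceVendor)
            continue
        key = (r["DeviceVendor"], r["DeviceProduct"])    # summarize ... by Vendor, Product
        if key not in last_seen or r["TimeGenerated"] > last_seen[key]:
            last_seen[key] = r["TimeGenerated"]          # max(TimeGenerated)
    # IsConnected = LastLogReceived > ago(threshold); keep only the disconnected ones.
    return sorted((v, p, ts) for (v, p), ts in last_seen.items()
                  if not ts > now - threshold)


if __name__ == "__main__":
    for vendor, product, last in silent_ama_connectors(SAMPLE_ROWS, NOW):
        print(f"silent connector: {vendor}/{product}, last log {last.isoformat()}")
    # With lookback == threshold every connector in the window is trivially connected.
    print("flagged with 3d lookback:",
          silent_ama_connectors(SAMPLE_ROWS, NOW, lookback=timedelta(days=3)))
```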
