Detect Azure Monitor Agent Connector Failures In CommonSecurityLog
Detecting Azure Monitor Agent (AMA) connector failures with KQL is essential for keeping log ingestion and security alerting consistent. The query below identifies AMA-forwarded sources in CommonSecurityLog whose most recent event is more than three days old. Continuous monitoring of connector health ensures that ingestion gaps do not silently disable your Microsoft Sentinel analytics rules.
Risk
When an Azure Monitor Agent connector fails, no events from that source reach CommonSecurityLog, creating blind spots. Analytics rules that depend on those events stop firing, so threats against the affected devices go undetected while dashboards still look normal.
Query (Microsoft Sentinel)
// The lookback window must be wider than the failure threshold: filtering to 3d and then
// testing LastLogReceived > ago(3d) is always true, so nothing would ever be flagged.
// 14d is an assumed baseline window; adjust it to your retention and alert cadence.
CommonSecurityLog
| where TimeGenerated > ago(14d)
// Only events forwarded by the Azure Monitor Agent carry CollectorHostName.
| extend sent_by_ama = column_ifexists('CollectorHostName','')
| where isnotempty(sent_by_ama)
| where isnotempty(DeviceVendor)
| summarize LastLogReceived = max(TimeGenerated) by DeviceVendor, DeviceProduct
| project IsConnected = LastLogReceived > ago(3d), DeviceVendor, DeviceProduct, LastLogReceived
// IsConnected is a bool; comparing it with the string "false" is a type error in KQL.
| where IsConnected == false
This KQL query scans CommonSecurityLog for events forwarded by the Azure Monitor Agent (identified by the presence of the CollectorHostName column), groups them by vendor and product, and records when the last event from each pair was received. Any vendor/product pair whose most recent event is more than three days old is flagged as disconnected, signaling a likely connector failure. The lookback window must be wider than the three-day threshold; if the query only reads the last three days, the stale rows that would reveal a failed connector are filtered out before the check runs, and the result is always empty.
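To make the window-versus-threshold point concrete, here is an added Python re-implementation of the query's logic over a constructed set of CommonSecurityLog-shaped rows. It is not code from the page or from Microsoft; the rows, host names and the fixed "now" timestamp are invented for the example, and the 14-day baseline is an assumption. It shows that a failed connector is only reported when the baseline window is wider than the three-day threshold.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows carrying the columns the KQL query reads. CollectorHostName
# is present only when the Azure Monitor Agent forwarded the event. None of this
# is real telemetry.
SAMPLE_ROWS = [
    # Healthy connector: events keep arriving.
    {"TimeGenerated": NOW - timedelta(hours=1), "CollectorHostName": "ama-fwd-01",
     "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS"},
    {"TimeGenerated": NOW - timedelta(days=2), "CollectorHostName": "ama-fwd-01",
     "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS"},
    # Failed connector: last event five days ago.
    {"TimeGenerated": NOW - timedelta(days=5), "CollectorHostName": "ama-fwd-02",
     "DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate"},
    # Not forwarded by AMA (empty CollectorHostName): the query ignores it.
    {"TimeGenerated": NOW - timedelta(hours=3), "CollectorHostName": "",
     "DeviceVendor": "Cisco", "DeviceProduct": "ASA"},
    # Empty DeviceVendor: the query ignores it.
    {"TimeGenerated": NOW - timedelta(hours=3), "CollectorHostName": "ama-fwd-03",
     "DeviceVendor": "", "DeviceProduct": "Unknown"},
]


def last_log_by_connector(rows, now, baseline):
    """Mirror of the KQL pipeline up to the summarize step: keep rows inside the
    baseline window that were sent by AMA and carry a vendor, then take
    max(TimeGenerated) per (DeviceVendor, DeviceProduct)."""
    last_seen = {}
    for r in rows:
        if r["TimeGenerated"] <= now - baseline:   # where TimeGenerated > ago(baseline)
            continue
        if not r.get("CollectorHostName"):         # where isnotempty(sent_by_ama)
            continue
        if not r.get("DeviceVendor"):              # where isnotempty(DeviceVendor)
            continue
        key = (r["DeviceVendor"], r["DeviceProduct"])
        if key not in last_seen or r["TimeGenerated"] > last_seen[key]:
            last_seen[key] = r["TimeGenerated"]
    return last_seen


def disconnected_connectors(rows, now, baseline=timedelta(days=14),
                            threshold=timedelta(days=3)):
    """Return sorted (vendor, product) pairs whose most recent AMA-forwarded event
    is older than `threshold`. `baseline` (assumed 14 days) is the lookback window
    and must exceed `threshold` for stale sources to be visible at all."""
    last_seen = last_log_by_connector(rows, now, baseline)
    # IsConnected = LastLogReceived > ago(threshold); keep rows where it is false.
    return sorted(key for key, ts in last_seen.items() if not ts > now - threshold)


def flagged_with_equal_windows(rows, now, window=timedelta(days=3)):
    """Reproduces the flaw of filtering and thresholding on the same window:
    every surviving row is inside the window, so nothing can be flagged."""
    return disconnected_connectors(rows, now, baseline=window, threshold=window)


if __name__ == "__main__":
    print("14d baseline / 3d threshold:", disconnected_connectors(SAMPLE_ROWS, NOW))
    print("3d baseline / 3d threshold: ", flagged_with_equal_windows(SAMPLE_ROWS, NOW))
```

Running the script reports the FortiGate source as disconnected only under the wider baseline; with both windows at three days the list is empty even though that connector has been silent for five days.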