Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

List Azure Monitor Agent Connector Failures In Syslog

Wayne Andes 2 min read

Description

This KQL query detects latest failure events per AMA connector failures in Syslog in the last three days.

Risk

Failures in AMA connectors mean that no data is being ingested thus no potential alerts will be triggered.

Query

Microsoft Sentinel
Kusto
Syslog
| where TimeGenerated > ago(3d)
| extend sent_by_ama = column_ifexists('CollectorHostName','')
| where isnotempty(sent_by_ama)
| where isnotempty(HostName)
| summarize LastLogReceived = max(TimeGenerated) by HostName, HostIP
| project IsConnected = LastLogReceived > ago(3d), HostName, HostIP
| where IsConnected == "false"

You May Also Like

List Data Connector Changed From Success To Failed State

Wayne Andes

List Microsoft Teams Sending Or Receiving More Than 50GB In The Last 10 Minutes As Detected By Zscaler

Wayne Andes

List Suspicious File Found By VMware Carbon Black App Control

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *