The Preview Tag Drops from the Windows Security Events Data Connector for Azure Sentinel

The Data Connector that utilizes the modern agent (AMA) for collecting Windows Events has now been released into GA.

Legacy and Current

Azure Sentinel customers will notice a couple things for this connector.

First off, the preview tag is missing. But, secondly, the original Security Events connector is now labeled as the Legacy Agent.

Docs: Connect to Windows servers to collect security events

Customers ask quite a bit about when to start migrating to the AMA agent and now with this connector coming out of preview, I’m sure it will be asked again. We do have formal guidance coming soon that will be part of the official docs. Until then…I’ll repeat something I’ve said recently…

As you may or may not know, the Log Analytics agent will be retired in 2024. That seems like a long way off, but its really not. Preparing to use the new Azure Monitor Agent (AMA) is an important planning step for organizations over the next couple years. Make sure this is addressed in planning meetings this year.

I’m asked constantly for my recommendation on when to migrate to the new the AMA – particularly for Azure Sentinel environments since not every underlying service (and Sentinel itself) doesn’t quite support AMA’s full capability. As function parity between the LA agent and AMA gets closer, you will absolutely hear from me. I’ll be one of the first to start to raise the alarm. For now, just focus on where it makes sense and where the AMA capability is critical for your operation. We have a couple years to go, and I promise that as we get closer to the cutoff date, the issues customers raise about AMA deployment techniques and having to rely on the ARC agent alongside will be moot.

Rod Trent, October 1, 2021

Additionally, there is now the On-Prem Security Monitoring for Sentinel solution that can help collect and filter on-prem events before sending to Azure Sentinel.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

[Subscribe to the Bi-Weekly Azure Security Center Newsletter]


Leave a Reply