It is not possible to identify the user of the actions referring to the PowerShell events (SecurityEvent table) through the AMA via XPath

Isaac Falcão 0 Reputation points



Initially, when I started the installation in the environment, I noticed that Microsoft's recommendation for collecting Windows logs was to use the AMA agent. However, when I started collecting PowerShell Operational logs via XPath, I found that the events in question do not include the field for the user who performed the action; it is not possible to identify it even in the EventData. I checked that the logs collected through the legacy agent do include the user. So, I would like to know how Microsoft is handling this case, considering that the legacy agent will be discontinued in 2024.





2 answers

  1. Limitless Technology 43,986 Reputation points

    Hello Isaac Falcão,

    XPath should bring the <SubjectUsername> log line if the event itself recorded that data. I suspect it could be some sort of malfunction in the AMA configuration, for which I would recommend that you check the following guide to troubleshoot AMA issues:

    --If the reply is helpful, please Upvote and Accept as answer--

  2. Isaac Falcão 0 Reputation points


    I have access to 3 environments, and in none of them is it possible to identify the user field of the event through the collection of PowerShell Operational logs via XPath with the AMA agent (example EventID: 4104). Could you show me a screenshot of this?

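The thread above concerns 4104 events from Microsoft-Windows-PowerShell/Operational whose EventData does not name the user. The example below is added here and is not code from the thread or from Microsoft: it parses a constructed 4104 event in the rendered Windows event XML schema and shows that the acting user is carried only as a SID in the UserID attribute of the System/Security element, not among the EventData fields, and handles the case where that element is absent. The SID, hostname and script text are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 4104 event (placeholder SID, host and script text).
SAMPLE_4104 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell"/>
    <EventID>4104</EventID>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>host.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-Process | Sort-Object CPU</Data>
    <Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000000</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>"""

# Same event with the Security element dropped: what a record looks like when the
# user was not recorded by the provider (or was lost on the way to the workspace).
SAMPLE_NO_USER = SAMPLE_4104.replace(
    '    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>\n', "")


def parse_event(xml_text: str) -> dict:
    """Return the System fields an XPath filter sees, plus EventData as a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    security = system.find("e:Security", NS)
    data = {}
    for d in root.findall("e:EventData/e:Data", NS):
        data[d.get("Name")] = d.text or ""
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        # The acting user lives here as a SID; 4104 has no user field in EventData.
        "user_sid": security.get("UserID") if security is not None else None,
        "data": data,
    }


def user_in_eventdata(event: dict) -> bool:
    """True only if EventData itself names the user (it does not for 4104)."""
    return any(k in event["data"] for k in ("SubjectUserName", "SubjectUserSid", "UserID"))
```

If the records that reach the workspace keep only the EventData fields, the SID in System/Security is the value to look for when comparing the two agents' output.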