It is not possible to identify the user of the actions referring to the PowerShell events (SecurityEvent table) through the AMA via XPath

Isaac Falcão 0 Reputation points
2023-01-19T12:34:56.9966667+00:00

Hi,


Initially, when I started the installation in the environment, I noticed that Microsoft's recommendation for collecting Windows logs would be through the AMA agent. However, when starting the collection of PowerShell Operational logs via XPath, I identified that the events in question do not bring the field of the user who performed the action, making it impossible to identify the user even in the EventData. I checked that the logs collected through the legacy agent do bring the user. So, I would like to know how Microsoft is handling this case, considering that the legacy agent will be discontinued in 2024.


Regards,


2 answers

  1. Limitless Technology 9,561 Reputation points
    2023-01-20T16:39:38.4433333+00:00

    Hello Isaac Falcão,

    XPath should bring the <SubjectUsername> log line if the event itself recorded that data. I suspect that it could be some sort of malfunction of the AMA configuration, for which I would recommend you check the following guide to troubleshoot AMA issues:

    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-troubleshoot-windows-vm

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Isaac Falcão 0 Reputation points
    2023-01-20T19:25:49.85+00:00

    Hi,

    I have access to 3 environments and in none of them is it possible to identify the user field of the event through the collection of PowerShell Operational logs via XPath - AMA agent (example EventID: 4104). Could you show me a screenshot of this?
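One way to check, on the machine itself, whether the 4104 events quoted above actually record the acting user anywhere in their XML (the first answer refers to a SubjectUsername field). This is an added example, not code from either participant; it assumes the Microsoft-Windows-PowerShell/Operational log is enabled and that Script Block Logging has already produced some 4104 events, and it uses the same EventID XPath filter a DCR would.

```powershell
# Added example (not from the thread): inspect 4104 events locally and report
# where, if anywhere, the user identity is stored in each event's XML.
# Assumption: Script Block Logging is on and 4104 events exist on this host.
$xpath = "*[System[(EventID=4104)]]"

$events = Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
    -FilterXPath $xpath -MaxEvents 20 -ErrorAction Stop

foreach ($e in $events) {
    $xml = [xml]$e.ToXml()

    # In this provider the user is recorded as a SID in the <Security UserID="..."/>
    # attribute of the <System> block, not as a SubjectUserName entry in <EventData>.
    $sid = $xml.Event.System.Security.UserID
    $account = $null
    if ($sid) {
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved SID>'
        }
    }

    # Check whether EventData carries a SubjectUserName at all for this event.
    $hasSubjectUser = [bool]($xml.Event.EventData.Data |
        Where-Object { $_.Name -eq 'SubjectUserName' })

    [pscustomobject]@{
        TimeCreated            = $e.TimeCreated
        RecordId               = $e.RecordId
        SystemSecurityUserID   = $sid
        ResolvedAccount        = $account
        EventDataHasSubjectUser = $hasSubjectUser
    }
}
```

If ResolvedAccount is populated while EventDataHasSubjectUser is false, the event does carry the user, but only in the System section; that is what needs to be compared against the columns the agent actually forwards.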
