Ingestion of data into security and audit solution tables with new extensions

2024-08-18T19:24:55.2066667+00:00

How does data get ingested into the protection status and security baseline tables in Log Analytics after retiring MMA and enabling AMA extensions and MDE? Are there any additional configuration steps required to ensure successful ingestion? What are some common errors that can occur during the ingestion process and how can they be resolved? Providing code snippets or logs that showcase the ingestion process would be helpful in understanding the issue.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

1 answer

    SadiqhAhmed-MSFT, 44,336 Reputation points, Microsoft Employee
    2024-08-19T13:10:06.6133333+00:00

    @Namitha Go (Outokumpu, contractor) Greetings from Microsoft!

    When transitioning from the Microsoft Monitoring Agent (MMA) to the Azure Monitor Agent (AMA) and enabling Microsoft Defender for Endpoint (MDE), data ingestion into the protection status and security baseline tables in Log Analytics involves several steps. Here’s a detailed overview:

    Data Ingestion Process

    1. Retiring MMA: As the Log Analytics agent (MMA) is being retired, all Defender for Servers security features and capabilities will be provided with a single agent (Microsoft Defender for Endpoint), complemented by agentless machine scanning.

    2. Enabling AMA: The Azure Monitor Agent (AMA) is the new standard for data collection in Azure Monitor. It provides better performance, reliability, and security compared to MMA. When you enable AMA, it will start collecting data from your VMs and other resources.

    3. Configuring Data Collection Rules (DCRs): To ensure that data is ingested into the correct tables, you need to configure Data Collection Rules (DCRs). These rules define what data should be collected and where it should be sent.

    Additional Configuration Steps

    • Create and Assign DCRs: You need to create DCRs in the Azure portal and assign them to the appropriate resources. This ensures that the data is collected and ingested into the correct tables in Log Analytics.
    • Enable MDE Integration: Ensure that Microsoft Defender for Endpoint is properly integrated with Azure Monitor. This involves configuring the necessary settings in both services to allow data flow.

    Common Errors and Resolutions

    1. Missing Permissions: Ensure that the account used to configure AMA and DCRs has the necessary permissions. Missing permissions can prevent data from being ingested correctly.
      • Resolution: Verify and assign the required roles and permissions in the Azure portal.
    2. Incorrect DCR Configuration: If the DCRs are not configured correctly, data might not be ingested into the desired tables.
      • Resolution: Double-check the DCR settings and ensure they are correctly configured to collect and send data to the protection status and security baseline tables.
    3. Network Issues: Network connectivity issues can prevent data from being ingested.
      • Resolution: Ensure that the VMs and other resources have proper network connectivity to Azure Monitor.

    Example Code Snippets

    Here’s an example of how to create a Data Collection Rule using Azure CLI:

    [Azure CLI snippet was attached as an image; not reproduced]

    Logs for Troubleshooting

    To troubleshoot data ingestion issues, you can check the logs in the Azure portal. Navigate to the Log Analytics workspace and use the following query to check for any errors:

    [query was attached as an image; not reproduced]

    This query will help you identify any errors or issues related to data ingestion into the protection status and security baseline tables.

    If you encounter any specific issues or need further assistance, feel free to ask!

    Hope this helps!


    If the response helped, do "Accept Answer" and up-vote it

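The Azure CLI snippet and the troubleshooting query in the answer above were attached as images that did not survive extraction. As an added example (not the poster's code and not Microsoft's), the script below authors a Data Collection Rule for the Windows Security log, checks it offline for the kind of "Incorrect DCR Configuration" the answer warns about (a dataFlow pointing at a destination name that was never declared, or at a stream no data source produces), writes the JSON for `az monitor data-collection rule create --rule-file`, and returns a KQL query that lists AMA machines whose heartbeats arrive but whose rows do not. The subscription, resource group, workspace and VM identifiers are placeholders, and the stream list and the checks are this example's own assumptions about common mistakes, not the service's validation. The freshness query takes the table name as a parameter so it can be pointed at ProtectionStatus or SecurityBaseline, the tables the question asks about, to confirm whether rows are still arriving once MMA is gone.

```python
"""Author a DCR, sanity-check its wiring offline, and emit the az CLI calls.

Added example for the Q&A above; not Microsoft's code or the poster's.
All resource identifiers are placeholders (assumptions, not real resources).
"""
import json
import re

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-security"                          # placeholder
WORKSPACE_ID = (
    f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
    "/providers/Microsoft.OperationalInsights/workspaces/law-security"
)
VM_ID = (
    f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
    "/providers/Microsoft.Compute/virtualMachines/vm-web01"
)

# Subset of the built-in AMA streams that land in Log Analytics; assumed list.
KNOWN_STREAMS = {"Microsoft-SecurityEvent", "Microsoft-Event",
                 "Microsoft-Syslog", "Microsoft-Perf"}
ARM_WORKSPACE_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$", re.I)


def build_dcr(location="westeurope", destination_name="securityWorkspace"):
    """A Windows DCR that ships the Security log into one workspace."""
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": "securityLog",
                    "streams": ["Microsoft-SecurityEvent"],
                    # Keywords mask selects Audit Success and Audit Failure.
                    "xPathQueries": [
                        "Security!*[System[(band(Keywords,13510798882111488))]]"],
                }]
            },
            "destinations": {
                "logAnalytics": [{"name": destination_name,
                                  "workspaceResourceId": WORKSPACE_ID}]
            },
            # Every stream here must be produced by a data source above and
            # every destination name must be declared above.
            "dataFlows": [{"streams": ["Microsoft-SecurityEvent"],
                           "destinations": [destination_name]}],
        },
    }


def broken_dcr():
    """Two mistakes that are valid JSON but leave the table empty."""
    dcr = build_dcr()
    flow = dcr["properties"]["dataFlows"][0]
    flow["destinations"] = ["laDest"]            # name never declared
    flow["streams"].append("Microsoft-Syslog")   # no syslog source in this rule
    return dcr


def validate_dcr(dcr):
    """Return a list of wiring problems; an empty list means consistent."""
    props = dcr.get("properties", {})
    problems = []
    la_dests = props.get("destinations", {}).get("logAnalytics", [])
    for dest in la_dests:
        if not ARM_WORKSPACE_RE.match(dest.get("workspaceResourceId", "")):
            problems.append(f"destination {dest.get('name')!r}: "
                            "workspaceResourceId is not a workspace ARM ID")
    declared = {d["name"] for d in la_dests}
    produced = set()
    for sources in props.get("dataSources", {}).values():
        for src in sources:
            produced.update(src.get("streams", []))
    flows = props.get("dataFlows", [])
    if not flows:
        problems.append("no dataFlows: nothing is sent anywhere")
    for i, flow in enumerate(flows):
        for stream in flow.get("streams", []):
            if stream not in KNOWN_STREAMS:
                problems.append(f"dataFlows[{i}]: unknown stream {stream!r}")
            elif stream not in produced:
                problems.append(f"dataFlows[{i}]: stream {stream!r} "
                                "has no data source producing it")
        for name in flow.get("destinations", []):
            if name not in declared:
                problems.append(f"dataFlows[{i}]: destination {name!r} "
                                "is not declared")
    return problems


def az_commands(rule_name, rule_file, location="westeurope", vm_id=VM_ID):
    """The two az CLI calls (returned as strings, not executed here)."""
    rule_id = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
               f"/providers/Microsoft.Insights/dataCollectionRules/{rule_name}")
    return [
        f"az monitor data-collection rule create --name {rule_name} "
        f"--resource-group {RESOURCE_GROUP} --location {location} "
        f"--rule-file {rule_file}",
        f"az monitor data-collection rule association create "
        f"--name {rule_name}-assoc --rule-id {rule_id} --resource {vm_id}",
    ]


def ingestion_check_kql(table, hours=24):
    """KQL: AMA machines heartbeating but writing nothing to `table`."""
    return (
        "Heartbeat\n"
        '| where Category == "Azure Monitor Agent"\n'
        "| summarize LastHeartbeat = max(TimeGenerated) by Computer\n"
        f"| join kind=leftanti ({table} | where TimeGenerated > ago({hours}h)"
        " | distinct Computer) on Computer"
    )


if __name__ == "__main__":
    for label, dcr in (("broken", broken_dcr()), ("fixed", build_dcr())):
        print(label, validate_dcr(dcr) or "OK")
    with open("dcr-security.json", "w") as fh:
        json.dump(build_dcr(), fh, indent=2)
    print("\n".join(az_commands("dcr-security", "dcr-security.json")))
    print(ingestion_check_kql("ProtectionStatus"))
```

Run it once before touching Azure: the "broken" rule reports the undeclared destination and the stream without a source, the "fixed" rule reports nothing, and the printed `az` lines are what you would paste into a shell with the right subscription selected. The role the answer refers to for the missing-permissions case is whatever can write `Microsoft.Insights/dataCollectionRules` and `dataCollectionRuleAssociations` on the target scope; the script does not check that.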
