Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,065 questions
Not receiving Windows WMI logs on Azure Sentinel
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 1%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Gaurav Mourya
1
Reputation point
We have a High priority Task related to WMI (Windows Management Instrumentation) logs ingestion to Azure Sentinel for a Client. We are facing some issues while ingesting WMI Logs to Azure Sentinel. We have installed the Microsoft Monitoring Agent on the machine and trying to ingest logs by adding the following Agents Configurations in Log Analytics Workspace
- Microsoft-Windows-WMI-Activity/Operational
- Microsoft-Windows-WMI-Activity/Trace
- SmbWmiAnalytic
- wmi
- WMI-Activity
We have referred to https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part2-integrating-a-basic-windows-lab-via/ba-p/1742165 guide to implement the process.
We are receiving WMI Events on Windows Event Viewer but these events are not flowing to Log Analytics Workspace.
We have a good relation with the client, so need to resolve this on an urgent basis because to maintain our relationship.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee2021-06-28T13:56:09.153+00:00 @Gaurav Mourya Thanks for reaching out. Checking to see if you were able to see the WMI events, it might take some time to get uploaded after you have added the agent.
Let us know the status so that we can help you accordingly.
Sign in to comment