AMA agent detection

Soumya Banerjee 126 Reputation points
2021-11-29T05:32:09.54+00:00

In Sentinel, how do I confirm, amongst the reporting computers, which ones are coming from the AMA agent?
Is there any specific field in Heartbeat which I can query to see how many are coming through AMA agents?


2 answers

  1. Stanislav Zhelyazkov 21,101 Reputation points MVP
    2021-11-29T13:32:29.553+00:00

    Hi,
    Currently there is not an easy way to distinguish whether the Heartbeat data is coming from the Azure Monitor Agent or from the Log Analytics agent. When the same computer is using both agents, the heartbeat data will be logged by both agents. I have spotted the following differences when data is coming from both agents:

    For Linux:

    • SourceComputerId is different for each agent's data
    • Version is different for each agent. For example, for AMA it is currently 1.12.2 and for LAA it is 1.13.40-0
    • Values in Solutions will also differ depending on what you use each agent for
    • It seems the AMA agent currently does not send data for the column ComputerPrivateIPs. This could be a bug or a missing feature that will be fixed at some point, or maybe it applies only to my environment.

    Based on this we can come up with the following queries.

    Heartbeat
    | where OSType == "Linux"
    | where isnull(ComputerPrivateIPs)

    Heartbeat
    | where OSType == "Linux"
    | where Version !contains "-"

    For Windows:

    • OSName is logged by AMA only
    • The AMA version is 1.1.2.0, whereas LAA is 10.20.18053.0

    Based on this we can come up with the following queries.

    Heartbeat
    | where OSType == "Windows"
    | where OSName != ""

    Heartbeat
    | where OSType == "Windows"
    | where Version startswith "1."

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Soumya Banerjee 126 Reputation points
    2021-12-09T06:19:27.03+00:00

    Thanks.

    Based on my findings, I put together the queries below, based on the distinct versions that are reporting to Heartbeat in our environment.

    /// Windows Computers with AMA ///
    Heartbeat
    | where OSType contains "Windows"
    | where Version in ("1.1.3.2","1.1.2.0","1.1.1.0","1.0.12.0")
    | distinct Computer

    +++++++++++++++++++++++++++++++++++++++

    /// Linux Computers with AMA ///
    Heartbeat
    | where Version contains "1.14.5"
    | distinct Computer

    +++++++++++++++++++++++++++++++++++++++

    /// Computers not through AMA ///
    Heartbeat
    | where Version !in ("1.1.3.2","1.1.2.0","1.1.1.0","1.0.12.0","1.14.5")
    | distinct Computer

    I deduced it based on:

    Version for Linux AMA: https://learn.microsoft.com/en-us/answers/questions/591695/azure-monitor-agent-unable-to-communicate-with-log.html. Here I found the comment: "AnuragSingh-MSFT commented • Nov 10 2021 at 8:49 AM
    @Peter Smit, As now documented, AMA Linux 1.12.2.0 has a regression on Arc machines. Rollout of next version 1.14 is in progress"

    Version reference table for AMA: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc#extension-versions
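Building on both answers above, here is an added example (not from either poster) that classifies each Heartbeat row by the version-string patterns the first answer describes, rather than a fixed version list that goes stale with every agent release, and then counts computers reporting through AMA only, LAA only, or both. The one-day window and the assumption that these patterns still hold in your tenant are assumptions to verify against your own data.

```kusto
// Added example: infer the reporting agent from Heartbeat.Version patterns
// (assumption: Windows AMA versions look like 1.x.y.z and LAA like 10.20.xxxxx.x;
// Linux LAA versions carry a "-N" build suffix such as 1.13.40-0, AMA versions do not).
Heartbeat
| where TimeGenerated > ago(1d)            // assumed lookback window
| where OSType in ("Windows", "Linux")
| extend AgentGuess = case(
    OSType == "Windows" and Version startswith "1.", "AMA",
    OSType == "Windows", "LAA",
    OSType == "Linux" and Version !contains "-", "AMA",
    "LAA")
// One row per computer with the set of agents seen in the window
| summarize Agents = make_set(AgentGuess),
            Versions = make_set(Version),
            LastSeen = max(TimeGenerated)
    by Computer, OSType
| extend Reporting = case(
    array_length(Agents) > 1, "Both agents",
    tostring(Agents[0]) == "AMA", "AMA only",
    "LAA only")
// Final tally plus a few example hosts per bucket for spot-checking
| summarize Computers = dcount(Computer),
            Examples = make_set(Computer, 5)
    by OSType, Reporting
| order by OSType asc, Reporting asc
```

Drop the last `summarize` to see the per-computer rows, including the Versions set, which is the quickest way to confirm the patterns match what your agents actually report.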