Duplicate SecurityEvent logging after migrating from MMA to AMA

mpls 80 Reputation points
2024-12-06T20:24:41.8566667+00:00

Greetings, I added a few extra tags to this as we are not quite sure of why we cannot Disconnect or Delete the Security Events Via the Legacy Agent Connector from our Sentinel environment. All Azure VMs have been migrated from the MMA (Legacy) agent to the AMA agent. When I review the AMA migration workbook I see all virtual machines using AMA and non with the Legacy agent still installed.

Yet we cannot remove the Legacy connector and we have seen a huge spike in costs related directly to the SecurityEvent table in the past 3 weeks. It is defiinitely getting duplicate data and we think the most likely contributor is the Legacy connector. We have engaged a consultant and they haven't been able to find it. We have been scouring through many Microsoft posts around this topic. Any help would be greatly appreciated.

User's image

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,449 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,194 questions
Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
229 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sándor Tőkési 171 Reputation points
    2024-12-08T12:30:53.33+00:00

    This error message typically indicates that you previously configured auto-provisioning of the MMA agent and used a Sentinel instance to send some logs there. However, I have encountered some environments where I could not locate this configuration, while in others, I was able to identify and remove it. The first step should be to check if this configuration exists anywhere in Defender for Cloud.

    You can also confirm that the issue is with the legacy agent by checking if any of the machines have both agents installed. By querying the agent category, you can determine if both agents are present, which might indicate that they are both sending logs to Sentinel.

    Heartbeat
    | where TimeGenerated > ago(21d)
    | summarize make_set(Category) by Computer
    

    Currently, Heartbeat logs use a different endpoint than real events. This means that it's possible for someone to block Heartbeat logs while still allowing security events. You can verify if logs are coming from both sources by checking specific fields that are unique to logs created by the newer version of the AMA agent. For example, the EventRecordId field is only present in the newer version of the AMA agent and does not appear in logs from the MMA or older AMA versions.

    SecurityEvent
    | where TimeGenerated > ago(21d)
    | extend IsEventIdPresent = iif(isempty(EventRecordId), false, true)
    | summarize make_set(IsEventIdPresent) by Computer
    

    However, in my experience, duplicates are often caused by DCR misconfigurations. This typically happens when multiple DCRs are assigned to the same machine or when logs are processed through multiple ingestion-time transformations, resulting in duplicates being output to the same table.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.