What Changed
Added a new KQL workspace function AMAVersionReport() that provides centralized visibility into Azure Monitor Agent deployments across the Sentinel environment.
Function Logic
The function queries the Heartbeat table to extract the most recent Azure Monitor Agent telemetry per resource:
- Filters for Category == "Azure Monitor Agent"
- Uses summarize arg_max(TimeGenerated, *) to get the latest heartbeat per _ResourceId
- Returns distinct records showing Computer name, AMA Version, OS Name, Environment, and Resource ID
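The query shape described above, written out as an added KQL example rather than the body of Functions/AMAVersionReport.txt; it goes one step further than the function by flagging agents below an assumed minimum version and agents whose last heartbeat is older than an assumed window (MinimumAmaVersion and StaleAfter are placeholder assumptions, not values from this change).

```kql
// Added example, not the repository's function body. Values below are assumptions.
let MinimumAmaVersion = "1.0.0";   // assumed approved baseline; replace with your minimum
let StaleAfter = 24h;              // assumed window after which a silent agent is "stale"
Heartbeat
| where Category == "Azure Monitor Agent"
// Latest heartbeat per resource; arg_max keeps every column of that newest row,
// and grouping by _ResourceId already yields one record per resource.
| summarize arg_max(TimeGenerated, *) by _ResourceId
| extend IsOutdated = parse_version(Version) < parse_version(MinimumAmaVersion),
         IsStale = TimeGenerated < ago(StaleAfter)
| project TimeGenerated, Computer, AMAVersion = Version, OSName, Environment,
          _ResourceId, IsOutdated, IsStale
// Surface the hosts that need attention first.
| order by IsOutdated desc, IsStale desc, Computer asc
```

Dropping the two extend columns and the order clause reduces this to the distinct-per-resource report the function returns.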
Security Impact
This function enables proactive monitoring of AMA deployment health and version compliance. SOC teams can identify outdated agents that may have security vulnerabilities or missing log collection capabilities. Regular execution helps ensure consistent data ingestion quality across the environment.
Affected Files
Functions/AMAVersionReport.txt