MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Keyword attribute/field is not present in AMA #121325

Closed Dhaval8951 closed 3 months ago

Dhaval8951 commented 6 months ago

Hello Team,

I am working on an implementation that requires the Keyword field to identify whether an audit failed or succeeded, but in recent AMA logs I am not able to find the Keyword field.

Example: in the old log format, for example, the logs in the URL mentioned below have a Keyword field associated with them, which is not present in the new log format.

0x8020000000000000

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4740

In the new log format, the Keyword field is not present. How can I check whether a Security Auditing event succeeded or failed? https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

Any help would be much appreciated. Thanks in advance, Dhavalkumar Chauhan


Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
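Added example (not part of the thread or of Microsoft's documentation): decoding the Keywords mask of an event that still carries it, such as the `0x8020000000000000` value quoted in the post above, and returning `unknown` when the element is absent. The sample events are constructed, the names `audit_result` and `make_event` are hypothetical, and the two masks are the standard Windows audit keyword bits.

```python
import xml.etree.ElementTree as ET

# Standard Windows event keyword bits (same values as .NET StandardEventKeywords).
AUDIT_FAILURE = 0x0010000000000000
AUDIT_SUCCESS = 0x0020000000000000
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def audit_result(event_xml):
    """Classify one event's XML as 'success', 'failure' or 'unknown'."""
    node = ET.fromstring(event_xml).find("e:System/e:Keywords", NS)
    if node is None or not (node.text or "").strip():
        return "unknown"  # no Keywords element, the case reported in this issue
    try:
        mask = int(node.text.strip(), 16)  # base 16 accepts the 0x prefix
    except ValueError:
        return "unknown"  # malformed value, do not guess
    # Test individual bits: the full value also carries other bits,
    # e.g. the top bit in 0x8020000000000000.
    if mask & AUDIT_FAILURE:
        return "failure"
    if mask & AUDIT_SUCCESS:
        return "success"
    return "unknown"  # Keywords present but neither audit bit set


def make_event(event_id, keywords=None):
    """Build a minimal, constructed event record for the demo below."""
    kw = "<Keywords>%s</Keywords>" % keywords if keywords is not None else ""
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>%s</System></Event>'
            % (NS["e"], event_id, kw))


# Constructed samples: one success, one failure, one without Keywords.
SAMPLES = [
    make_event(4740, "0x8020000000000000"),
    make_event(4625, "0x8010000000000000"),
    make_event(4740),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(audit_result(xml_text))
```
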

PesalaPavan commented 6 months ago

@Dhaval8951 Thanks for your feedback! We will investigate and update as appropriate.

JeffreyWolford commented 6 months ago

The Azure Monitor team is urgently working to resolve this issue. I do not have an ETA, but multiple engineers are currently working on this issue.

Dhaval8951 commented 6 months ago

@JeffreyWolford Much appreciated response, thank you for this.

May I know whether the mentioned field/attribute is going to be introduced in AMA logs or, if possible, what kind of solution will be provided to identify whether a security audit is a success or a failure?

Warmest Regards, Dhavalkumar Chauhan

CC @PesalaPavan

Dhaval8951 commented 5 months ago

Hi @guywi-ms

Greetings of the day!

Can you please provide any kind of update you have that you can share with us?

It is blocking us, because Audit Success or Audit Failure identification is not present in AMA Security logs.

Warmest Regards, Dhavalkumar Chauhan

guywi-ms commented 5 months ago

Hi @Dhaval8951 Hope you're well! @JeffreyWolford can you please update @Dhaval8951? I believe this is a product issue.

AaronMaxwell commented 3 months ago

Thanks for your dedication to our documentation. This issue has been moved to an internal work item for triage and prioritization. Thanks in advance for your understanding as we investigate to provide the most accurate documentation updates. #please-close

Internal work item: https://dev.azure.com/msft-skilling/Content/_workitems/edit/262449

Please also note that GitHub documentation issues are being phased out completely. For more information see: https://aka.ms/ContentUserFeedback.

Our support team is available to assist you if you have any pressing questions or problems that need to be resolved. You can create a support ticket by visiting the following link: https://azure.microsoft.com/support/create-ticket/

You may also ask support questions to our Q&A forums or on Stack Overflow when the questions are related to coding.