Merge pull request #212057 from limwainstein/cef-ama-connector

New CEF AMA connector

Author: v-stsavell

articles/sentinel/TOC.yml

@@ -248,6 +248,8 @@
         href: ama-migrate.md
       - name: CEF over Syslog sources
         href: connect-common-event-format.md
+      - name: CEF via AMA
+        href: connect-cef-ama.md
       - name: DNS via AMA
         href: connect-dns-ama.md
       - name: Syslog (raw) sources

articles/sentinel/connect-cef-ama.md

@@ -5,7 +5,7 @@ author: limwainstein
 ms.topic: how-to
 ms.date: 01/05/2022
 ms.author: lwainstein
-#Customer intent: As a security operator, I want proactively monitor Windows DNS activities so that I can prevent threats and attacks on DNS servers.
+#Customer intent: As a security operator, I want to proactively monitor Windows DNS activities so that I can prevent threats and attacks on DNS servers.
 ---
 
 # Stream and filter data from Windows DNS servers with the AMA connector

articles/sentinel/connect-dns-ama.md

@@ -528,6 +528,14 @@ See Barracuda instructions - note the assigned facilities for the different type
 | **Vendor documentation/<br>installation instructions** | [Configuring the Log to a Syslog Server action](https://help.symantec.com/cs/DLP15.7/DLP/v27591174_v133697641/Configuring-the-Log-to-a-Syslog-Server-action?locale=EN_US) |
 | **Supported by** | Microsoft |
 
+## Common Event Format (CEF) via AMA
+
+| Connector attribute | Description |
+| --- | --- |
+| **Data ingestion method** | **[Azure monitor Agent-based connection](connect-cef-ama.md)** |
+| **Log Analytics table(s)** | [CommonSecurityLog](/azure/azure-monitor/reference/tables/commonsecuritylog) |
+| **DCR support** | Standard DCR |
+| **Supported by** | Microsoft |
 
 ## Check Point
 

articles/sentinel/data-connectors-reference.md

@@ -31,6 +31,7 @@ If you're looking for items older than six months, you'll find them in the [Arch
 - [Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)
 - [Out of the box anomaly detection on the SAP audit log (Preview)](#out-of-the-box-anomaly-detection-on-the-sap-audit-log-preview)
 - [IoT device entity page (Preview)](#iot-device-entity-page-preview)
+- [Common Event Format (CEF) via AMA](#common-event-format-cef-via-ama-preview)
 
 ### Account enrichment fields removed from Azure AD Identity Protection connector
 
@@ -120,6 +121,18 @@ The new [IoT device entity page](entity-pages.md) is designed to help the SOC in
 
 Learn more about [investigating IoT device entities in Microsoft Sentinel](iot-advanced-threat-monitoring.md).
 
+### Common Event Format (CEF) via AMA (Preview)
+
+The [Common Event Format (CEF) via AMA](connect-cef-ama.md) connector allows you to quickly filter and upload logs over CEF from multiple on-premises appliances to Microsoft Sentinel via the Azure Monitor Agent (AMA). 
+
+The AMA supports Data Collection Rules (DCRs), which you can use to filter the logs before ingestion, for quicker upload, efficient analysis, and querying.
+
+Here are some benefits of using AMA for CEF log collection:
+
+- AMA is faster compared to the existing Log Analytics Agent (MMA/OMS). 
+- AMA provides centralized configuration using Data Collection Rules (DCRs), and also supports multiple DCRs.
+- AMA is Syslog RFC compliant, a faster and a more resilient and reliant agent, more secure with lower footprint on the installed machine.
+
 ## September 2022
 
 - [Create automation rule conditions based on custom details (Preview)](#create-automation-rule-conditions-based-on-custom-details-preview)