SocInABox (Iron Contributor)
Jul 13, 2023
Azure Activity connector not working
Hi there,
The Azure Activity Connector from the Sentinel Content Hub is not working for me.
I launched the Azure Policy Assignment wizard and created the Azure Policy as instructed.
For testing, I created and deleted a resource group.
The Azure Activity Log shows entries for the creation/deletion of the resource group.
Azure Policy shows the new collection policy - the scope is set at the subscription level, so no filtering, and its Compliance state is 'compliant'.
Has anyone recently configured the Azure Activity connector? Any surprises?
Thanks.
SocInABox you mean you're not getting any incident in the Sentinel portal when you're creating or deleting a resource group in Azure?
- RobbyD796 (Copper Contributor)
eliekarkafy I have not been able to get it working. I have waited 10+ hrs and when I go to Data Connectors it still says not connected!!
If anyone could help please?
- G_Wilson3468 (Iron Contributor)
There could be a number of reasons Azure Active data connector is disconnected. Has it ever been connected, or did it disconnect after working? If you haven't ever had it connected, I would check a few things:
1. Make sure you disconnect from legacy methods.
2. Make sure that your policy scope is at the resource group level. It will not send data at the subscription level. Also make sure that you have checked the remediation task and set the remediation task.
Finally, be sure to look in the Log Analytics workspace to determine if you have logs coming in.
- SocInABox (Iron Contributor)
Well heck, it's working now, I need to learn patience.
I just recreated the policy, created/deleted resource group named 'TEST123' and after waiting about 5 minutes the log showed up.
eliekarkafy, no, not an incident, just a log in the AzureActivity table, e.g.:
AzureActivity | where ResourceGroup == "TEST123"
All good now.
- Yeah, Azure Policy sometimes takes up to 10 min to take effect. I saw your post on CCP as well 😄
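
Added example, not part of any post in this thread: a KQL query for the Log Analytics workspace that extends the TEST123 check above into a per-subscription view, showing whether AzureActivity records are arriving and how long they take to be ingested. The 24-hour window is an assumption; adjust it to cover your test.

```kusto
// Added example (not from the thread): ingestion health of the AzureActivity table.
// Assumption: a 24h lookback is long enough to include your test operation.
AzureActivity
| where TimeGenerated > ago(24h)
// Optional: narrow to the test resource group used in the thread.
// | where ResourceGroup =~ "TEST123"
// Delay between the event time and the moment the record landed in the workspace.
| extend IngestionDelaySec = datetime_diff('second', ingestion_time(), TimeGenerated)
| summarize
    Events         = count(),
    FirstEvent     = min(TimeGenerated),
    LastEvent      = max(TimeGenerated),
    MedianDelaySec = percentile(IngestionDelaySec, 50),
    MaxDelaySec    = max(IngestionDelaySec)
    by SubscriptionId
// How stale the newest record is for each subscription.
| extend MinutesSinceLastEvent = datetime_diff('minute', now(), LastEvent)
| order by LastEvent desc
```

A subscription that does not appear in the result has delivered nothing in the window, and a large MinutesSinceLastEvent on an active subscription suggests the flow has stalled rather than that it is merely delayed.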