SocInABox
Iron Contributor
Jul 13, 2023

azure activity connector not working

Hi there,

 

The Azure Activity Connector from the Sentinel Content Hub is not working for me.

 

I launched the Azure Policy Assignment wizard and created the Azure Policy as instructed.

 

For testing, I created and deleted a resource group.

 

The Azure Activity Log shows entries for the creation/deletion of the resource group.

Azure Policy shows the new collection policy - the scope is set at the subscription level, so no filtering, and its compliance state is 'compliant'.

 

Has anyone recently configured the Azure Activity connector? Any surprises?

 

Thanks.

  • SocInABox, you mean you're not getting any incident in the Sentinel portal when you're creating or deleting a resource group in Azure?

    • RobbyD796
      Copper Contributor

      eliekarkafy I have not been able to get it working. I have waited 10+ hrs and when I go to Data Connectors it still says not connected!!

      If anyone could help please?

      • G_Wilson3468
        Iron Contributor

        RobbyD796 

        There could be a number of reasons Azure Active data connector is disconnected. Has it ever been connected, or did it disconnect after working? If you haven't ever had it connected, I would check a few things:
        1. Make sure you disconnect from legacy methods.
        2. Make sure that your policy scope is at the resource group level. It will not send data at the subscription level.

        Also make sure that you have checked the remediation task and set the remediation task. 


        Finally, be sure to look in the Log Analytics workspace to determine if you have logs coming in. 

    • SocInABox
      Iron Contributor
      Well heck, it's working now, I need to learn patience.

      I just recreated the policy, created/deleted a resource group named 'TEST123', and after waiting about 5 minutes the log showed up.

      eliekarkafy, not an incident, just a log in the AzureActivity table, e.g.:
      AzureActivity | where ResourceGroup == "TEST123"

      All good now.
      • eliekarkafy
        MVP
        Yeah, Azure Policy sometimes takes up to 10 min to take effect. I saw your post on CCP as well 😄
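
A query for the workspace check discussed in the thread, as an added example that is not part of any participant's post: it shows whether AzureActivity rows are arriving for the test resource group and how long after the event they were ingested. The 24-hour window and the derived column names (DelayMinutes, Events, LastEvent, MedianDelayMin, MaxDelayMin) are assumptions chosen for illustration.

```kql
// Added example: confirm the connector is delivering rows and measure the delay.
AzureActivity
| where TimeGenerated > ago(24h)                      // assumed look-back window
| where ResourceGroup =~ "TEST123"                    // test resource group from the thread; =~ ignores case
| extend DelayMinutes = (ingestion_time() - TimeGenerated) / 1m   // event time vs. arrival in the workspace
| summarize Events = count(),
            LastEvent = max(TimeGenerated),
            MedianDelayMin = percentile(DelayMinutes, 50),
            MaxDelayMin = max(DelayMinutes)
    by SubscriptionId, OperationNameValue, ActivityStatusValue
| order by LastEvent desc
```

An empty result more than about 10 minutes after the test operation means the events have not reached the workspace; rows with a delay of a few minutes match what the posters saw.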
