Forum Discussion
Everything Azure Sentinel connectors
Dear Ofer_Shezaf,
How can I monitor the status of Sentinel connectors (using KQL)? In the context of my problem, there are two types of connectors: (1) the ones with frequent data ingestion (e.g. Azure Activity, Azure Active Directory, Syslog) and (2) the ones with eventual data ingestion (e.g. Microsoft Cloud App Security, Azure Advanced Threat Protection, Azure Security Center, Microsoft Defender Advanced Threat Protection). For the first type, it is easy to monitor via anomaly behaviour functions. My struggle is with the second type. Do you have any idea on how I can address this?
Thanks in advance.
- Ofer_Shezaf, Mar 23, 2020, Microsoft
jjsantanna: there is no easy way to detect anomalies or issues in a phenomenon that has no predictability. Nothing specific to Azure Sentinel here. I think that alerting on a fixed schedule if no alert was generated, or creating a simulation alert on a fixed schedule (both are rather similar solutions), might be a solution.
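One way to put the "alert if nothing arrived within the expected window" idea into a scheduled KQL rule, as an added example that is not part of the original thread: every table gets its own maximum tolerated silence, so chatty sources trip quickly while incident-driven sources such as SecurityAlert are only flagged after a longer gap. The table names and thresholds are constructed placeholders for a real tenant's baseline.

```kql
// Added example (not from the original post): per-table silence check.
// Constructed thresholds: short for high-volume sources, long for sources
// that only emit when something happens; tune them to your own baseline.
let thresholds = datatable(TableName:string, MaxSilence:timespan) [
    "AzureActivity", 1h,
    "SigninLogs",    1h,
    "Syslog",        1h,
    "SecurityAlert", 7d
];
thresholds
| join kind=leftouter (
    // Latest record seen per table over the lookback window.
    union withsource=TableName *
    | where TimeGenerated > ago(30d)
    | summarize LastEvent = max(TimeGenerated) by TableName
) on TableName
// A table with no rows at all in the window counts as silent for the full window.
| extend Silence = iff(isnull(LastEvent), 30d, now() - LastEvent)
| where Silence > MaxSilence
| project TableName, LastEvent, Silence, MaxSilence
```

Scheduled as an analytics rule, any row returned is a connector that has gone quiet beyond its tolerance; for large workspaces the `Usage` table (`Usage | summarize max(TimeGenerated) by DataType`) gives the same last-seen signal far more cheaply than `union *`.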
- jjsantanna, Mar 23, 2020, Brass Contributor
Ofer_Shezaf Thanks for your answer. Unfortunately, I was expecting it. Still, how can an MSP guarantee to a client that those "not predictable" connectors are still "on"? The system/Azure/Azure Monitor/Log Analytics/Sentinel should have something that we could check via PowerShell, don't you think?