SOLVED

Monitoring data connectors in Sentinel - Check if any connectors are down


Hi,

You will have to forgive my basic Azure knowledge, as I'm a DBA looking after about 250 servers for various clients, but have been asked by my company if I could write some KQL that will alert them if a data connector goes down or is deleted.

 

I have managed to write some KQL that tells me if a resource hasn't raised any events in the last hour or X hours, depending on the resource, but when I try to create an alert based on this KQL it passes validation, but then I get the message "failed to create the rule as your query contains 'union' and 'search'". I have read it's not possible to use union and search in such queries, but is there an alternative method? Due to the number of connectors we have, we don't want to create an individual alert rule for each connector.

We'd like to set the query to run every hour or so and get an alert if no events have been raised by a data connector.

 

Also, is there any way to specifically check if a data connector that previously existed is no longer working or has been deleted? And how do you actually delete a data connector once you've created it? Is it possible to do it from the portal, as I can't seem to find a way to do it for my testing?

 

Thanks and sorry for my lack of Azure knowledge, but learning all the time! If anyone needs DBA help, more than happy to help.

2 Replies
Best Response confirmed by sijmalik (Occasional Contributor)
Solution

@sijmalik 

 

Search and union wildcards are not allowed (i.e. `union *`), but you can name the tables, as per this simple example using two common tables:

union SecurityAlert, SecurityEvent
| limit 10

(within an Analytics scheduled rule in Azure Sentinel)
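As an added example (not part of the thread, and not Clive's or Microsoft's code), here is one way to turn the advice above into a single scheduled Analytics rule query that watches several connectors at once. It unions explicitly named tables rather than `union *`, records the most recent event per table, and returns one row for every table that has been silent for longer than its own threshold. The table list and the per-table thresholds in the `expected` datatable are assumptions for illustration; swap in the tables your connectors actually write to:

```kql
// Added example, not code from the original post.
// Scheduled Analytics rule query: flag connector tables that have gone quiet.
// `union *` and `search` are rejected by the rule validator, so every table is named.
let lookback = 7d;   // must not exceed the rule's "Lookup data from the last" setting (max 14d)
// Assumed table list and maximum tolerated silence per table, in hours.
let expected = datatable(Table:string, MaxSilenceHours:int) [
    "SecurityEvent",     1,   // Windows Security Events via agent: near-continuous
    "Syslog",            1,
    "CommonSecurityLog", 2,   // CEF via the log forwarder
    "SigninLogs",        2,
    "AzureActivity",     6,   // quiet subscriptions log less often
    "AuditLogs",         12
];
// Last event seen per table. Each summarize without a group-by returns one row even on
// empty input, so a table with no recent data still yields a row with a null LastEvent.
// isfuzzy=true keeps the query valid if one of the named tables does not exist in the workspace.
let last_seen = union isfuzzy=true
    (SecurityEvent     | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "SecurityEvent"),
    (Syslog            | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "Syslog"),
    (CommonSecurityLog | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "CommonSecurityLog"),
    (SigninLogs        | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "SigninLogs"),
    (AzureActivity     | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "AzureActivity"),
    (AuditLogs         | where TimeGenerated > ago(lookback) | summarize LastEvent = max(TimeGenerated) | extend Table = "AuditLogs");
expected
| join kind=leftouter last_seen on Table
// Null LastEvent means nothing arrived in the whole lookback window (or the table is missing):
// treat that as silent for the full window so it is always flagged.
| extend HoursSilent = iff(isnull(LastEvent), lookback / 1h, (now() - LastEvent) / 1h)
| where HoursSilent > MaxSilenceHours
| project Table, LastEvent, HoursSilent, MaxSilenceHours
| order by HoursSilent desc
```

Run the rule every hour with "Lookup data from the last" set to at least the `lookback` value and the alert condition set to "number of results is greater than 0"; each row in the result is a connector table that has missed its expected cadence, so one rule covers the whole list instead of one rule per connector. A table that never existed, or that stopped receiving data long enough ago to fall outside the lookback, shows up with an empty `LastEvent`, which also answers the "previously existed but no longer working" case as far as the data itself can show it.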

@Clive Watson Ah. OK, yes I was using union *, it works fine when I put the table names in. Thanks Clive, much appreciated!

 

So, just being a bit cheeky, does anyone know how to delete a connector, as I need to do this for testing? I'm assuming I have to use HTTP and pass in the URI parameters. But as an example, I've got an Azure SQL Database connector that I want to delete. Where would I find the connector ID? I tried just putting 'Azure SQL Database' in the connector ID parameter, but I got a 204 code back.

 

Thanks