Moving Azure Activity Connector to an improved method

Published Jun 24 2021 03:32 AM 2,508 Views

The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. For additional functionality, you should create a diagnostic setting to send the Activity log to your Azure Sentinel.



What changed?

The Azure Activity connector used a legacy method for collecting Activity log events, prior to its adoption of the diagnostic settings pipeline. If you're using this legacy method, you are strongly encouraged to upgrade to the new pipeline, which provides better functionality and consistency with resource logs.

Diagnostic settings send the same data as the legacy method used to send the Activity log with some changes to the structure of the AzureActivity table.

The columns in the following table have been deprecated in the updated schema. They still exist in AzureActivity but they will have no data. The replacement for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so in the event, you have any private or internal content (such as hunting queries, analytics rules, workbooks, etc.) based on the deprecated columns, you may need to modify it and make sure that it points to the right columns.





Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:

  • Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
  • Improved reliability.
  • Improved performance.
  • Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset - for example, no support for Service Health events).
  • Management at scale with Azure policy.
  • Support for MG-level activity logs (coming in preview now).


Set up the (new) Azure Activity connector

The new Azure Activity connector includes two main steps- Disconnect the existing subscriptions from the legacy method, and then Connect all the relevant subscriptions to the new diagnostics settings pipeline via azure policy.










Please go to Connect Azure Activity log data to Azure Sentinel to learn more about the new connector experience.


Occasional Contributor

@ShaharAviv , @Tiander Turpijn  Thanks for sharing this article. I have 30+ analytic rules based on azure activity logs. Is there any way to update the new column names in all the analytic rules at once? I would also like to know by when the deprecated columns will be removed permantely. 


Hi @Pavan_Gelli1910 , thanks for reaching out!

Unfortunately, I'm not familiar with a good and effective way to update all analytic rules at once. The deprecated columns will not be removed permanently in the near future (a few years) but we do not recommend using them. 

Respected Contributor

How can we tell if the old connector is still being used so that it can be upgraded?


Hi @Dean Gross,

In step #1 on the connector page, we check which of the subscriptions you own are connected through the old pipeline (you will see them in the scrolling list below). In case there are a few- just click on the "Disconnect All" button below the list.


Make sure that you connecting them all back using the Policy in step #2 or manually enable diagnostic settings logs for each subscription.

Respected Contributor

@ShaharAviv thanks, we use Lighthouse and have many instances of Sentinel. Do you have any recommendations about how to this at scale?


@Dean Gross The best way is to assign a Policy for each Tenant. Feel free to contact me for more details/guidance.

Respected Contributor

@ShaharAviv thanks for the offer. How should I contact you to get more details?


@Dean Gross You can find me at:

Version history
Last update:
‎Jun 24 2021 04:53 AM
Updated by: