Log data for connecting and disconnecting Sentinel Data Connectors


Just wondering if anyone has any knowledge of where log data for connecting and disconnecting Sentinel Data Connectors might be stored. We ran into this scenario in my production environment where the Azure Active Directory connectors for AuditLogs and SigninLogs were suddenly disconnected and no one has any record of when or why. I've since turned the connectors back on, but I can't isolate the event or actor where the log was turned off.

Has anyone had any experience with this, or could point me to a doc where I might generate a query to find this event? I can see roughly when the logs were turned off, and they were off for over a week.

1 Reply

@gcorsini 

Without physically testing the AAD connector myself, going off the link below I would assume the logs should be in the Azure Activity table. I've made changes to the DNS connector recently which involved turning it off/on, and I could see the events in the logs. Hope this helps.

https://docs.microsoft.com/en-us/azure/sentinel/audit-sentinel-data

MICROSOFT SENTINEL DATA INCLUDED IN AZURE ACTIVITY LOGS

Operation: Deleted
Information types: Alert rules, Bookmarks, Data connectors, Incidents, Saved searches, Settings, Threat intelligence reports, Watchlists, Workbooks, Workflow

Operation: Updated
Information types: Alert rules, Bookmarks, Cases, Data connectors, Incidents, Incident comments, Threat intelligence reports, Workbooks, Workflow
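Putting the two halves of the thread together (the ingestion gap the question describes, and the AzureActivity records the reply points at), here is a worked KQL example. It is added here and is not code from the original post or from the Microsoft docs page linked above. It assumes the Azure Activity connector is enabled for the subscription that holds the Sentinel workspace and that the outage window falls inside the workspace's AzureActivity retention; the `lookback` value and the column/operation names are my assumptions based on the AzureActivity schema, not something the thread states.

```kusto
// Added example; not from the original post or Microsoft's documentation.
// Assumption: AzureActivity is being ingested for the subscription that
// contains the Sentinel workspace, and covers the outage period.
let lookback = 30d;

// Step 1: size the gap. Daily event counts per table make the day the
// Azure AD logs stopped, and the day they resumed, obvious, and give a
// tight time window for step 2.
union withsource = SourceTable AuditLogs, SigninLogs
| where TimeGenerated > ago(lookback)
| summarize Events = count() by SourceTable, Day = bin(TimeGenerated, 1d)
| order by SourceTable asc, Day asc

// Step 2 (run as a separate query): who changed the data connectors?
// Sentinel connector resources live under the Microsoft.SecurityInsights
// resource provider, so control-plane writes and deletes show up in
// AzureActivity with OperationNameValue such as
// MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE or .../DELETE.
// `contains` is case-insensitive, so the casing of the value does not matter.
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue contains "SecurityInsights/dataConnectors"
| where ActivityStatusValue != "Start"   // keep the completion row, not the in-progress row
| extend ConnectorId = tostring(split(_ResourceId, "/", -1)[0])   // last path segment of the resource ID
| project TimeGenerated, OperationNameValue, ActivityStatusValue,
          Caller, CallerIpAddress, ConnectorId, ResourceGroup, _ResourceId, Properties
| order by TimeGenerated asc
```

`Caller` is the actor (a UPN for a user, an application or object ID for a service principal) and `CallerIpAddress` is where the call came from; a delete followed a week later by a write against the same `ConnectorId` is the pattern to look for. If step 2 returns nothing for the window, check two things before concluding the change was never logged: the Azure Activity connector only streams from the moment it is itself connected, so it must have been on at the time; and, as far as I know, the Azure AD connector's SigninLogs/AuditLogs toggles are implemented as tenant-level Azure AD diagnostic settings (the `microsoft.aadiam` provider), so the matching change may sit in the tenant-scoped activity log rather than in the subscription-scoped AzureActivity table. Turning the step 2 query into a scheduled analytics rule that alerts on any dataConnectors write or delete closes this gap for next time.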