Azure Activity Data Connector


Hi All,

My organization is currently working to stand up Sentinel and we are implementing our data connectors. However, we are unable to enable the Azure Activity data connector. All policies are written correctly and should be sending to Sentinel, but it is saying not connected.

Any recommendations?


@Smittydude8822

How long have you waited so far? It can sometimes take an hour or more.

Have you actually checked to see if data is being sent? I've seen cases where it's shown as "not connected" but you do get data.

We've attempted to do this a few times over the past few weeks with no success. We've put the policy in place and waited over the period of time that has been suggested, but still no connection.

Did you do the remediation task OK? There is a step-by-step walkthrough here:

https://intothecloudverse.com/2021/08/24/azure-activity-data-connector-for-azure-sentinel-issue-and-...

It's really strange. I found that document as well. After a few minutes, it does register that the policy is compliant, but it does not appear that it has connected.

@Smittydude8822 

You can manually export the Activity Log to Log Analytics. This is what the remediation task does.

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-t...

@Smittydude8822 

Check if your policy scope is the resource group instead of the subscription. I made that mistake the first time deploying the connector, in a similar situation to the one described.

For it to work, the scope must be the subscription.

Hope this helps.
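The manual export route mentioned above and the subscription-scope point, shown together as an added example (not code from the thread or from Microsoft's docs). It assumes the Az.Accounts, Az.Monitor and Az.OperationalInsights modules, and the `<...>` values are placeholders for your own subscription and workspace.

```powershell
# Added example: create a subscription-scoped diagnostic setting that routes the
# Activity Log to the Sentinel Log Analytics workspace, then check that rows arrive.
# Placeholder values: replace each <...> with your own.

$subscriptionId = "<subscription-id>"          # placeholder
$workspaceRg    = "<workspace-resource-group>"  # placeholder
$workspaceName  = "<sentinel-workspace-name>"   # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Resolve the workspace once: the diagnostic setting needs the ARM resource id,
# the query cmdlet needs the workspace (customer) GUID.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceRg -Name $workspaceName

# Enable every Activity Log category (the same set the connector's policy targets).
$categories = 'Administrative', 'Security', 'ServiceHealth', 'Alert',
              'Recommendation', 'Policy', 'Autoscale', 'ResourceHealth'
$logs = foreach ($c in $categories) {
    New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category $c -Enabled $true
}

# Scope matters: this is a *subscription* diagnostic setting, not a resource-group one.
New-AzSubscriptionDiagnosticSetting -Name 'SendActivityLogToSentinel' `
    -WorkspaceId $ws.ResourceId -Log $logs | Out-Null

# Confirm the setting exists and points at the intended workspace.
Get-AzSubscriptionDiagnosticSetting | Select-Object Name, WorkspaceId

# The connector tile can lag behind reality; verify ingestion in the workspace itself.
$kql = 'AzureActivity | where TimeGenerated > ago(2h) | summarize Events = count() by bin(TimeGenerated, 15m)'
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
if (-not $result.Results -or $result.Results.Count -eq 0) {
    Write-Warning 'No AzureActivity rows yet; a new setting can take an hour or more to show data.'
} else {
    $result.Results | Format-Table
}
```

The account running this needs rights to write diagnostic settings on the subscription and to read from the workspace; the KQL check is what tells you data is flowing even while the connector still reports "not connected".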

Hi All,

I am looking to get away from the legacy method and connect via the new method. Does anyone know what permissions are needed for the policy to take effect? I have written the policy, but the logs are not being sent over and ingested by Sentinel.

@tungdra I've noticed that during deployment Azure created a remediation task for the Azure Activity connector, along with a service principal and rights in Log Analytics, plus a subscription right in IAM.

Do you think it can be removed? Or will data ingestion stop after removal?