Microsoft Tech Community

Azure Sentinel Built-in Data Connector Does not Ingest Logs from Storage Container into Log Table

We were receiving logs from a particular log source (Cloudflare Firewall logs) into Sentinel using Sentinel's built-in data connectors. (The data connector was automatically deployed using ARM Template.)
A few days ago we made some configuration changes on the log source so that the logs would be pushed into Sentinel when matching certain criteria (for example, when they are associated with a particular host). But after those config changes, the data connector stopped ingesting logs into the table. The logs are still being pushed into the storage container on Azure and are being consistently updated, but they are not being pushed into the log table. We even tried to reverse the changes on the source side so that the logs would be exactly the same as before, but the problem still persists.
Trying to reconfigure the data connector by redeploying it using ARM Template also didn't help.


We would appreciate it if anybody could assist us on this urgent issue.

5 Replies

Hello @ParsaZ,


This connector is under Preview and there can be bugs with it.

Did you create a new Storage Account for the new Data connector?

@mikhailf Yes. We tried 2 different storage accounts, but the problem is the same. The logs are being pushed into them, but there is no log in the Cloudflare_CL table even after automatic deployment of the data connector using the ARM template. We reverted the changes on the log source and even created new log push jobs on the source, but the issue persists and the logs do not appear in the log table.

Hello @ParsaZ,


By deploying the data connector you deploy an Azure Function. Please find this function and, under "Overview", verify that the Function Execution Count is not 0.


The count is more than 0 because we are pushing different types of Cloudflare logs into Sentinel. But Sentinel is only pushing the logs that we haven't made any changes to into the log table. (In the container there are, for example, 5 log folders: one is the DNS logs folder, one is Network, one is firewall, etc. The logs in the firewall folder (which are the logs that we tried to make changes to) are not being pushed into the Cloudflare table, but the logs in the other folders are.) So that is why the function app count is not 0.

We created another container specifically for the firewall logs. The logs are being pushed into the container but again, not into the log table. And as we check the related function app's execution count, it is more than 0, but still no logs.
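The per-folder comparison this thread arrives at (blobs keep landing in the firewall folder while the function's execution count stays above zero, yet no firewall rows reach the table) can be turned into a repeatable check. The following is an added example, not code from the thread or from the Sentinel connector: given a listing of blobs in the container and the newest Cloudflare_CL row per source folder, it reports folders that receive fresh blobs but whose ingested rows are missing or stale. The blob paths, the per-folder column on the table side and all sample data are constructed assumptions; the real Cloudflare_CL schema must be checked before adapting it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not taken from the thread). Blob paths are
# container-relative; the first path segment is the per-log-type folder.
NOW = datetime(2024, 4, 3, 12, 0, tzinfo=timezone.utc)
BLOBS = [  # (blob path, last_modified)
    ("dns/2024-04-03T11-55.log.gz", NOW - timedelta(minutes=5)),
    ("network/2024-04-03T11-50.log.gz", NOW - timedelta(minutes=10)),
    ("firewall/2024-04-03T11-58.log.gz", NOW - timedelta(minutes=2)),
    ("firewall/2024-04-03T11-30.log.gz", NOW - timedelta(minutes=30)),
]
# Constructed rows standing in for a Cloudflare_CL export. The "source folder"
# value is a hypothetical column; derive it from whatever field the real
# table uses to distinguish log types.
INGESTED = [  # (source folder, TimeGenerated)
    ("dns", NOW - timedelta(minutes=4)),
    ("network", NOW - timedelta(minutes=9)),
    ("firewall", NOW - timedelta(days=3)),  # newest firewall row is days old
]


def find_ingestion_gaps(blobs, ingested, fresh_within=timedelta(hours=1),
                        max_lag=timedelta(minutes=30), now=NOW):
    """Return {folder: {...}} for folders whose newest blob is recent but whose
    newest ingested row is absent or lags that blob by more than max_lag."""
    newest_blob = {}
    for path, modified in blobs:
        folder = path.split("/", 1)[0]
        if folder not in newest_blob or modified > newest_blob[folder]:
            newest_blob[folder] = modified
    newest_row = {}
    for folder, ts in ingested:
        if folder not in newest_row or ts > newest_row[folder]:
            newest_row[folder] = ts
    gaps = {}
    for folder, blob_ts in newest_blob.items():
        if now - blob_ts > fresh_within:
            continue  # storage side is idle for this folder; nothing to compare
        row_ts = newest_row.get(folder)
        if row_ts is None or blob_ts - row_ts > max_lag:
            gaps[folder] = {"newest_blob": blob_ts, "newest_row": row_ts}
    return gaps


if __name__ == "__main__":
    for folder, info in find_ingestion_gaps(BLOBS, INGESTED).items():
        print(f"{folder}: newest blob {info['newest_blob']}, "
              f"newest ingested row {info['newest_row']}")
```

A non-zero execution count only proves the function is being triggered; this check tells you which folder the function is triggered for but never lands in the table.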