Disabling the Azure Activity Sentinel connector

Copper Contributor

Hi all,

I have an issue with the amount of logs the Azure Activity connector is ingesting into sentinel, and I'd like to disable it so that i could review what subscriptions i want to have in my sentinel . Now I know that i do that by disabling the diagnostic Settings on my resources, however I do not know how do so en masse, since I have a lot of resources.

Is there any way to disable the connector for all resources? via policy or any other way?


2 Replies
You could probably use a policy to Modify and remove a property (in this case the logging), but a policy would only trigger when a resource is added/updated so it would not help you much.

Maybe a PowerShell program that iterates through all the resources in a subscription and removes the logging if it is present would work better for you.

Is the Azure Activity logs not configured solely on a subscription level though?
So you should only need to remove the diagnostic settings once per subscription.

The diagnostics settings on a resource level map to other connectors such as Azure Firewall, Azure Key Vault etc if I am not mistaken.