Disabling the Azure Activity Sentinel connector


Hi all,

I have an issue with the amount of logs the Azure Activity connector is ingesting into Sentinel, and I'd like to disable it so that I could review what subscriptions I want to have in my Sentinel. Now I know that I do that by disabling the diagnostic settings on my resources, however I do not know how to do so en masse, since I have a lot of resources.

Is there any way to disable the connector for all resources, via policy or any other way?

Thanks

2 Replies
You could probably use a policy to Modify and remove a property (in this case the logging), but a policy would only trigger when a resource is added/updated so it would not help you much.

Maybe a PowerShell program that iterates through all the resources in a subscription and removes the logging if it is present would work better for you.

Are the Azure Activity logs not configured solely on a subscription level though?
So you should only need to remove the diagnostic settings once per subscription.

The diagnostics settings on a resource level map to other connectors such as Azure Firewall, Azure Key Vault etc. if I am not mistaken.
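
Added example, not part of either reply: a PowerShell sketch of the per-subscription approach discussed above, which first reports every subscription-level diagnostic setting that forwards Activity logs to one workspace and removes them only when `-Remove` is passed. It assumes an Az.Monitor version that provides the `Get-AzSubscriptionDiagnosticSetting` and `Remove-AzSubscriptionDiagnosticSetting` cmdlets and an existing `Connect-AzAccount` session; the workspace resource ID and backup path are placeholders.

```powershell
# Added example: audit (and optionally remove) subscription-level diagnostic
# settings that forward Activity logs to one Log Analytics workspace.
param(
    # Placeholder: full resource ID of the Sentinel workspace (assumption)
    [Parameter(Mandatory)] [string] $WorkspaceResourceId,
    # Without -Remove the script only reports what it finds
    [switch] $Remove,
    # Where to save a copy of the matching settings before removal
    [string] $BackupPath = '.\activity-diag-backup.json'
)

$found = foreach ($sub in Get-AzSubscription) {
    # Activity log export is configured once per subscription, not per resource
    $settings = Get-AzSubscriptionDiagnosticSetting -SubscriptionId $sub.Id
    foreach ($s in $settings) {
        # Only settings that target the given workspace are of interest
        if ($s.WorkspaceId -ieq $WorkspaceResourceId) {
            [pscustomobject]@{
                SubscriptionName = $sub.Name
                SubscriptionId   = $sub.Id
                SettingName      = $s.Name
                Categories       = ($s.Log | Where-Object Enabled |
                                    ForEach-Object Category) -join ','
            }
        }
    }
}

# Review step: which subscriptions currently feed the workspace
$found | Format-Table -AutoSize

if ($Remove -and $found) {
    # Keep a record so the setting can be recreated on the subscriptions
    # that should stay connected after the review
    $found | ConvertTo-Json -Depth 5 | Set-Content -Path $BackupPath
    foreach ($f in $found) {
        Remove-AzSubscriptionDiagnosticSetting -SubscriptionId $f.SubscriptionId `
            -Name $f.SettingName
    }
}
```

Run it without `-Remove` first and check the table; resource-level diagnostic settings (Azure Firewall, Key Vault and similar) are not touched by this script.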