SOLVED

azure activity connector not working


Hi there,

 

The Azure Activity Connector from the Sentinel Content Hub is not working for me.

 

I launched the Azure Policy Assignment wizard and created the Azure Policy as instructed.

 

For testing, I created and deleted a resource group.

 

The Azure Activity Log shows entries for the creation/deletion of the resource group.

Azure Policy shows the new collection policy - the scope is set at the subscription level, so no filtering, and its compliance state is 'compliant'.

 

Has anyone recently configured the Azure Activity connector? Any surprises?

 

Thanks.

5 Replies

@SocInABox, you mean you're not getting any incident in the Sentinel portal when you're creating or deleting a resource group in Azure?

best response confirmed by SocInABox (Iron Contributor)
Solution
Well heck, it's working now, I need to learn patience.

I just recreated the policy, created/deleted resource group named 'TEST123' and after waiting about 5 minutes the log showed up.

eliekarkafy, no, not an incident, just a log in the AzureActivity table, e.g.:
AzureActivity | where ResourceGroup == "TEST123"

All good now.
Yeah, Azure Policy sometimes takes up to 10 min to take effect. I saw your post on CCP as well :D

@eliekarkafy I have not been able to get it working. I have waited 10+ hrs and when I go to Data Connectors it still says not connected!!

If anyone could help please?

@RobbyD796 

There could be a number of reasons Azure Active data connector is disconnected. Has it ever been connected, or did it disconnect after working? If you haven't ever had it connected, I would check a few things:
1. Make sure you disconnect from legacy methods.
2. Make sure that your policy scope is at the resource group level. It will not send data at the subscription level.


Also make sure that you have checked the remediation task and set the remediation task. 



Finally, be sure to look in the Log Analytics workspace to determine if you have logs coming in. 
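
For the workspace check suggested in the reply above, a query along these lines shows whether AzureActivity rows are arriving and how far behind the event time they land. It is an added example, not part of the original posts; the 24-hour window is an arbitrary choice.

```kusto
// Added example (not from the thread): is AzureActivity receiving data, and how late?
// Run in the Log Analytics workspace that backs the Sentinel instance.
AzureActivity
| where TimeGenerated > ago(24h)                  // assumed look-back window
| extend IngestedAt = ingestion_time()            // when the row reached the workspace
| extend DelaySec = datetime_diff('second', IngestedAt, TimeGenerated)
| summarize
    Events         = count(),
    LastEvent      = max(TimeGenerated),
    LastIngested   = max(IngestedAt),
    MedianDelaySec = percentile(DelaySec, 50),
    MaxDelaySec    = max(DelaySec)
    by SubscriptionId, CategoryValue
| order by LastEvent desc
```

An empty result means nothing from the activity log reached this workspace in the window; a subscription that is absent from the output sent no rows in that period.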
