Creating an Azure Activity logging policy via Sentinel for 1 or more subscriptions.


Hi there,

I have questions about the proper procedure for configuring the Azure Activity Log Connector in Sentinel.


The 'old' way, which still seems to work, and it's easy:

Activity Log > Export Activity Logs > enable diagnostics for EACH subscription and point to the Log Analytics workspace - done!


The 'new' way:

Sentinel > Azure Activity Log Connector > create a policy to pull the logs.

It's this 'new' way I have questions about, e.g. are my assumptions correct:
- It is NOT recommended to assign this policy at the root tenant level - this will fail unless you apply additional roles to the global admin - correct?
- It IS recommended to assign this policy at either a subscription level or a subscription group level - correct?
- For any existing subscriptions you may need to apply a remediation as the policy will only apply to NEW resources - correct?


Your experience on this matter is appreciated.
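The 'old' way from the post, scripted so it is applied consistently to every subscription instead of by hand in the portal; this is an added example, not code from the thread or from Microsoft. It assumes the Azure CLI is installed and logged in, and the placeholder WORKSPACE_ID, the setting name and the `global` location are assumptions you would replace or confirm for your tenant.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread: the 'old' way scripted for every
# subscription the signed-in identity can see. Creates one subscription-level
# diagnostic setting per subscription that forwards all Azure Activity Log
# categories to a single Log Analytics workspace. Needs Azure CLI ('az') and
# a prior 'az login'. WORKSPACE_ID, SETTING_NAME and LOCATION are assumptions.
set -eu

WORKSPACE_ID="${WORKSPACE_ID:-REPLACE-WITH-LOG-ANALYTICS-WORKSPACE-RESOURCE-ID}"
SETTING_NAME="${SETTING_NAME:-activity-log-to-sentinel}"
LOCATION="${LOCATION:-global}"   # assumed: Activity Log settings are not regional

# Every category a subscription-level diagnostic setting can export.
activity_log_categories() {
  printf '%s\n' Administrative Security ServiceHealth Alert Recommendation \
                Policy Autoscale ResourceHealth
}

# Builds the JSON array passed to --logs, enabling every category above.
build_logs_json() {
  json=''
  for category in $(activity_log_categories); do
    json="$json{\"category\":\"$category\",\"enabled\":true},"
  done
  printf '[%s]' "${json%,}"
}

# Renders the create command for one subscription (for dry runs / change review).
render_create_cmd() {
  printf "az monitor diagnostic-settings subscription create --subscription %s --name %s --location %s --workspace %s --logs '%s'" \
    "$1" "$SETTING_NAME" "$LOCATION" "$WORKSPACE_ID" "$(build_logs_json)"
}

# Idempotency check: does this subscription already carry the setting?
setting_exists() {
  az monitor diagnostic-settings subscription show --subscription "$1" --name "$SETTING_NAME" >/dev/null 2>&1
}

enable_for_subscription() {
  sub="$1"
  if setting_exists "$sub"; then echo "skip  $sub (already configured)"; return 0; fi
  if [ "${DRY_RUN:-0}" = 1 ]; then render_create_cmd "$sub"; echo; return 0; fi
  az monitor diagnostic-settings subscription create --subscription "$sub" --name "$SETTING_NAME" \
    --location "$LOCATION" --workspace "$WORKSPACE_ID" --logs "$(build_logs_json)" >/dev/null
  echo "done  $sub"
}

# Set AZ_APPLY=1 to run against all enabled subscriptions (add DRY_RUN=1 to only print the commands).
if [ "${AZ_APPLY:-0}" = 1 ]; then
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do enable_for_subscription "$sub"; done
fi
```

Run it first with `AZ_APPLY=1 DRY_RUN=1` and keep the printed commands as the change record; a subscription that already has the setting is skipped, so re-running after new subscriptions appear is safe.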


2 Replies
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/moving-azure-activity-connector-to-an...

From now through 15 Sept 2026, you can manually move to use the Diagnostic Settings as explained here. We will also auto migrate all of the customers. The overall experience will stay the same.
Source: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/moving-azure-activity-connector-to-an...
Thanks Clive,
I've asked my questions over on the other blog. Hopefully ShaharAviv is still around :).