Oct 23 2023 08:30 AM - edited Oct 23 2023 08:32 AM
Hi there,
I have questions about the proper procedure for configuring the Azure Activity Log Connector in Sentinel.
The 'old' way, which still seems to work, and it's easy:
Activity Log > Export Activity Logs > enable diagnostics for EACH subscription and point to the log analytics workspace - done!
The 'new' way:
Sentinel > Azure Activity Log Connector > create a policy to pull the logs.
It's this 'new' way I have questions about, e.g. are my assumptions correct:
- It is NOT recommended to assign this policy at the root tenant level - this will fail unless you apply additional roles to the global admin - correct?
- It IS recommended to assign this policy at either a subscription level or a subscription group level - correct?
- For any existing subscriptions you may need to apply a remediation as the policy will only apply to NEW resources - correct?
Your experience on this matter is appreciated.
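An added Azure PowerShell example of the 'new' way the question describes (not code from the original post or from Microsoft): assign the built-in Activity Log DeployIfNotExists policy at a management-group scope with a managed identity, grant that identity the roles it needs, and start a remediation task so subscriptions that already exist are covered. The management-group name, workspace resource ID, role names, policy display name and the `logAnalytics` parameter name are assumptions to verify against your tenant and the policy definition.

```powershell
# Added example; management group, workspace ID, role and parameter names are assumptions to verify.
$mgName      = 'contoso-landing-zones'   # hypothetical management group (the "subscription group" level)
$scope       = "/providers/Microsoft.Management/managementGroups/$mgName"
$workspaceId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'

# Locate the built-in policy by display name instead of hard-coding its GUID.
$policy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Configure Azure Activity logs to stream to specified Log Analytics workspace' }
if (-not $policy) { throw 'Built-in Activity Log policy not found; check the display name in the portal.' }

# Assign with a system-assigned identity; a DeployIfNotExists policy cannot remediate without one.
$assignment = New-AzPolicyAssignment -Name 'activity-log-to-sentinel' -Scope $scope `
    -PolicyDefinition $policy -IdentityType SystemAssigned -Location 'westeurope' `
    -PolicyParameterObject @{ logAnalytics = $workspaceId }   # parameter name: assumption

# The identity must be able to create diagnostic settings on each subscription in scope and write to
# the workspace. The role names below are an assumption; the authoritative list is the definition's
# roleDefinitionIds. Property names on $assignment differ between Az.Resources versions
# (Identity.PrincipalId / PolicyAssignmentId in older releases, IdentityPrincipalId / Id in newer ones).
Start-Sleep -Seconds 30   # give the new identity time to replicate before assigning roles
foreach ($role in 'Monitoring Contributor', 'Log Analytics Contributor') {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName $role -Scope $scope
}
# If the workspace lives outside $scope, grant Log Analytics Contributor on the workspace as well.

# Policy evaluates new or changed resources on its own; a remediation task is what brings
# existing subscriptions into compliance.
Start-AzPolicyRemediation -Name 'activity-log-initial' -ManagementGroupName $mgName `
    -PolicyAssignmentId $assignment.PolicyAssignmentId
Get-AzPolicyRemediation -Name 'activity-log-initial' -ManagementGroupName $mgName
```

Check the remediation's ProvisioningState afterwards; deployments that fail usually point to a missing role on the identity rather than a problem with the policy itself.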