Nov 08 2022 02:50 AM - edited Nov 08 2022 04:21 AM
Greetings
I few weeks ago a set up a fresh Log Analytics workspace and purchased Sentinel for it. Both are set up as PayGo for now. Yesterday when I came to work I was greeted by the error message "Workspace (my workspace) not found or does not have Microsoft Sentinel. Please select a different workspace and try again". The left menus of Sentinel are visible and I can access the logs in the workspace just fine byt Sentinel is gone. The error summary doesn't give me any further information like error codes and so on.
Kind'a hard when I just spent the most part of a week setting up all the data connectors and analytic templates.
Anyone have any ideas?
/Fredrik
Nov 08 2022 04:19 AM
Nov 08 2022 04:23 AM - edited Nov 08 2022 04:28 AM
Correct, that should all be Log Analytics workspace. I'm looking for the Azure Activity logs as we speak but I doubt someone could have deletede the Sentinel Instance by mistake. Also Sentinel is still visible for the workspace if I go to Azure-Resources-Sentinel.
Update: There is no delete event in the Azure monitor logs for the Sentinel instance but a health event for this Saturday with the title "More than 1 hour latency" but it's shown as resolved
/Fredrik
Nov 08 2022 04:50 AM
Nov 08 2022 05:04 AM
Nov 08 2022 08:40 AM - edited Nov 10 2022 04:21 AM
Hi
The partner just came back with the Microsoft ticket 2211100050001204 I don't know if that means anything to you.
Nov 08 2022 10:01 PM
Nov 09 2022 12:08 PM
@TheHoff70 I'm (my customer is) having this "Workplace not found" issue also.
I'm not sure if this is related or this is some other 'bug' but all the documentation states that in order to modify connector configuration for Azure Active Directory one would need either Global Admin or Security Admin role. Well, I have the latter activated via PIM. Sentinel still gives me a red cross over the "Diagnostic Settings: read and write permissions to AAD diagnostic settings." Sure enough, when I navigate to AAD diagnostics settings, I can't access. Okay, what AAD role does have access to the 'microsoft.aadiam/diagnosticsSettingsCategories/read" action? Turns out I can't find any from this list: Azure AD built-in roles - Azure Active Directory - Microsoft Entra | Microsoft Learn. What am I missing here? I've operated with GA role in other tenants and at least in the past that role could pretty much do anything, set the AAD diagnostics even. The customer tried this with his Global Admin role and nope. Couldn't modify the connector configuration, got the same red cross for the diagnostics settings as I did. I'm getting worried.
Dec 21 2022 10:27 PM