Sorting out the Azure Activity Connector in Microsoft Sentinel

TL;DR – Just a few tips and tricks for configuring the Azure Activity Connector in Microsoft Sentinel.

Personally, I learn by doing, so whenever anyone asks me what’s the best way to learn Microsoft Sentinel, I point them to the Training Lab, which is available right from the Sentinel Content hub.

It’s a wonderful tool to learn the basics and get comfortable with Microsoft Sentinel. As people move through the training lab modules, one of the most common questions I get is when they reach module 2 and they need to configure the Azure Activity connector, because they follow the steps, but the connector still remains ‘not connected’ (not green, as shown below).

Normally, it is a straight forward configuration, however, if you are using a subscription that was previously configured to send logs to another source or if you set the scope to a higher level (i.e. root management group), then it may not be updated as expected immediately.

First, you need to ensure you check the box to ‘Create a remediation task’ so that when the new policy is assigned to your existing subscriptions, they are updated to send logs to the specified Log Analytics workspace, the one that is configured for Microsoft Sentinel.

Then, to verify the subscription was updated to send logs to the correct workspace, navigate to your subscription, select the ‘Activity log’ blade, and then click on ‘Export Activity Logs’, as shown below:

Ensure the ‘Log Analytics workspace’ value is the same workspace you configured with Microsoft Sentinel:

If it isn’t, go ahead an update it. Once you update it and the workspace starts receiving data, you should see the status of the connector change to green, while also showing the time the last log was received, as shown below:

You should still check the Azure policy assignment to ensure only the expected policies are assigned and configured at the correct level, which may be management group level, subscription, or resource group level. Also, ensure the parameters specify the workspace that is configured with Microsoft Sentinel.

If you haven’t tried out the Training Lab, I highly recommend you do. You can use the free trial that is available for the first 31 days. Have fun learning!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: