The Azure Activity data connector for Azure Sentinel has recently been changed. Microsoft regularly upgrades or changes the underlying infrastructure and procedures to keep all of its services working optimally.
The Azure Activity log provides subscription-level events and the insight that comes with them: for any operation performed on any resource in the subscription, it records what was done, who did it, and when. Through the Azure Activity data connector, all of this event information can be streamed into Azure Sentinel.
Recently the connector adopted a diagnostic-settings pipeline and switched away from the legacy method of collecting events. This brought a schema change in the AzureActivity table along with a number of improvements: lower ingestion latency (events are now ingested within 2-3 minutes of occurrence instead of the 15-20 minutes it took earlier), improved reliability, improved performance, support for all categories of events logged by the Activity log service, management at scale with Azure Policy, and support for management-group-level activity logs (still in preview as of now).
But along with these improvements, users who are accustomed to the previous procedure for enabling the connector are running into a problem: the connector does not show as connected straight away after following the given steps (which can be found here).
To address this, I am summarizing all the steps below, from creating a new Azure Sentinel resource through configuring the Azure Activity data connector, with screenshots:
Search for Azure Sentinel in the portal search box and open it, then click Create to create Azure Sentinel and choose or create your Log Analytics workspace.
After Azure Sentinel is created, under Configuration choose Data connectors.
Find and choose Azure Activity in the list of connectors.
In the Azure Activity blade, click "Open connector page".
This is where the change comes in: first we have to disconnect the subscription from the legacy method, and then we have to create the policy for the subscription to apply a single Azure subscription log-streaming configuration.
Under the scope of the policy, remember to choose only the subscription in which you have that workspace.
Then choose your Log Analytics workspace under the Parameters tab.
This is an important step: under the Remediation tab you have to create a remediation task, which will check your subscription and make it compliant with the policy.
To complete the process, click Create.
According to the Microsoft docs, the Azure Activity connector should show as connected after following the above steps, and it does, after about 15 minutes. But in some cases, when the remediation task has failed, you have to follow some additional steps to ensure that all the resources are compliant with the policy. Here are those additional steps:
Go to Policy and check that the resources show as compliant with the policy; also cross-check that the scope of the policy is your subscription only, not any sub-resource.
Go to Remediation > Remediation tasks and check whether the remediation task that was created along with the policy has completed or failed.
If it is stuck in the Evaluating stage or has failed, go back to the policy and create a new remediation task.
Once the remediation task has completed, wait a couple of minutes and check whether the resources are 100% compliant with the policy. If not, wait a couple more minutes and refresh the page.
If everything is good, go back to Azure Sentinel > Data connectors > Azure Activity and you will find it connected.
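The same policy assignment, remediation task and compliance check can be scripted with Az PowerShell, which is handy when the portal's remediation task fails and you want to retry it and watch its state. This is an added example, not code from the original post or from Microsoft; it assumes the Az.Resources and Az.PolicyInsights modules, an existing session (Connect-AzAccount), the built-in policy's display name and its logAnalytics parameter name, and the Az.Resources 6.x object shape, and uses placeholder subscription and workspace IDs.

```powershell
# Added example (not from the original post). Placeholders: replace before running.
$SubscriptionId = "<your-subscription-id>"
$WorkspaceId    = "/subscriptions/<your-subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
$Scope          = "/subscriptions/$SubscriptionId"     # subscription only, never a sub-resource
$AssignmentName = "stream-activity-log-to-sentinel"    # assumed assignment name
$Location       = "eastus"                             # region for the managed identity (assumed)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Look the built-in definition up by display name (assumed) so no GUID is hard-coded.
$Definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.Properties.DisplayName -eq "Configure Azure Activity logs to stream to specified Log Analytics workspace"
}
if (-not $Definition) { throw "Built-in Activity log streaming policy not found" }

# DeployIfNotExists policies need a managed identity to create the diagnostic setting.
$Assignment = New-AzPolicyAssignment -Name $AssignmentName -Scope $Scope `
    -PolicyDefinition $Definition `
    -PolicyParameterObject @{ logAnalytics = $WorkspaceId } `
    -IdentityType SystemAssigned -Location $Location
$AssignmentId = "$Scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# The portal grants the identity the roles the policy declares; when scripting, do it
# yourself. A remediation task that fails is often missing exactly this step.
Start-Sleep -Seconds 30   # let the new identity propagate before assigning roles
foreach ($RoleId in $Definition.Properties.PolicyRule.then.details.roleDefinitionIds) {
    New-AzRoleAssignment -ObjectId $Assignment.Identity.PrincipalId `
        -RoleDefinitionId ($RoleId -split '/')[-1] -Scope $Scope | Out-Null
}

# Create the remediation task; ReEvaluateCompliance forces a fresh evaluation
# instead of reusing a stale compliance state.
$RemediationName = "$AssignmentName-remediation"
Start-AzPolicyRemediation -Name $RemediationName -Scope $Scope `
    -PolicyAssignmentId $AssignmentId -ResourceDiscoveryMode ReEvaluateCompliance | Out-Null

# Poll until the task leaves the Accepted/Running/Evaluating states.
do {
    Start-Sleep -Seconds 60
    $State = (Get-AzPolicyRemediation -Name $RemediationName -Scope $Scope).ProvisioningState
    Write-Host "Remediation state: $State"
} while ($State -in @("Accepted", "Running", "Evaluating"))
if ($State -ne "Succeeded") { throw "Remediation ended in state '$State'; recreate the task and re-check" }

# Finally confirm there are no non-compliant resources for this assignment.
$Summary = Get-AzPolicyStateSummary -SubscriptionId $SubscriptionId -PolicyAssignmentName $AssignmentName
Write-Host "Non-compliant resources: $($Summary.Results.NonCompliantResources)"
```

After the summary reports zero non-compliant resources, the connector page in Azure Sentinel should show Azure Activity as connected within the usual waiting period.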
I hope this helps with configuring the Azure Activity data connector in Azure Sentinel and with improving your organization's security posture through the insights Sentinel provides.