The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

The Azure Sentinel product group continues to crank out new Data Connectors. Providing as many customer-requested Data Connectors as possible is a significant goal, and I hope you’ve seen the effort going into it: new Data Connectors become available constantly.

The Data Connector is intended as a supportable and easy method for connecting logs from various sources (on-prem, other clouds, Azure, etc.) to the Log Analytics workspace behind Azure Sentinel. By enabling the capability, customers can easily ingest data that can then be analyzed to expose potentially threatening activity in the environment.

We’ve provided a number of Data Connectors “out-of-the-box”, but what if one doesn’t exist and you still need that log? Ofer has a good post about data connections (Azure Sentinel: The connectors grand (CEF, Syslog, Direct, Agent, Custom and more)) covering the many methods that can be used to collect and ingest log files. Additionally, you can go the route of creating your own custom connector: Resources for creating Azure Sentinel custom connectors.

But from an Azure services perspective, connecting any Azure service is easier than you might think. The often overlooked Diagnostic Setting exists for the majority of Azure services, and these settings are easy to create and point at the Azure Sentinel Log Analytics workspace. A Diagnostic Setting essentially enables resource logging for a particular service and lets you choose where those logs are sent.

Just locate the service, look for the Diagnostic settings option in the service’s portal blade, and add a new setting. When you create it, make sure you select the same Log Analytics workspace that Azure Sentinel is attached to; the data from the newly enabled service logs will then be available to your analysts (for many services it lands in the AzureDiagnostics table, queryable by ResourceProvider and Category; some newer services write to their own resource-specific tables instead). Be wary of enabling more than you need, though: every category you tick is billed as ingested data. For example, do your security folks really need the AllMetrics stream to sift through? Keep the focus on security-relevant log categories.
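The same steps can be scripted with the Azure CLI instead of clicked through the portal, which is how most people end up doing it once they have more than a handful of resources. The script below is an added example, not code from the original post or from the Sentinel product group. It targets a Key Vault (the resource ID, workspace ID and setting name are constructed placeholders), enables only the AuditEvent log category, and deliberately leaves metrics out. By default it only prints the `az` command so you can review it; set `DRY_RUN=0` to actually run it after `az login`.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Creates a Diagnostic Setting
# on an Azure resource with the Azure CLI and sends only chosen log categories
# (no metrics) to the Log Analytics workspace that backs Azure Sentinel.
# The resource ID, workspace ID and setting name below are hypothetical.
set -eu

# Build the JSON array that `az monitor diagnostic-settings create --logs`
# expects from a list of category names. Plain shell so it works offline.
build_logs_json() {
  local out="[" first=1 category
  for category in "$@"; do
    if [ "$first" -eq 1 ]; then first=0; else out="$out,"; fi
    out="$out{\"category\":\"$category\",\"enabled\":true}"
  done
  printf '%s]' "$out"
}

# Compose the full az command. --metrics is deliberately left out: the
# AllMetrics stream is noise for a SOC and is billed as ingested data.
# Returning the command as text lets you review it before it runs.
compose_diag_setting_cmd() {
  local name="$1" resource_id="$2" workspace_id="$3"
  shift 3
  printf "az monitor diagnostic-settings create --name %s --resource %s --workspace %s --logs '%s'\n" \
    "$name" "$resource_id" "$workspace_id" "$(build_logs_json "$@")"
}

main() {
  # Constructed identifiers for the example; substitute your own.
  local sub="00000000-0000-0000-0000-000000000000"
  local vault="/subscriptions/$sub/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-example"
  local workspace="/subscriptions/$sub/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"

  # Discover the categories the service actually exposes before choosing:
  #   az monitor diagnostic-settings categories list --resource "$vault" -o table
  # Key Vault exposes the AuditEvent log category, which records every
  # secret/key/certificate operation: exactly what a SOC wants.
  local cmd
  cmd=$(compose_diag_setting_cmd "to-sentinel" "$vault" "$workspace" AuditEvent)

  # DRY_RUN=1 (default) prints the command; DRY_RUN=0 runs it (needs `az login`).
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$cmd"
  else
    eval "$cmd"
  fi
}

main "$@"
```

Once the setting is in place, give it a few minutes and confirm the data is arriving in the workspace with a query such as `AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent" | take 10`. If nothing shows up, the usual culprits are the wrong workspace selected or a category name that the service does not expose; the `categories list` command in the script shows the exact names to use.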

Creating a Diagnostic Setting

Obviously, if an official Data Connector exists for an Azure service, use that. But if one doesn’t exist for the Azure service you want to connect, go the Diagnostic setting route.

Fast fact: Many of the Azure service Data Connectors in Azure Sentinel are simply a front-end for setting the Diagnostic setting. The Azure Active Directory connector is a good example of this.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]
