A Blog about a Blog: Upgrade Your Azure Sentinel AzureActivity Data Connector

I generally hate it when someone takes a blog and writes an article or blog about it. There are a number of websites that do this and it drives me nuts. HOWEVER, you're going to catch me doing this today, and for good reason: a significant change in a Data Connector is worth highlighting twice.

Data Connectors that work in Azure are going through changes to improve how they function and how they perform. One change announced today concerns the Azure Activity Data Connector. See: Moving Azure Activity Connector to an improved method – Microsoft Tech Community.

For those using the free Azure Activity Data Connector, this means you'll need to deactivate the old connection method and enable the new one, which is delivered through an Azure Policy assignment that deploys a diagnostic setting streaming the subscription's Activity log to your workspace. For those who have never worked with Azure Policy, I'll walk through that in a minute.

It's recommended that you perform this "upgrade." There are a number of reasons why, but two glaring ones make it important to do this sooner rather than later:

  1. There's a schema change. Certain data columns no longer contain data; that data now lives in new columns. So, as you can guess, future Analytics Rules will be written against the new schema, and any existing rules, workbooks or hunting queries that reference the old columns will need to be reviewed.
  2. There's an ingestion improvement. The old connection method had a 15-20 minute latency in data ingestion. The new method promises 2-3 minutes. That's a huge improvement for detection and response, and one that will provide serious value.

Based on those two items alone, perform this upgrade today or put it on your project list to accomplish soon: there is both value in doing so and potential detriment in not doing so. If that's not incentive enough, I don't know what is.

The upgrade is easy. The product team supplied good guidance on the Data Connector page itself, but let me walk through it quickly.

[1] In the Azure Sentinel console, on the Data Connector page for Azure Activity, first click the Disconnect button to disable the old connection method.

[2] Then, click the button to launch the Policy creation wizard.

Disconnect and then Launch the Policy Wizard

Next, walk through the Azure Policy wizard. I've highlighted the areas you need to pay attention to and make sure are completed.

[1] Select the Scope to which this policy will be applied, using the ellipses to open the selection panel. The Activity log is a subscription-level resource, so the scope is normally the subscription itself (you can leave Resource group empty); pick a management group if you want one assignment to cover many subscriptions.

[2] Again using the ellipses, select the Log Analytics workspace (your Sentinel workspace) that this policy will stream the Activity log to. FYI: the Log Analytics Contributor role is required to create this policy.

[3] Enable the Remediation task. A policy of this kind only fires when a resource is created or updated, so without a remediation task it would only take effect on newly created resources; the remediation task applies it to the subscriptions that already exist. Checking the box also creates a system-assigned managed identity for the assignment, which is what the remediation runs under.

[4] A non-compliance message isn't necessary, but to close the loop for those with OCD like mine, go ahead and enter something meaningful.

[5] Finally, Save this new policy.

Walk through Azure Policy
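The same five wizard steps can be scripted. The following is an added example, not code from the original post or from the product team: it assigns the built-in "Configure Azure Activity logs to stream to specified Log Analytics workspace" definition at subscription scope with a system-assigned identity, kicks off the remediation task, and then queries the workspace to confirm events are arriving. It assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.PolicyInsights modules, an existing Connect-AzAccount session, and the subscription, resource group, workspace and assignment names shown, which are placeholders; the display-name lookup and the policy parameter name `logAnalytics` are also assumptions to verify against your tenant.

```powershell
# Added example (not from the original post). Scripts the Azure Policy wizard
# steps for the new Azure Activity connector. All names below are placeholders.

$SubscriptionId     = '00000000-0000-0000-0000-000000000000'   # assumed
$WorkspaceRg        = 'rg-sentinel'                            # assumed
$WorkspaceName      = 'law-sentinel'                           # assumed
$AssignmentName     = 'activity-log-to-sentinel'               # assumed
$AssignmentLocation = 'eastus'   # region that hosts the assignment's managed identity

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Wizard step [2]: the destination workspace. The policy parameter wants its
# full resource ID; the query at the end wants its CustomerId GUID.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName

# Find the built-in definition by display name rather than hard-coding a GUID.
# Older Az.Resources exposes DisplayName under .Properties, newer at top level.
$displayName = 'Configure Azure Activity logs to stream to specified Log Analytics workspace'
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $displayName -or $_.DisplayName -eq $displayName } |
    Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$displayName' not found; check the display name." }

# Wizard step [1]: scope. The Activity log is a subscription-level resource, so
# the assignment goes on the subscription (use a management group ID to cover many).
$scope = "/subscriptions/$SubscriptionId"

# Wizard step [3]: -IdentityType SystemAssigned gives the assignment the managed
# identity the remediation task runs under; Azure grants it the roles the
# definition declares. Step [4] (non-compliance message) is optional and omitted.
New-AzPolicyAssignment -Name $AssignmentName `
    -DisplayName 'Stream Azure Activity log to Sentinel workspace' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ logAnalytics = $workspace.ResourceId } `
    -IdentityType SystemAssigned -Location $AssignmentLocation | Out-Null

# The assignment ID is deterministic from scope and name, so build it instead of
# depending on the output object's property names across module versions.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# Wizard step [3] again: a DeployIfNotExists policy only fires on create/update,
# so the subscription that already exists is only fixed by a remediation task.
Start-AzPolicyRemediation -Name "$AssignmentName-initial" `
    -PolicyAssignmentId $assignmentId -Scope $scope | Out-Null

# Verification (run a few minutes later): with the new connector, the newest
# event should be only a few minutes old rather than 15-20.
$query = @'
AzureActivity
| where TimeGenerated > ago(30m)
| summarize Events = count(), Latest = max(TimeGenerated), LagMinutes = datetime_diff('minute', now(), max(TimeGenerated))
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query).Results
```

Once the remediation completes, the subscription shows a diagnostic setting on its Activity log pointing at the workspace, and the Data Connector page reports the new method as connected. If `Events` stays at zero after the latency window, check the remediation task's status in Azure Policy before suspecting ingestion.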

Why Azure Policy?

Beyond the connector benefits mentioned above, this is a good reason to familiarize yourself with Azure Policy. It is an excellent way to ensure standardization and resource consistency across the org, and the same deploy-and-remediate pattern used here works for any setting you want enforced everywhere.

See: Overview of Azure Policy – Azure Policy | Microsoft Docs
