A short while ago, we started recommending that customers use the new Policy-based method of connecting the Azure Activity log to Microsoft Sentinel.
Recently, we have started to see some customers that have used this method where the Data Connector shows as not connected in the Microsoft Sentinel console.
While we diagnose this, there’s an easy fix. If this is something affecting your Microsoft Sentinel environment, you only need to manually reset the Azure Policy.
To accomplish this…
[1] Go to Azure Policy in the Azure portal and located the Configure Azure Activity logs to stream to specified Log Analytics workspace for the proper scope. The scope in this instance will be the subscription\workspace name of the Microsoft Sentinel Log Analytics workspace.
[2] Open the policy and simply click or tap on the Remediate button.
[3] After the remediation is accepted and processed you need to wait for a bit. Give it a good 10-15 minutes before looking at the Data Connector in the Microsoft Sentinel console again.
Once the process has completed, you should see the Azure Activity Data Connector show green and connected.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]