Azure Activity - Connector does not show up as connected (no data being sent), policy is applied #8871
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @Kaloszer, thanks for flagging this issue, we will soon get back to you on this. Thanks!
Hello @Kaloszer, we are connecting with our concerned team for this issue, once we get any information on this, we will update you. Thanks!
Hi @Kaloszer, the Azure Activity connector takes 10-15 minutes to connect and create a table in LAW; in some cases, it can take up to 20 minutes because of latency issues. Please let us know if it is still showing as disconnected after more than the mentioned minutes. Thanks!
@v-sudkharat as mentioned within the initial issue description it was >15 minutes. Also note that this doc refers to 'legacy integration', which I am not using. I am using a policy, which is the new integration, albeit on an RG level to validate automation.
Hi @Kaloszer, the Azure Activity connector applies the Azure policy to send the logs into the Log Analytics workspace, and the first time, the policy takes time to apply. Please let us know if the policy is already applied; if the connector is still taking time to connect, then there is an issue. Thanks
Policy is not being applied 'through' the connector - as that would require manual action on the portal through UI - but through a Bicep template, it being a normal policy that you would apply to a resource. So the root issue here is, how do you programmatically enable that policy so it applies to the resource in 'the correct way'. As AZ CLI has that particular flag but it does not work - as you can see in Azure/azure-cli#27190
Hello @Kaloszer, we are connecting with our concerned team for this issue, once we get any information on this, we will update you. Thanks
@v-sudkharat
@Kaloszer, we have not received the update yet, once received we will update you. Thanks
Hello @Kaloszer, we received the concerned team's update and the team just wants to clarify: the policy for the Azure Activity diagnostic setting was assigned to a workspace, but the data isn't flowing into the Log Analytics Workspace?
The policy is not being assigned to the workspace - the policy is assigned to the resource group that contains the workspace and targets the workspace LA. But as mentioned, the 2465583e-4e78-4c15-b6be-a36cbc7c8b0f policy was applied, it seemed to apply as per the screenshots in the initial report, and no data was flowing in when the policy was applied through code.
Hello @Kaloszer, thank you for the clarification. We have shared this information with the concerned team, we will update you once we get any information on this. Thanks
Hi @Kaloszer, we received the response from the concerned team and just want to know, did you open a support case for this? It looks like the problem might be related to the Azure Activity policy, rather than the data connector in Sentinel.
@v-sudkharat No, I do not have paid support available on my dev subscription. I will have to recreate the issue and try to open one if that's needed.
Hi @Kaloszer, could you please try and let us know once it is done. Thanks
@Kaloszer, we are waiting for your response about. Thanks!
Hey,
Hi @Kaloszer, ok, please let us know once you are done. Thanks
Hi @Kaloszer,
Hi @Kaloszer, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 29-09-2023, we will be closing this issue.
Describe the bug
I've been making a programmatic way of deploying Microsoft Sentinel for some time now and have circled back to this issue. We are unable to enable the Azure Activity connector programmatically; for some reason, even though the policy that is required is applied correctly, it does not feed data. The resource is compliant.
To Reproduce
Steps to reproduce the behavior:
Diagnostic setting OK - policy had applied:
Data Connector has not 'connected' and is not feeding any data:
Expected behavior
Data connector reports connected after <15 minutes of applying the policy and remediation completing (data is being fed into the LA workspace).
Additional context
This seems to be the case for this person as well, even setting up the workspace manually:
https://learn.microsoft.com/en-us/answers/questions/1188787/connectors-are-not-connected-to-microsoft-azure-ac
Cannot execute the DC creation in Azure CLI either:
Azure/azure-cli#27190
I can share the bicep module in private.