This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 28.999999999999996%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
We recently activated Sentinel to give it a trial run. I set up a separate workspace for Sentinel and installed some data connectors. However, the WAF is still showing as disconnected even after installing and configuring it.
We've only got WAF, not Front Door, so I set up a diagnostic setting to send logs to the Sentinel workspace. However, it still shows as disconnected. I've even tried reinstalling it, but nothing seems to be working.
I manually performed some basic attacks to generate some logs, and while they're showing up in the workspace logs, they're not appearing in Sentinel. Could it be because the destination table should be set to Azure Diagnostics instead of resource-specific?
Correct, that Solution assumes the data is in AzureDiagnostics
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Web%20Application%20Firewall%20(WAF)/Data%20Connectors/template_WAF.JSON Which you can see from the example
As data is coming in, you are working (but the connector will always be "disconnected"). Workbooks or Analytics wont be using your Tables, so you could amended them to match or revert to AzureDiagnostics
Hi @clive watson
Awesome, it worked! I can see the logs flowing in the graph now, and the status has changed to connected.
Next, when attempting to enable the rule template, I encountered the following error in the log query: "where' operator: Failed to resolve column or scalar expression named 'action_s'" for every FGW rule. Additionally, if I need to disconnect any of the data connectors, such as Defender for Cloud Apps and XDR because we don't have a license for them, how can I do that?
Disconnect is usually done from the [Content Hub]
Thanks for your help @Clive Watson