Microsoft Sentinel - UEBA connector not feeding data

Sebastian Wiszowaty 5 Reputation points
2023-09-19T13:08:25.24+00:00

GH Issue

https://github.com/Azure/Azure-Sentinel/issues/8883

Issue at hand

As currently it is impossible to get UEBA enabled with bicep in a reliable way due to: https://github.com/Azure/bicep/issues/10850

I opted for enabling it using az cli. Using az cli succeeds in both creating and updating the setting (after having parsed the etag if it is created).

However the data refuses to flow in. My suspicion is that because not all 4/4 data sources are available but it succeeds. I was asked to raise a support case but because I don't have paid support I'm raising it here.

resource id:

/subscriptions/6b0e8ce2-30d3-4e81-a0a6-b8c50b4fb91f/resourceGroups/rg-dev-dev-sentinel/providers/Microsoft.OperationalInsights/workspaces/laswosocpmfersj6tpwe

UEBA enabled:

[screenshot: UEBA settings page showing UEBA enabled]

No data in la workspace (no BehaviorAnalytics table):

[screenshot: Log Analytics workspace table list without a BehaviorAnalytics table]

The LA had been deployed for quite some time now, so I don't believe that would be the "15 minute period" before it flows in here.
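The enable-and-verify flow the question describes (create or update the UEBA setting through the CLI, echoing the etag on update, then check whether data is landing), as an added example that is not part of the question, the answer or the Azure-Sentinel repository. It drives the REST API through `az rest` and `az monitor log-analytics query`; the settings resource path, the `api-version`, the `kind`/`properties.dataSources` body shape and the four data-source names are my assumptions about the Microsoft.SecurityInsights API and should be checked against current documentation. The workspace resource id and customer id below are placeholders.

```python
"""Enable Microsoft Sentinel UEBA via the REST API and verify the result.

The point of the verification step is to separate "the PUT succeeded but
the setting is incomplete" from "the setting is complete and data simply
has not arrived yet", which is the ambiguity in the question above.
"""
import json
import subprocess
from typing import List, Optional

API_VERSION = "2023-02-01"  # assumption: a stable Settings API version
# Assumption: these are the four UEBA data sources ("4/4" in the question).
UEBA_DATA_SOURCES = ["AuditLogs", "AzureActivity", "SecurityEvent", "SigninLogs"]
# Placeholders, not values from the question.
WORKSPACE_RESOURCE_ID = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>"
WORKSPACE_CUSTOMER_ID = "<workspace-customer-guid>"  # needed by log-analytics query


def ueba_settings_url(workspace_resource_id: str) -> str:
    """ARM URL of the workspace's UEBA setting (assumed resource path)."""
    return (f"https://management.azure.com{workspace_resource_id}"
            f"/providers/Microsoft.SecurityInsights/settings/Ueba"
            f"?api-version={API_VERSION}")


def build_put_body(existing: Optional[dict], data_sources: List[str] = UEBA_DATA_SOURCES) -> dict:
    """Body for the PUT. On update the current etag is echoed back (this is the
    'parsed the etag' step from the question); on create there is none yet."""
    body = {"kind": "Ueba", "properties": {"dataSources": list(data_sources)}}
    if existing is not None and existing.get("etag"):
        body["etag"] = existing["etag"]
    return body


def missing_data_sources(setting: dict) -> List[str]:
    """UEBA data sources that a GET response does not list as enabled."""
    enabled = set(setting.get("properties", {}).get("dataSources", []))
    return [s for s in UEBA_DATA_SOURCES if s not in enabled]


def az_rest(method: str, url: str, body: Optional[dict] = None) -> Optional[dict]:
    """Run `az rest`; return parsed JSON, or None on a non-zero exit (e.g. 404)."""
    cmd = ["az", "rest", "--method", method, "--url", url]
    if body is not None:
        cmd += ["--body", json.dumps(body)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def behavior_analytics_row_count(customer_id: str) -> Optional[int]:
    """Rows in BehaviorAnalytics over the last day; None if the table is absent
    (the query fails) or the CLI call fails."""
    kql = "BehaviorAnalytics | where TimeGenerated > ago(1d) | summarize n = count()"
    proc = subprocess.run(["az", "monitor", "log-analytics", "query", "--workspace",
                           customer_id, "--analytics-query", kql],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    rows = json.loads(proc.stdout)
    return int(rows[0]["n"]) if rows else 0


if __name__ == "__main__":
    url = ueba_settings_url(WORKSPACE_RESOURCE_ID)
    existing = az_rest("GET", url)            # None => setting does not exist yet
    put_result = az_rest("PUT", url, build_put_body(existing))
    if put_result is None:
        raise SystemExit("PUT failed; check the etag and the assumed API shape")
    # Re-read rather than trusting the PUT response: a 200 alone is not proof.
    current = az_rest("GET", url) or {}
    gaps = missing_data_sources(current)
    print("UEBA data sources missing:", gaps or "none")
    count = behavior_analytics_row_count(WORKSPACE_CUSTOMER_ID)
    print("BehaviorAnalytics rows (24h):", "table not present / query failed" if count is None else count)
```

Run it after `az login` with the placeholders filled in. If `gaps` is non-empty the setting is the problem; if it is empty and the table is still absent well past the documented delay, the answer below (toggle UEBA off and on, then wait) is the next thing to try.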


1 answer

  1. SamiL 0 Reputation points MVP
    2024-01-02T12:26:42.1766667+00:00

    Hi @Sebastian Wiszowaty ,

    I've seen the same kind of situation (data not flowing in) with UEBA in a few Sentinel environments. The workaround was to disable and enable UEBA data flows. After reconfiguration it took approx. 15-30 min before data started to flow in to Log Analytics.

    The issue I faced was not related to bicep in any way, but I wanted to raise this in case you are still having the issue on your hands.
