Data types in Microsoft Sentinel are not connected even though various data connectors are connected

Andreas Bjelven 135 Reputation points
2024-01-17T10:39:28.8566667+00:00

Hi!

I am trying to learn Microsoft Sentinel from my own lab tenant. I have created a Log Analytic workspace and enabled Sentinel.

I understand from Quickstart: Onboard in Microsoft Sentinel | Microsoft Learn that Microsoft Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Microsoft Sentinel.

I have currently connected the following data connectors:

[screenshot: Data connectors]

I have also enabled the following:

[screenshot]

Now this is my question/problem, let's take Microsoft Entra ID for example. If we open up the data connector page, we can see that the prerequisites are valid.

[screenshot]

And, if we check, we can see that I have data coming in from Entra ID to Sentinel and that there are currently 3 data types active/connected. My question is how come the rest of the data types (that I've configured in the picture above) aren't active as well?

[screenshot]

I have the same problem for other data connectors like Microsoft 365. Let's take a look. I meet the prerequisites and I've made my configuration:
[screenshot]

But when I check the data types, they are not connected:

[screenshot]

If we look at Entra ID Protection:
[screenshot]

It's the same, the data type is not connected even though the data connector is connected:

[screenshot]

I don't know if there's something I'm missing. I've been reading online and someone mentioned that I need at least a Microsoft 365 E3 license to make the data types active, is this true?

Many thanks!


Accepted answer
  1. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2024-01-18T13:31:36.3866667+00:00

    @Andreas Bjelven

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you have added Microsoft-supported data connectors and want to know why the "data types" do not show green status (connected).

    Please do correct me by responding in the comments section for any discrepancies.

    I was able to test this in my lab and found that the connector pulls the data for the past 24 hours by default. Once event logs are pulled for a specific data type, it gets displayed in the graph.

    If no activity has been observed in your tenant for a particular data type, then no events would be pulled, and since it's a new setup it would not show in green state.

    For example: I don't have any events under Service principal sign-ins in Entra ID, hence I don't see any active/green status for this data type on my connector.

    [screenshot]

    [screenshot]

    Once I have any events generated, they will be pulled by my data connector in the next polling cycle.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks, Akshay Kaushik

    1 person found this answer helpful.
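
A way to see for yourself what the connector status reflects, as an added example that is not from the post or from Microsoft: a KQL query to run in the Sentinel Logs blade that lists which Entra ID and Microsoft 365 tables actually received events in the last 24 hours (the window the answer describes). The table names are the standard Sentinel tables those connectors write; `isfuzzy=true` keeps the query valid in a new workspace where some tables do not exist yet.

```kql
// Added example, not from the thread. Per-table view of the data types
// behind the Entra ID / Microsoft 365 connectors: a data type that shows
// "not connected" on the connector page will have no rows here.
union isfuzzy=true withsource=TableName
    SigninLogs,                          // Entra ID: interactive user sign-ins
    AADNonInteractiveUserSignInLogs,     // Entra ID: non-interactive user sign-ins
    AADServicePrincipalSignInLogs,       // Entra ID: service principal sign-ins
    AADManagedIdentitySignInLogs,        // Entra ID: managed identity sign-ins
    AuditLogs,                           // Entra ID: audit log
    AADProvisioningLogs,                 // Entra ID: provisioning log
    AADUserRiskEvents,                   // Entra ID Protection: user risk events
    AADRiskyUsers,                       // Entra ID Protection: risky users
    OfficeActivity,                      // Microsoft 365: Exchange, SharePoint, Teams
    SecurityAlert                        // Alerts, incl. Entra ID Protection
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated) by TableName
| order by LastSeen desc

// Separate query (run it on its own): the Usage table records ingestion per
// table, so it lists every data type that has landed in the workspace without
// naming the tables up front. Quantity is in MB.
Usage
| where TimeGenerated > ago(24h)
| summarize IngestedMB = sum(Quantity) by DataType
| order by IngestedMB desc
```

If a table is missing from both results, no events of that type have been ingested yet, which matches the answer: the connector page turns green per data type only after data arrives, not when the configuration box is ticked.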

1 additional answer

  1. Clive Watson 7,006 Reputation points MVP
    2024-01-18T10:24:31.8+00:00

    Hi, so for Entra you haven't ticked all the boxes (in the screenshot provided), so the unticked logs won't show up - e.g. "Non-interactive User Sign-in" isn't selected, so you won't get logs.

    Also remember the connector won't go green until there is data sent, so in the case of M365, you might be able to connect, but until something is sent there won't be any data, so it will show as disconnected.

    [screenshot]

    Also make sure you are using the version in the [Content hub] blade - that is where all data connector deployments should be done now.

    1 person found this answer helpful.
