Microsoft Sentinel - Data connector shows disconnected after installing

Someiah C S 60 Reputation points
2024-04-03T09:28:25.2866667+00:00

We recently activated Sentinel to give it a trial run. I set up a separate workspace for Sentinel and installed some data connectors. However, the WAF is still showing as disconnected even after installing and configuring it.


We've only got WAF, not Front Door, so I set up a diagnostic setting to send logs to the Sentinel workspace. However, it still shows as disconnected. I've even tried reinstalling it, but nothing seems to be working.


I manually performed some basic attacks to generate some logs, and while they're showing up in the workspace logs, they're not appearing in Sentinel. Could it be because the destination table should be set to Azure Diagnostics instead of resource-specific?


Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. Clive Watson 5,716 Reputation points MVP
    2024-04-03T09:45:59.6666667+00:00

    Correct, that Solution assumes the data is in AzureDiagnostics.

    https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Web%20Application%20Firewall%20(WAF)/Data%20Connectors/template_WAF.JSON which you can see from the example.

    As data is coming in, you are working (but the connector will always be "disconnected"). Workbooks or Analytics won't be using your Tables, so you could amend them to match or revert to AzureDiagnostics.
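
A query to confirm which table the diagnostic setting is actually writing WAF firewall logs to, added here as an example (it is not part of the answer above or of the Sentinel solution). It assumes an Application Gateway WAF, whose resource-specific table is `AGWFirewallLogs` and whose `AzureDiagnostics` category is `ApplicationGatewayFirewallLog`; the 7-day window is an arbitrary choice.

```kusto
// Run in the Log Analytics workspace that backs Sentinel.
// isfuzzy=true lets the union succeed even if one of the tables
// does not exist in the workspace yet.
union isfuzzy=true
    (
        // Legacy destination: the one the WAF solution's content expects
        AzureDiagnostics
        | where Category == "ApplicationGatewayFirewallLog"
        | extend SourceTable = "AzureDiagnostics"
    ),
    (
        // Resource-specific destination selected in the diagnostic setting
        AGWFirewallLogs
        | extend SourceTable = "AGWFirewallLogs"
    )
| where TimeGenerated > ago(7d)
| summarize Events = count(), LastLogReceived = max(TimeGenerated) by SourceTable
// Only rows landing in AzureDiagnostics are visible to content written against that table
| extend VisibleToAzureDiagnosticsContent = (SourceTable == "AzureDiagnostics")
```

If the only row returned is `AGWFirewallLogs`, ingestion is working but workbooks and analytics rules written against `AzureDiagnostics` will return nothing until they are amended or the diagnostic setting is switched back.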


