Troubleshoot disconnected state of Sentinel data connector for Cisco AMP

Question

Troubleshoot disconnected state of Sentinel data connector for Cisco AMP

Al2020s 5

Follow the steps for ARM deployment according to https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-secure-endpoint-amp?source=recommendations
Connector was deployed but it is in the disconnected state.

All parameters in ARM template were entered accordingly. How can I troubleshoot it?

Pauline Mbabu 925 Reputation points Microsoft Employee

2025-04-28T13:45:38.9366667+00:00

Hello @Al2020s ,
Is the Data Connector still showing as Disconnected?
After you configure the data connector, it might take some time for the data to be ingested into Microsoft Sentinel. When the data connector is connected, you see a summary of the data in the Data received graph, and the connectivity status of the data types.
If the Data is still not being streamed after some time, and the connector remains in a disconnected state, it is important to check the configuration and ensure that all prerequisites are met. Kindly do let me know if this is the case.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-29T17:26:29.25+00:00

Hello @Al2020s,

Following up to check if the provided information was helpful. If you have any further question or query, do let us know.
Al2020s 5 Reputation points

2025-04-29T18:53:12.65+00:00
Hi Jyotishree Moharana,

Thank you for your suggestions.

last refresh time Cisco AMP for Endpoints:

I checked all IDs, keys, and deleted/recreated data connector with the same results.

Yes, on Cisco side API has read rights.

The link to Cisco API is api.amp.cisco.com (default in the template)
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-30T15:15:04.4633333+00:00

Could you please try regenerating the key and update the new one in Sentinel and test once.

Also please try querying your API from your local machine using Postman or any other tool and check what result you're receiving.

If there is any firewall restrictions in your environment, please ensure that the API api.amp.cisco.com is allowed on port 443.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-05-03T05:33:31.0666667+00:00

Hello @Al2020s,

Thank you for the update. Glad to hear that the issue is now resolved.

2 answers

Your answer

Pauline Mbabu 925 Reputation points Microsoft Employee

2025-04-28T13:45:38.9366667+00:00

Hello @Al2020s ,
Is the Data Connector still showing as Disconnected?
After you configure the data connector, it might take some time for the data to be ingested into Microsoft Sentinel. When the data connector is connected, you see a summary of the data in the Data received graph, and the connectivity status of the data types.
If the Data is still not being streamed after some time, and the connector remains in a disconnected state, it is important to check the configuration and ensure that all prerequisites are met. Kindly do let me know if this is the case.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-29T17:26:29.25+00:00

Hello @Al2020s,

Following up to check if the provided information was helpful. If you have any further question or query, do let us know.
Al2020s 5 Reputation points

2025-04-29T18:53:12.65+00:00

Hi Jyotishree Moharana,

Thank you for your suggestions.

last refresh time Cisco AMP for Endpoints:

I checked all IDs, keys, and deleted/recreated data connector with the same results.

Yes, on Cisco side API has read rights.

The link to Cisco API is api.amp.cisco.com (default in the template)
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-30T15:15:04.4633333+00:00

Could you please try regenerating the key and update the new one in Sentinel and test once.

Also please try querying your API from your local machine using Postman or any other tool and check what result you're receiving.

If there is any firewall restrictions in your environment, please ensure that the API api.amp.cisco.com is allowed on port 443.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-05-03T05:33:31.0666667+00:00

Hello @Al2020s,

Thank you for the update. Glad to hear that the issue is now resolved.

Answer 1

Al2020s 5

Hello,

Thank you all. The issue is resolved. I opened a case with Microsoft support: I was told that everything is set correctly but the issue was on their side, and they made some changes on backend. They did not provide me any details.

Answer 2

Hello @Al2020s,

Few things can be checked to troubleshoot the issue.

Under Data connector, check the last refresh time Cisco AMP for Endpoints, check if there are any error messages. Check the diagnostic logs for any error messages that would indicate the reason causing the issue.
Check if the API key used for the connector is valid, verify AMP for Endpoints API endpoint is correct. You can test the connection to the API using Postman to confirm if it is accessible. Try re-authorizing i.e. removing and adding the API key again or you can regenerate API key from Cisco console and update in Sentinel. Verify that the API key has the necessary permissions (read permissions for events, alerts, etc.) to allow data collection. Check if AMP endpoint URL is correctly entered. The endpoint URL should match the one required by Cisco for the API (verify from Cisco AMP documentation).
Check for any firewall or proxy rules setup in the server hosting the connector, if there is any blocking.
From Cisco AMP Console ensure that the API Access is enabled for the required data. Check for any throttling issues that might affect the connection. Verify if the data sharing settings are configured correctly.

Share via

Troubleshoot disconnected state of Sentinel data connector for Cisco AMP

2 answers

Your answer