Send subscription activity logs to Sentinel?

Felix Chan 1 Reputation point
2021-04-21T22:48:01.843+00:00

Hello,
I'd like to find out how to send activity logs for multiple subscriptions to Azure Sentinel.

I found in the docs https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-activity that the data source can be enabled within a few clicks in the console. But how would you do this programmatically for multiple subscriptions? I found that there are PS Cmdlets and Azure CLI command flags for doing this for Azure AD, ATP, and O365 data connectors, but not activity logs.

Microsoft Sentinel

2 answers

  1. Marilee Turscak-MSFT 20,596 Reputation points Microsoft Employee
    2021-04-21T23:04:24.48+00:00

    As you mentioned, there does not seem to be an option to send activity logs to Azure Sentinel programmatically yet. Usually the instructions like the one you linked would go over the various possible methods.

    If you would like to request this capability, you can create a feature request in user voice.


  2. Andrew Blumhardt 6,636 Reputation points Microsoft Employee
    2022-05-02T21:57:11.543+00:00

    Following up. When you activate the Azure Activity connector for Sentinel you enable a tenant-level policy. It will activate all current and future subscriptions to send activity logs to Sentinel. No need to set up diagnostics manually.

    The following link may help if the connector instructions in the portal are unclear.

    https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services?tabs=SA%2CAMA#diagnostic-settings-based-connections

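For readers who still want to drive this from a script per subscription (the diagnostic-settings route the second answer links to) rather than through the connector's tenant policy, here is an added example that is not from either answer or from Microsoft's docs. It uses the Azure CLI `az monitor diagnostic-settings create` command at subscription scope; the workspace resource ID and setting name are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: create the Activity log diagnostic setting
# on each subscription so it streams to one Sentinel (Log Analytics) workspace.
# Needs Azure CLI with an active login; DRY_RUN=1 prints the commands instead.
set -eu

# Assumed placeholder values; replace WORKSPACE_ID with the real workspace resource ID.
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws}"
SETTING_NAME="${SETTING_NAME:-send-to-sentinel}"

# All Activity log categories. A category that is not listed as enabled is not
# forwarded, so a partial list silently drops events such as Security or Policy.
ACTIVITY_CATEGORIES="Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth"

# Emit the JSON array expected by --logs, one enabled entry per category.
build_logs_json() {
  out=""
  for cat in $ACTIVITY_CATEGORIES; do
    out="${out:+$out,}{\"category\":\"$cat\",\"enabled\":true}"
  done
  printf '[%s]' "$out"
}

# The Activity log lives at subscription scope, so --resource is the
# subscription itself rather than an individual resource.
set_activity_log_diag() {
  sub_id="$1"
  logs="$(build_logs_json)"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'az monitor diagnostic-settings create --name %s --resource /subscriptions/%s --workspace %s --logs %s\n' \
      "$SETTING_NAME" "$sub_id" "$WORKSPACE_ID" "$logs"
    return 0
  fi
  az monitor diagnostic-settings create --name "$SETTING_NAME" \
    --resource "/subscriptions/$sub_id" --workspace "$WORKSPACE_ID" --logs "$logs"
}

# Apply to the subscription IDs given as arguments, or to every enabled
# subscription visible to the signed-in identity when none are given.
enable_for_subscriptions() {
  if [ "$#" -eq 0 ]; then
    set -- $(az account list --query "[?state=='Enabled'].id" -o tsv)
  fi
  for sub in "$@"; do
    set_activity_log_diag "$sub"
  done
}

# Run only when RUN_NOW=1 so the functions can also be sourced or dry-run.
if [ "${RUN_NOW:-0}" = 1 ]; then
  enable_for_subscriptions "$@"
fi
```

Run with `DRY_RUN=1 RUN_NOW=1 ./script.sh` first to review the generated commands before applying them; re-running is safe because the setting name is fixed and the call updates the existing setting.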