How connectivityCriteria works in Sentinel

Question

Regarding the below sample json-code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel.

1/Specifically, what happens when the KQL query within returns a positive result?

2/And suppose our server hasn't sent any events to Sentinel for an extended period, like 30 days. How can our server prove that the connection is still operational under these circumstances?

Thank you!

"connectivityCriteria": [
  {
    "type": "IsConnectedQuery",
    "value": [
      "GitHubAuditLogPolling_CL \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
    ]
  }
],

Answer 1

@LXF Thank you for reaching out to us, above information looks good to me, however I will try to explain the same in different words

The connectivityCriteria property in Azure Sentinel is used to define a set of criteria that determine whether a data connector is connected and operational.

In the case of the IsConnectedQuery type, the value property contains a Kusto Query Language (KQL) query that is used to determine whether the data connector is connected. The query in the example you provided checks whether the GitHubAuditLogPolling_CL table has received any logs in the last 30 days. If the query returns a positive result (i.e., IsConnected = true), then the data connector is considered to be connected and operational.

If your server hasn't sent any events to Sentinel for an extended period, like 30 days, then the query in the IsConnectedQuery criteria will return IsConnected = false, indicating that the data connector is not connected. To ensure that the data connector remains connected, you should configure your server to send events to Sentinel on a regular basis. You can also adjust the ago() function in the query to a shorter time period to ensure that the data connector is checked more frequently.

I hope this helps! Let me know if you have any further questions.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

Hi @LXF,

Your question: Specifically, what happens when the KQL query within returns a positive result?

Reply: When the KQL query within the IsConnectedQuery returns a positive result, it means that the data connector is successfully ingesting data. In this specific case, the query checks whether the LastLogReceived (the most recent log timestamp) is greater than 30 days ago. If the result is positive (i.e., IsConnected = true), the data connector is considered connected.

Your question: And suppose our server hasn't sent any events to Sentinel for an extended period, like 30 days. How can our server prove that the connection is still operational under these circumstances?

Reply: If your server hasn’t sent any events to Sentinel for an extended period (e.g., 30 days), the query will evaluate to false. In other words, the data connector will be considered disconnected if no logs have been received within the specified timeframe. To prove that the connection is still operational, you’ll need to ensure that your server starts sending events again.

The IsConnectedQuery helps monitor the health of data connectors, but it doesn’t actively test connectivity. If your server remains inactive for an extended period, consider investigating why no logs are being sent and take appropriate action to resume data ingestion.