Microsoft sentinel - Data connector shows disconnected after installing

Someiah C S 80 Reputation points
2024-04-03T09:28:25.2866667+00:00

We recently activated Sentinel to give it a trial run. I set up a separate workspace for Sentinel and installed some data connectors. However, the WAF is still showing as disconnected even after installing and configuring it.

User's image

We've only got WAF, not Front Door, so I set up a diagnostic setting to send logs to the Sentinel workspace. However, it still shows as disconnected. I've even tried reinstalling it, but nothing seems to be working.

User's image

I manually performed some basic attacks to generate some logs, and while they're showing up in the workspace logs, they're not appearing in Sentinel. Could it be because the destination table should be set to Azure Diagnostics instead of resource-specific?

User's image

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,135 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
258 questions
0 comments
Accepted answer
  1. Clive Watson 6,356 Reputation points MVP
    2024-04-03T09:45:59.6666667+00:00

    Correct, that Solution assumes the data is in AzureDiagnostics

    https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Web%20Application%20Firewall%20(WAF)/Data%20Connectors/template_WAF.JSON Which you can see from the example
    User's image

    As data is coming in, you are working (but the connector will always be "disconnected"). Workbooks or Analytics wont be using your Tables, so you could amended them to match or revert to AzureDiagnostics

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.