![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 62%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,123 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Matthew Agosta Apologies for the delayed response in reviewing this post, Yes it is possible that the disconnected status of the 'Common Event Format via AMA' Data Connector is due to the lack of a Data Collection Rule associated with it. A Data Collection Rule is used to specify which logs should be collected by a Data Connector. Without a Data Collection Rule, the Data Connector may not be able to collect any logs, which could result in a disconnected status.
Review this documentation where it states DCR is required to have logs ingested in Sentinel - https://video2.skills-academy.com/en-us/azure/sentinel/connect-cef-syslog-ama?tabs=portal#:~:text=TLS%20%E2%80%93%20syslog%2Dng-,Configure%20the%20data%20connector,-The%20setup%20process
Feel free to reach out if you have any more questions. If you've already found a solution, please consider sharing it here to benefit other community members.