Azure Sentinel blog: Moving Azure Activity Connector to an improved method

 Title: Moving Azure
Activity Connector to an improved method



The Activity log is a platform log in Azure that provides insight into
subscription-level events. This includes such information as when a resource is
modified or when a virtual machine is started. You can view the Activity log in
the Azure portal or retrieve entries with PowerShell and CLI. For additional
functionality, you should create a diagnostic setting to send the Activity log
to your Azure Sentinel.



What changed?

The Azure Activity connector used a legacy method for collecting Activity
log events, prior to its adoption of the diagnostic settings pipeline. If
you’re using this legacy method, you are strongly encouraged to upgrade to the
new pipeline, which provides better functionality and consistency with resource

Diagnostic settings send the same data as the legacy method used to send the
Activity log with some changes to the structure of the AzureActivity table.

The columns in the following table have been deprecated in the updated
schema. They still exist in AzureActivity but
they will have no data. The replacement for these columns are not new, but they
contain the same data as the deprecated column. They are in a different format,
so in the event, you have any private or internal content (such as hunting
queries, analytics rules, workbooks, etc.) based on the deprecated columns, you
may need to modify it and make sure that it points to the right columns.





Here are some of the key improvements resulting from the move to the
diagnostic settings pipeline:

  • Improved ingestion latency (event ingestion within 2-3
    minutes of occurrence instead of 15-20 minutes).
  • Improved reliability.
  • Improved performance.
  • Support for all categories of events logged by the
    Activity log service (the legacy mechanism supports only a subset – for
    example, no support for Service Health events).
  • Management at scale with Azure policy.
  • Support for MG-level activity logs (coming in preview now).


Set up the (new) Azure Activity connector

The new Azure Activity connector includes two main steps- Disconnect the existing
subscriptions from the legacy method, and then Connect all the relevant subscriptions to the
new diagnostics settings pipeline via azure policy.








Please go to Connect Azure Activity log data to Azure Sentinel to learn
more about the new connector experience.