Edit

Connect Microsoft Sentinel to other Microsoft services by using diagnostic settings-based connections

  • Article

This article describes how to connect to Microsoft Sentinel by using diagnostic settings connections. Microsoft Sentinel uses the Azure foundation to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, Amazon Web Services, and various Windows Server services. There are a few different methods through which these connections are made.

This article presents information that is common to the group of data connectors that use diagnostic settings-based connections. Some of these types of connectors are managed by using Azure Policy. For the other connectors of this type, use the standalone instructions.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Standalone diagnostic settings-based connectors

This section covers prerequisites and general installation instructions for the group of data connectors that use standalone diagnostic settings-based connections.

Prerequisites

To ingest data into Microsoft Sentinel:

  • You must have read and write permissions on the Microsoft Sentinel workspace.

Instructions

  1. From the Microsoft Sentinel navigation menu, select Data connectors.

  2. Select your resource type from the data connectors gallery, and then select Open Connector Page on the preview pane.

  3. In the Configuration section of the connector page, select the link to open the resource configuration page.

    If presented with a list of resources of the desired type, select the link for a resource whose logs you want to ingest.

  4. From the resource navigation menu, select Diagnostic settings.

  5. Select + Add diagnostic setting at the bottom of the list.

  6. In the Diagnostics settings screen, enter a name in the Diagnostic settings name field.

    Mark the Send to Log Analytics check box. Two new fields will be displayed below it. Choose the relevant Subscription and Log Analytics Workspace (where Microsoft Sentinel resides).

  7. Mark the check boxes of the types of logs and metrics you want to collect. See our recommended choices for each resource type in the section for the resource's connector in the Data connectors reference page.

  8. Select Save at the top of the screen.

For more information, see also Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations in the Azure Monitor documentation.

Azure Policy managed diagnostic settings-based connectors

This section covers prerequisites and general installation instructions for the group of data connectors that use Azure Policy managed diagnostic settings-based connections.

Prerequisites

To ingest data into Microsoft Sentinel:

  • You must have read and write permissions on the Microsoft Sentinel workspace.

  • To use Azure Policy to apply a log streaming policy to your resources, you must have the Owner role for the policy assignment scope.

  • Data connector specific requirements:

    Data connector Licensing, costs, and other information
    Azure Activity This connector now uses the diagnostic settings pipeline. If you're using the legacy method, you must disconnect the existing subscriptions from the legacy method before setting up the new Azure Activity log connector.

    1. From the Microsoft Sentinel navigation menu, select Data connectors. From the list of connectors, select Azure Activity, and then select the Open connector page button on the lower right.
    2. Under the Instructions tab, in the Configuration section, in step 1, review the list of your existing subscriptions that are connected to the legacy method, and disconnect them all at once by clicking the Disconnect All button below.
    3. Continue setting up the new connector with the instructions in this section.
    Azure DDoS Protection - Configured Azure DDoS Standard protection plan.
    - Configured virtual network with Azure DDoS Standard enabled
    - Other charges may apply
    - The Status for Azure DDoS Protection Data Connector changes to Connected only when the protected resources are under a DDoS attack.
    Azure Storage Account The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.
    When configuring diagnostics for a storage account, you must select and configure:

    - The parent account resource, exporting the Transaction metric.
    - Each of the child storage-type resources, exporting all the logs and metrics.

    You will only see the storage types that you actually have defined resources for.

Instructions

Connectors of this type use Azure Policy to apply a single diagnostic settings configuration to a collection of resources of a single type, defined as a scope. You can see the log types ingested from a given resource type on the left side of the connector page for that resource, under Data types.

  1. From the Microsoft Sentinel navigation menu, select Data connectors.

  2. Select your resource type from the data connectors gallery, and then select Open Connector Page on the preview pane.

  3. In the Configuration section of the connector page, expand any expanders you see there and select the Launch Azure Policy Assignment wizard button.

    The policy assignment wizard opens, ready to create a new policy, with a policy name pre-populated.

    1. In the Basics tab, select the button with the three dots under Scope to choose your subscription (and, optionally, a resource group). You can also add a description.

    2. In the Parameters tab:

      • Clear the Only show parameters that require input check box.
      • If you see Effect and Setting name fields, leave them as is.
      • Choose your Microsoft Sentinel workspace from the Log Analytics workspace drop-down list.
      • The remaining drop-down fields represent the available diagnostic log types. Leave marked as “True” all the log types you want to ingest.

    3. The policy will be applied to resources added in the future. To apply the policy on your existing resources as well, select the Remediation tab and mark the Create a remediation task check box.

    4. In the Review + create tab, click Create. Your policy is now assigned to the scope you chose.

With this type of data connector, the connectivity status indicators (a color stripe in the data connectors gallery and connection icons next to the data type names) will show as connected (green) only if data has been ingested at some point in the past 14 days. Once 14 days have passed with no data ingestion, the connector will show as being disconnected. The moment more data comes through, the connected status will return.

You can find and query the data for each resource type using the table name that appears in the section for the resource's connector in the Data connectors reference page. For more information, see Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations in the Azure Monitor documentation.

Next steps

For more information, see: