Forum Discussion
gcorsini
Oct 31, 2021, Copper Contributor
Log data for connecting and disconnecting Sentinel Data Connectors
Just wondering if anyone has any knowledge of where log data for connecting and disconnecting Sentinel Data connectors might be stored. We ran into this scenario in my production environment where the Azure Active Directory connectors for AuditLogs and SigninLogs were suddenly disconnected and no one has any record of when or why. I've since turned the connectors back on but I can't isolate the event or actor where the log was turned off.
Has anyone had any experience with this, or could point me to a doc where I might generate a query to find this event? I can see roughly when the logs were turned off, and they were off for over a week.
MattBurrows, Brass Contributor
Without physically testing the AAD connector myself, going off the link below I would assume the logs should be in the Azure Activity table. I've made changes to the DNS connector recently which involved turning it off/on and I could see the events in the logs. Hope this helps.
https://docs.microsoft.com/en-us/azure/sentinel/audit-sentinel-data
MICROSOFT SENTINEL DATA INCLUDED IN AZURE ACTIVITY LOGS

Operation: Deleted
Information types: Alert rules, Bookmarks, Data connectors, Incidents, Saved searches, Settings, Threat intelligence reports, Watchlists, Workbooks, Workflow

Operation: Updated
Information types: Alert rules, Bookmarks, Cases, Data connectors, Incidents, Incident comments, Threat intelligence reports, Workbooks, Workflow
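A KQL query that puts the doc excerpt above to work, as an added example that is not part of either post or of the linked doc: it pulls every successful create/update/delete of a Sentinel data connector out of AzureActivity together with the caller and source IP, which is what the original question needs to pin down when and by whom the AuditLogs/SigninLogs connector was turned off. It assumes the Azure Activity connector was already shipping the subscription's activity log into the workspace while the connector was down (otherwise the rows were never collected), that Sentinel operations appear under the MICROSOFT.SECURITYINSIGHTS provider with DATACONNECTORS in the operation name, and a 45-day window you should replace with the period in which the logs stopped.

```kusto
// Added example, not from the original thread or the linked doc.
// Assumptions: Azure Activity log was connected to this workspace during the gap,
// Sentinel operations are logged as MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/<verb>,
// and the 45-day window covers the period in which AuditLogs/SigninLogs stopped.
AzureActivity
| where TimeGenerated between (ago(45d) .. now())
// 'has' is case-insensitive term matching, so this catches both casings of the provider
| where OperationNameValue has "SECURITYINSIGHTS" and OperationNameValue has "DATACONNECTORS"
// Keep only the completed outcome; "Start" rows would double-count every action
| where ActivityStatusValue in~ ("Succeeded", "Success")
// Translate the ARM verb into the Deleted/Updated vocabulary used by the doc table
| extend Action = case(OperationNameValue endswith "/DELETE", "Deleted",
                       OperationNameValue endswith "/WRITE",  "Created or updated",
                       OperationNameValue)
// Last path segment of the resource ID is the connector's ID; '(?i)' keeps the match case-insensitive
| extend Connector = extract(@"(?i)dataconnectors/([^/]+)$", 1, _ResourceId)
| project TimeGenerated, Action, Connector, Caller, CallerIpAddress,
          SubscriptionId, ResourceGroup, OperationNameValue, CorrelationId, Properties
| order by TimeGenerated asc
```

Read the Deleted rows first: a connector that was "turned off" in the portal shows up as a DELETE on the data connector resource, and Caller tells you whether it was a user, a service principal, or an automation identity. If nothing matches but the gap is real, check that the Azure Activity connector itself was connected for that subscription during the window, and note that the Azure AD connector also depends on an Azure AD diagnostic setting (under the microsoft.aadiam provider) that routes AuditLogs and SigninLogs to the workspace; if that setting was edited directly rather than through the Sentinel connector page, the trail is a microsoft.aadiam/diagnosticSettings write or delete rather than a SecurityInsights operation.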