A
AndreaFisher
Several Sentinel users raised the alarm that several of the data connectors they were using suddenly show as deprecated in the user interface.
The first thing you need to know is that your data has not stopped flowing. It’s still being happily delivered to the CommonSecurityLog or Syslog table. The analytic rules are still applying to the data. Workbooks and Playbooks should work exactly the same way they always have.
This change was actually meant to be a benefit. We’ve recently deprecated the log analytics agent – sometimes referred to as an MMA or OMS agent – and replaced it with the shiny new Azure Monitor Agent (AMA). There are many benefits to moving to the AMA agent including faster performance and its support for multihoming. Learn more about them here.
But for our purposes, the benefit is that instead of needing lots of different connectors based on specific solutions, you can use a single connector (Common Event Format for AMA) for anything that will write to the CommonSecurityLog. There is another one called the Syslog for AMA that does the same for Syslog. Documentation on how to install the CEF and Syslog data connectors can be found here.
I do have one more gotcha for you. If you have already shifted to the Common Event Format data connector and want to tidy up by deleting the deprecated connectors, you can’t. You’ll get an error. A fix is on the way.
Continue reading...
The first thing you need to know is that your data has not stopped flowing. It’s still being happily delivered to the CommonSecurityLog or Syslog table. The analytic rules are still applying to the data. Workbooks and Playbooks should work exactly the same way they always have.
This change was actually meant to be a benefit. We’ve recently deprecated the log analytics agent – sometimes referred to as an MMA or OMS agent – and replaced it with the shiny new Azure Monitor Agent (AMA). There are many benefits to moving to the AMA agent including faster performance and its support for multihoming. Learn more about them here.
But for our purposes, the benefit is that instead of needing lots of different connectors based on specific solutions, you can use a single connector (Common Event Format for AMA) for anything that will write to the CommonSecurityLog. There is another one called the Syslog for AMA that does the same for Syslog. Documentation on how to install the CEF and Syslog data connectors can be found here.
I do have one more gotcha for you. If you have already shifted to the Common Event Format data connector and want to tidy up by deleting the deprecated connectors, you can’t. You’ll get an error. A fix is on the way.
Continue reading...