This article is contributed. See the original author and article here.
The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. For additional functionality, you should create a diagnostic setting to send the Activity log to your Azure Sentinel.
The Azure Activity connector used a legacy method for collecting Activity log events, prior to its adoption of the diagnostic settings pipeline. If you’re using this legacy method, you are strongly encouraged to upgrade to the new pipeline, which provides better functionality and consistency with resource logs.
Diagnostic settings send the same data as the legacy method used to send the Activity log with some changes to the structure of the AzureActivity table.
The columns in the following table have been deprecated in the updated schema. They still exist in AzureActivity but they will have no data. The replacement for these columns are not new, but they contain the same data as the deprecated column. They are in a different format, so in the event, you have any private or internal content (such as hunting queries, analytics rules, workbooks, etc.) based on the deprecated columns, you may need to modify it and make sure that it points to the right columns.
Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:
- Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
- Improved reliability.
- Improved performance.
- Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset – for example, no support for Service Health events).
- Management at scale with Azure policy.
- Support for MG-level activity logs (coming in preview now).
Set up the (new) Azure Activity connector
The new Azure Activity connector includes two main steps- Disconnect the existing subscriptions from the legacy method, and then Connect all the relevant subscriptions to the new diagnostics settings pipeline via azure policy.
Please go to Connect Azure Activity log data to Azure Sentinel to learn more about the new connector experience.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.