Connect the Azure Activity connector
The Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure. The events included are from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. The Azure Activity Data connector uses Azure Policy to apply an Azure Subscription log-streaming pipeline that sends the event data to Log Analytics.
Important
As a prerequisite, your user account must be assigned the Owner role on the relevant subscription.
Install the solution
Start by installing the solution that contains the data connector.
- For Microsoft Sentinel in the Azure portal, under Content management, select Content hub.
  For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Content management > Content hub.
- Search for and select Azure Activity.
- On the right-hand side pane, select Install.
Configure the data connector
After the solution is installed, connect the data connector.
In the Microsoft Sentinel left navigation menu, expand Configuration and select Data connectors.
Select the Azure Activity Data connector.
Select Open connector page.
In the Instructions/Configuration area, scroll down and under 2. Connect your subscriptions... select Launch Azure Policy Assignment Wizard.
In the Basics tab, select the ellipsis button (...) under Scope, select your "Azure subscription" from the drop-down list, and then select Select.
Select the Parameters tab and choose your yourName-sentinel workspace from the Primary Log Analytics workspace drop-down list.
Select the Remediation tab and select the Create a remediation task checkbox. This action applies the subscription configuration to send the information to the Log Analytics workspace.
Note
To apply the policy to your existing resources, you need to create a remediation task.
Select the Review + Create button to review the configuration.
Select Create to finish.
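To confirm that the pipeline configured above is delivering events, the following query can be run in the Logs page of the workspace chosen on the Parameters tab. It is an added example, not part of the original instructions; it assumes the standard AzureActivity table, and the 24-hour window is an arbitrary choice.

```kql
// Added verification example (not from the original page).
// Shows, per subscription and Activity Log category, how many events
// arrived in the last 24 hours, when the newest one was generated,
// and the worst-case delay between event time and ingestion.
AzureActivity
| where TimeGenerated > ago(24h)
| extend IngestionDelay = ingestion_time() - TimeGenerated
| summarize
    Events = count(),
    LastEvent = max(TimeGenerated),
    MaxIngestionDelay = max(IngestionDelay),
    DistinctCallers = dcount(Caller)
    by SubscriptionId, CategoryValue
| order by SubscriptionId asc, CategoryValue asc
```

A subscription that was assigned the policy but does not appear in the result has no Activity Log events in the workspace for that window, which is the case to investigate if the remediation task was skipped.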