Sentinel Azure Activity Data Connector Coverage

# Sentinel - Azure Activity Connector - log collection coverage

## Query Information

### Description

Use the query below to identify Azure subscriptions that are not monitored by the Azure Activity Data Connector in Microsoft Sentinel, i.e. subscriptions for which no Activity Log records have been ingested into the AzureActivity table.

#### References

- [Azure Activity connector for Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/azure-activity)
- [Moving Azure Activity Connector to an improved method](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/moving-azure-activity-connector-to-an-improved-method/ba-p/2479552)

### Microsoft Sentinel

```kql
// Identify Azure Subscriptions that are not monitored by the Azure Activity Data Connector in Sentinel
// All subscriptions visible to Azure Resource Graph (cross-service query via arg(""))
let allsubscriptions =
    arg("").resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | distinct subscriptionId, name;
allsubscriptions
// Left outer join keeps every subscription, including those with no rows in AzureActivity
| join kind=leftouter (
    AzureActivity
    | extend AzureActivitySubscriptionId = SubscriptionId
    | distinct AzureActivitySubscriptionId
) on $left.subscriptionId == $right.AzureActivitySubscriptionId
// No match on the right side means no Activity Log rows were ingested for that subscription
| extend IsMonitored = iff(isempty(AzureActivitySubscriptionId), "No", "Yes")
| project subscriptionId, name, AzureActivitySubscriptionId, IsMonitored
```

Explanation

This query identifies Azure subscriptions that are not monitored by the Azure Activity Data Connector in Sentinel. It retrieves every subscription from Azure Resource Graph and left-joins that list to the AzureActivity table; a subscription with no matching row has produced no Activity Log records within the query's time range and is flagged as unmonitored. The result lists the subscription ID, name, the matching Azure Activity subscription ID (empty when unmonitored) and the IsMonitored flag. Because the check depends on logs actually having arrived, a low-activity subscription can appear unmonitored if the time range is short; widen the range before treating a "No" as a connector gap.
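The following variant is an added example and is not part of the original page or the author's query. It extends the same join with a fixed look-back window, the time of the last ingested Activity Log record and an event count per subscription, so that a subscription whose logs stopped arriving (stale coverage) can be separated from one that was never connected. It assumes the same arg("") cross-service access to Azure Resource Graph as the query above, and that the resourcecontainers table exposes the subscription state (Enabled/Disabled) under properties.state.

```kql
// Added example (not from the original page): coverage with last-seen time and subscription state.
// Assumes arg("") cross-service access to Azure Resource Graph and that
// resourcecontainers exposes the subscription state under properties.state.
let lookback = 30d;
let allsubscriptions =
    arg("").resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, name, state = tostring(properties.state);
// One row per subscription that has produced Activity Log records in the window
let activity =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | summarize LastActivity = max(TimeGenerated), EventCount = count()
        by ActivitySubscriptionId = SubscriptionId;
allsubscriptions
| join kind=leftouter activity on $left.subscriptionId == $right.ActivitySubscriptionId
// Unmatched subscriptions have a null LastActivity after the left outer join
| extend IsMonitored = iff(isnull(LastActivity), "No", "Yes")
// Stale: records exist in the window but none in the last 7 days
| extend IsStale = iff(IsMonitored == "Yes" and LastActivity < ago(7d), "Yes", "No")
| project subscriptionId, name, state, IsMonitored, IsStale, LastActivity, EventCount
| order by IsMonitored asc, state asc
```

Disabled subscriptions legitimately produce no Activity Log records, so the state column lets you exclude them before raising a connector-coverage finding; the IsStale flag points at subscriptions where collection may have broken recently rather than never having been configured.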

Details

Alex Verboon

Released: September 18, 2023

Tables

AzureActivity

Keywords

Azure,Subscriptions,AzureActivityDataConnector,Sentinel
