Microsoft Sentinel - TAXII Connector failures
Sentinel Taxii Connector Failures
Query
AzureActivity
| where Level == "Error"
| where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE"
| extend resourceGroup_ = tostring(parse_json(Properties).resourceGroup)
| extend code = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).statusMessage)).error)).code)
| extend message = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).statusMessage)).error)).message)
| where message contains "TAXII"
| project TimeGenerated, ResourceGroup, Caller, code, messageAbout this query
Microsoft Sentinel - TAXII Connector failures
Query Information
Description
When configuring the TAXII Connector in Sentinel, you might get the follwing error message.
Failed to add TAXII connector: The TAXII connector could not be configured due to an unexpected error.
Use the below query to retrieve Microsoft Sentinel TAXII Connector errors from the Azure Activity log.
Tip: Make sure that you have the latest version of the TAXII connector installed, check the Sentinel Content Hub for updates.
Log Analytics (requires Azure Activity logs)
Explanation
This query retrieves errors related to the Microsoft Sentinel TAXII Connector from the Azure Activity log. It filters for error level logs and specifically looks for the operation of adding the TAXII connector. It extracts the resource group, error code, and error message from the log properties. It further filters for logs that contain the word "TAXII" in the error message. The query then projects the time generated, resource group, caller, error code, and error message for the identified errors.
Details

Alex Verboon
Released: February 3, 2024
Tables
Keywords
Operators