# Microsoft Sentinel - TAXII Connector failures

## Query Information

### Description

When configuring the TAXII Connector in Sentinel, you might get the following error message:

> Failed to add TAXII connector: The TAXII connector could not be configured due to an unexpected error.

Use the query below to retrieve Microsoft Sentinel TAXII Connector errors from the Azure Activity log.

Tip: Make sure that you have the latest version of the TAXII connector installed; check the Sentinel Content Hub for updates.

### Log Analytics (requires Azure Activity logs)

```kql
AzureActivity
// Failed write operations against Sentinel data connectors
| where Level == "Error"
| where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE"
| extend resourceGroup_ = tostring(parse_json(Properties).resourceGroup)
// The error object is nested as JSON inside Properties.statusMessage, so each level is parsed in turn
| extend code = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).statusMessage)).error)).code)
| extend message = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).statusMessage)).error)).message)
// Keep only errors that mention the TAXII connector
| where message contains "TAXII"
| project TimeGenerated, ResourceGroup, Caller, code, message
```

### Explanation

This query retrieves errors related to the Microsoft Sentinel TAXII Connector from the Azure Activity log. It filters for error-level entries and for the data connector write operation (`MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE`), which is the operation logged when the TAXII connector is added. It extracts the resource group, error code, and error message from the nested JSON in the `Properties` column, then keeps only the entries whose error message contains the word "TAXII". Finally, it projects the time generated, resource group, caller, error code, and error message for the identified errors.
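The nested parsing described above can be tried without waiting for a real connector failure. The following is an added example, not part of the original query page: it runs the same filters over constructed rows in a `datatable`, with the parse chain split into named steps. The row values, and the assumption that `statusMessage` is a JSON string embedded in `Properties` (inferred from the query's parse chain), are illustrative.

```kql
// Constructed sample rows (not real log data), limited to the columns the query reads.
// Assumption: Properties is a JSON string whose statusMessage field is itself JSON-encoded.
let SampleActivity = datatable(TimeGenerated:datetime, Level:string, OperationNameValue:string,
                               ResourceGroup:string, Caller:string, Properties:string)
[
    // Row 1: TAXII connector write failure, expected to be returned
    datetime(2024-02-03 09:15:00), "Error", "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE",
    "RG-SENTINEL-DEMO", "analyst@example.com",
    @'{"resourceGroup":"rg-sentinel-demo","statusMessage":"{\"error\":{\"code\":\"BadRequest\",\"message\":\"Constructed TAXII connector failure text\"}}"}',
    // Row 2: failure of a different data connector, dropped by the TAXII filter
    datetime(2024-02-03 09:20:00), "Error", "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE",
    "RG-SENTINEL-DEMO", "analyst@example.com",
    @'{"resourceGroup":"rg-sentinel-demo","statusMessage":"{\"error\":{\"code\":\"BadRequest\",\"message\":\"Constructed failure text for another connector\"}}"}',
    // Row 3: non-error entry for the same operation, dropped by the Level filter
    datetime(2024-02-03 09:25:00), "Informational", "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE",
    "RG-SENTINEL-DEMO", "analyst@example.com",
    @'{"resourceGroup":"rg-sentinel-demo"}'
];
SampleActivity
| where Level == "Error"
| where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE"
// Level 1: Properties (string) -> object; statusMessage is still a string at this point
| extend statusMessage = parse_json(tostring(parse_json(Properties).statusMessage))
// Level 2: statusMessage.error -> object holding code and message
| extend error = parse_json(tostring(statusMessage.error))
| extend code = tostring(error.code), message = tostring(error.message)
| where message contains "TAXII"
| project TimeGenerated, ResourceGroup, Caller, code, message
```

Replacing `SampleActivity` with `AzureActivity` in the final statement runs the same stepwise parse against real activity logs.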

### Details

Alex Verboon

Released: February 3, 2024

Tables

AzureActivity

Keywords

AzureActivity,Level,OperationNameValue,MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE,Properties,resourceGroup_,code,message,TimeGenerated,ResourceGroup,Caller

Operators

where, extend, tostring, parse_json, contains, project