What to do if your Sentinel Data Connector is showing as [DEPRECATED]
I’ve had several Sentinel users raise the alarm that some of the data connectors they were using suddenly show as deprecated in the user interface.
When you click into the data connector itself, it doesn’t indicate any reason why it’s been deprecated or what you should do about it. But that’s what we’re here to talk about.
The first thing you need to know is that your data has not stopped flowing. It’s still being happily delivered to the CommonSecurityLog or Syslog tables. The analytic rules are still applying to the data. Workbooks and Playbooks should work exactly the same way they always have.
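To confirm for yourself that events are still arriving, this added example (not from the original post) is a query you can run in the Sentinel Logs blade. It lists when each source and collector last wrote to CommonSecurityLog or Syslog; the 24-hour lookback and 1-hour staleness threshold are assumptions to tune for your environment.

```kql
// Added example: check that CEF and Syslog sources are still ingesting
// after their solution-specific connector shows as [DEPRECATED].
// Assumed values: 24h lookback, 1h staleness threshold.
let lookback = 24h;
let staleAfter = 1h;
union
    (
        CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | summarize LastEvent = max(TimeGenerated), Events = count()
            by Source = strcat(DeviceVendor, " / ", DeviceProduct), Collector = Computer
        | extend Table = "CommonSecurityLog"
    ),
    (
        Syslog
        | where TimeGenerated > ago(lookback)
        | summarize LastEvent = max(TimeGenerated), Events = count()
            by Source = HostName, Collector = Computer
        | extend Table = "Syslog"
    )
// A source that has been silent longer than the threshold is flagged for follow-up.
| extend SilentFor = now() - LastEvent
| extend Status = iff(SilentFor > staleAfter, "STALE", "OK")
| project Table, Source, Collector, Events, LastEvent, SilentFor, Status
// "STALE" sorts after "OK", so descending order lists stale sources first.
| order by Status desc, SilentFor desc
```

A source that sent nothing at all during the lookback window will not appear in the results, so compare the output against the list of devices you expect to see.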
This change was actually meant to be a benefit. We’ve recently deprecated the Log Analytics agent – sometimes referred to as the MMA or OMS agent – and replaced it with the shiny new Azure Monitor Agent (AMA). There are many benefits to moving to AMA, including faster performance and its support for multihoming. Learn more about them here.
But for our purposes, the benefit is that instead of needing lots of different connectors based on specific solutions, you can use a single connector (Common Event Format for AMA) for anything that writes to the CommonSecurityLog table. There is another one, called Syslog for AMA, that does the same for the Syslog table. Documentation on how to install the CEF and Syslog data connectors can be found here.
I do have one more gotcha for you. If you have already shifted to the Common Event Format data connector and want to tidy up by deleting the deprecated connectors, you can’t. You’ll get an error. It’s a bug and a fix is on the way.