What to do if your Sentinel Data Connector shows as [DEPRECATED]

Several Sentinel users have raised concerns that several data connectors they were using are suddenly showing as deprecated in the user interface.

The first thing to know is that the data flow is uninterrupted. It’s still happily passing through to the CommonSecurityLog or Syslog tables. Analysis rules still apply to the data. Workbooks and playbooks should always work the same way.

This change was intended to provide real benefits. We recently deprecated the log analysis agent, also known as MMA or OMS agent, and replaced it with the new Azure Monitor agent (AMA). There are many benefits to switching to an AMA agent, including faster performance and multihoming support. Learn more It’s here.

However, for our purposes, the advantage is that we can use a single connector (the Common Event Format for AMA) for everything we want to log to the CommonSecurityLog, rather than requiring many different connectors based on a specific solution. There is another one called Syslog for AMA that does the same thing for Syslog. You can find documentation on how to install CEF and Syslog data connectors. here.

I have one more question for you. If you’ve already switched to Common Event Format data connectors and want to clean up by deleting deprecated connectors, you can’t do that. An error occurs. We are working on resolving the issue.