Don’t Panic! Deprecated Data Connectors in Sentinel are Actually an Upgrade

Several Sentinel users have noticed that some data connectors are now marked as deprecated. But before you hit the panic button, let me assure you:

Your data is still flowing freely. It continues to be delivered to the CommonSecurityLog or Syslog tables, just as before.
Everything keeps working. Analytic rules, workbooks, and playbooks will continue to function as usual.

This change is actually a good thing! We’ve recently retired the older Log Analytics agent (MMA/OMS) and replaced it with the powerful Azure Monitor Agent (AMA). AMA offers several advantages, including faster performance and multihoming support. You can learn more about these benefits here.

Here’s the biggest benefit for Sentinel users: instead of juggling multiple connectors for different solutions, you can now use a single connector! The Common Event Format (CEF) for AMA connector handles everything that writes to CommonSecurityLog, while the Syslog for AMA connector does the same for Syslog data. Documentation for installing these connectors is available here.
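Because one connector now carries every source that writes to CommonSecurityLog or Syslog, a per-source freshness check is a quick way to confirm nothing went quiet after the switch. The query below is an added example, not part of the original post; the `lookback` and `silentAfter` values are assumptions to tune for your environment.

```kusto
// Added example: per-source ingestion health for the two tables the AMA connectors feed.
let lookback = 7d;      // assumption: long enough to include your quietest source
let silentAfter = 1h;   // assumption: adjust to each source's normal reporting cadence
let cef =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    // One row per vendor/product per collector machine
    | summarize LastEvent = max(TimeGenerated), Events = count()
        by Source = strcat(DeviceVendor, " / ", DeviceProduct), Collector = Computer
    | extend SourceTable = "CommonSecurityLog";
let sys =
    Syslog
    | where TimeGenerated > ago(lookback)
    // One row per facility per reporting machine
    | summarize LastEvent = max(TimeGenerated), Events = count()
        by Source = Facility, Collector = Computer
    | extend SourceTable = "Syslog";
union cef, sys
| extend SilentFor = now() - LastEvent
| extend Status = iff(SilentFor > silentAfter, "SILENT", "OK")
| project SourceTable, Source, Collector, Events, LastEvent, SilentFor, Status
| order by Status desc, SilentFor desc   // SILENT rows first, longest gap on top
```

A source that reported during the lookback window but shows `SILENT` is the one to investigate before relying on analytic rules that depend on it.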

Now, there’s one small caveat. If you’ve already switched to the CEF connector and want to clean up by deleting the deprecated ones, you’ll encounter an error. Don’t worry, a fix is on the way.

In short, this change simplifies your workflow and leverages the latest data collection technology. No need to panic, your data is safe and secure.