The Sentinel Change I Have Been Waiting For
A new update changes where data connectors and solutions are located
Last month, a new update was pushed to all Sentinel instances that changed how Sentinel data connectors are configured and installed. Previously, some data connectors came pre-installed in Sentinel, and an engineer just needed to enable the relevant data connector(s). The new change moves all data connectors over to the Content Hub, where an engineer needs to install either the data connector specifically or the “Solution”, which installs the data connector, Analytical Rules, Workbooks, Playbooks, etc. all together into your Sentinel workspace.
Prior to this change, there was a split between the data connectors that were pre-installed and those located in the Content Hub. This made it very confusing to find out whether Microsoft has a data connector for a product whose logs you would like to bring into Sentinel.
This cleans up the view of the data connectors, which, for someone who likes consistency, has been a great change.
However, if you had a Sentinel instance already installed and in use, there may have been some confusion around the data connectors view once the change hit production environments. Users would have seen a data connector view where they couldn’t see any data connectors enabled. Microsoft did highlight, in a banner at the top of the data connectors page, a tool that can be used to re-install all data connectors that were being used back into the data connector view. This didn’t stop customers’ data from being ingested; it was only a cosmetic change that may have caused some confusion.
Although this is an amazing change to clean up the configuration page of log sources in Sentinel, I think some customers who had previously been using Sentinel could have had a shock when the configurations suddenly disappeared.
Let me know your thoughts!