
Q2 2024 updates #11049

Merged
merged 26 commits into from
Oct 29, 2024


nlepagnez
Contributor

Required items, please complete

Change(s):

  • Deprecate Microsoft Exchange Logs and Events and create multiple Data Connectors dedicated to AMA
  • Correct bug on lastReceivedData for Exchange On-Premise and Online Collector Data connector
  • Add a comparison system in Workbooks

Reason for Change(s):

  • Solution evolution

@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Aug 30, 2024
@nlepagnez nlepagnez marked this pull request as ready for review August 30, 2024 10:36
@nlepagnez nlepagnez requested review from a team as code owners August 30, 2024 10:36
@itsjusthaif

Hi
Currently in the process of deploying this solution and I am stuck at the same issue due to which this pull was raised. When can I expect the solution to be updated?

@nlepagnez
Contributor Author

Hi @v-prasadboke, @v-atulyadav, do we have any news on the analysis of this PR?

@nlepagnez
Contributor Author

> Hi Currently in the process of deploying this solution and I am stuck at the same issue due to which this pull was raised. When can I expect the solution to be updated?

Hi itsjusthaif, we are waiting for review from MS Sentinel team. We will update you as soon as possible.

@itsjusthaif

Hi @nlepagnez, any update on this, please? Still waiting to go ahead or will have to manually map out what changes were made and reflect that to our environment.

@nlepagnez
Contributor Author

Hi @itsjusthaif, no news from the Microsoft Sentinel team. As you can see, I haven't received any answer to my last comment.
@v-prasadboke, @v-atulyadav, we are waiting on you. As a reminder, this PR has now been open for more than 1 month.

@v-prasadboke
Contributor

v-prasadboke commented Oct 8, 2024

Hello @nlepagnez & @itsjusthaif, Apologies for the inconvenience but I was on leave from 2nd of October till 6th of October IST

But I still see some validation failure for Provided permissions does not match with Azure Function Connector Template from last commit.
Guidelines are provided in the failure checks to resolve permissions failure, Template path is provided in the failure description.

@nlepagnez
Contributor Author

> Hello @nlepagnez & @itsjusthaif, Apologies for the inconvenience but I was on leave from 2nd of October till 6th of October IST
>
> But I still see some validation failure for Provided permissions does not match with Azure Function Connector Template from last commit. Guidelines are provided in the failure checks to resolve permissions failure, Template path is provided in the failure description.

Hi @v-prasadboke, as you can see in my previous comment, this connector is not an Azure Function Connector, but an Azure Monitor Connector ingesting data in a custom table. I will not add a permission "Website permission" to my connector just to satisfy a test, a permission that will confuse users.

The test script detects my connector as an Azure Function connector because it's a custom table (not an event table) and it found the words "Azure Deploy" inside the instructions. Does it mean that we cannot use Azure Deploy to deploy the DCRs needed by the "New" AMA?!

So again, I ask you to correct the test to be compatible with AMA collecting custom data, rather than adapting a Data connector because the test does not work.

@itsjusthaif

Hi @v-prasadboke please see the comment above and help progress this. We have customers waiting on this solution and this is now delayed by a good margin.

v-prasadboke previously approved these changes Oct 10, 2024
v-prasadboke previously approved these changes Oct 11, 2024
v-dvedak previously approved these changes Oct 11, 2024
@v-prasadboke v-prasadboke dismissed stale reviews from v-dvedak and themself via bd39087 October 11, 2024 05:26
@itsjusthaif

Any update on this one please?

@v-prasadboke
Contributor

v-prasadboke commented Oct 14, 2024

Hello @nlepagnez & @itsjusthaif, we skip-validated the template but are still not able to get this PR merged.

We are working on this.

@itsjusthaif

Hi, Is this still being looked into? I was hoping this would have been merged by now.

@v-prasadboke
Contributor

Hello @itsjusthaif, We are discussing this internally and Nicolas is part of this discussion

@v-prasadboke v-prasadboke merged commit 0732bbf into Azure:master Oct 29, 2024
32 checks passed
@nlepagnez nlepagnez deleted the Q2-2024 branch October 29, 2024 09:33
@AndreasWiedner

AndreasWiedner commented Nov 6, 2024

There is an issue in the ARM-template for option 2.B in Microsoft Exchange Message Tracking Logs in line 43:
"dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",

Should be:
"dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",

Using the template as is results in the following error:
{"code":"DeploymentFailed","target":"/subscriptions/b7f61e46-7840-4334-bfbd-e32f5ad05186/resourceGroups/rg-GWC-Sentinel-Test/providers/Microsoft.Resources/deployments/Microsoft.Template-20241106133128","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"InvalidEndpoint","message":"The specified data collection endpoint '/subscriptions/b7f61e46-7840-4334-bfbd-e32f5ad05186/resourceGroups/rg-GWC-Sentinel-Test/providers/Microsoft.operationalinsights/dataCollectionEndpoints/ESI-ExchangeServers' must have a valid resource type Microsoft.Insights/dataCollectionEndpoints)"}]}

Editing the template works.
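A pre-deployment check for the provider-namespace mistake reported in the comment above, as an added example that is not part of the original comment or of the project's own tooling. It walks a parsed ARM template and flags every `dataCollectionEndpointId` whose provider segment is not `Microsoft.Insights`; the function names and the sample rule names are made up for this example, and the case-insensitive namespace comparison is an assumption.

```python
import json
import re

# Provider segment of a DCE resource ID, e.g. '/providers/<namespace>/dataCollectionEndpoints/'.
# Only literal segments are seen; a namespace built from a parameter is not resolved.
DCE_PROVIDER = re.compile(r"/providers/([^/']+)/dataCollectionEndpoints/", re.IGNORECASE)
EXPECTED_NAMESPACE = "Microsoft.Insights"  # named in the InvalidEndpoint error above


def find_bad_dce_ids(node, path="$"):
    """Return (json_path, namespace) for each dataCollectionEndpointId whose
    provider namespace is not Microsoft.Insights."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "dataCollectionEndpointId" and isinstance(value, str):
                for match in DCE_PROVIDER.finditer(value):
                    # Assumption: namespaces are compared case-insensitively.
                    if match.group(1).lower() != EXPECTED_NAMESPACE.lower():
                        findings.append((child, match.group(1)))
            else:
                findings.extend(find_bad_dce_ids(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_bad_dce_ids(item, f"{path}[{index}]"))
    return findings


def _dce_id(namespace):
    # Same concat() expression as in the comment above, with the namespace swapped in.
    return ("[concat('/subscriptions/',subscription().subscriptionId,"
            "'/resourceGroups/',resourceGroup().name,'/providers/" + namespace +
            "/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]")


# Constructed template fragment: the rule names are made up for this example.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Insights/dataCollectionRules", "name": "dcr-broken",
     "properties": {"dataCollectionEndpointId": _dce_id("Microsoft.operationalinsights")}},
    {"type": "Microsoft.Insights/dataCollectionRules", "name": "dcr-fixed",
     "properties": {"dataCollectionEndpointId": _dce_id("Microsoft.Insights")}},
]})

if __name__ == "__main__":
    for json_path, namespace in find_bad_dce_ids(json.loads(SAMPLE_TEMPLATE)):
        print(f"{json_path}: provider '{namespace}' should be '{EXPECTED_NAMESPACE}'")
```

Running such a check in CI before publishing a connector template catches the failure before a deployment leaves the data collection rule, and therefore log ingestion, missing.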

@nlepagnez
Contributor Author

Hello @AndreasWiedner, thank you for this issue and the resolution path. I will see that asap.

@nlepagnez
Contributor Author

@AndreasWiedner, thank you. For your information, the DCR ARM Templates would be corrected following your help: #11381

Labels: Connector, Parser, Solution