EPM data connector for Microsoft Sentinel

The BeyondTrust Privilege Management (PM) Cloud data connector for Microsoft Sentinel enables organizations to ingest security event data from BeyondTrust PM Cloud into Azure Sentinel for centralized monitoring, threat detection, and compliance reporting. This serverless connector automatically collects Activity Audit logs and Client Event logs from the BeyondTrust PM Cloud API and ingests them into custom Log Analytics tables for analysis and alerting.

The solution is available on the Azure Marketplace and in the Microsoft Sentinel Content Hub, making deployment streamlined and automated.

Key Features

• Automated Data Collection: Timer-triggered Azure Functions automatically poll BeyondTrust PM Cloud API at configurable intervals
• Dual Data Streams: Collects both Activity Audit logs (administrative actions) and Client Event logs (endpoint security events)
• Stateful Processing: Maintains checkpoint state to prevent duplicate ingestion and enable incremental data collection
• Flexible Hosting Options: Support for Consumption (Y1), Flex Consumption (FC1), and Elastic Premium (EP1-3) hosting plans
• Configurable Polling Intervals: Customize collection frequency for each data type (default: 15 min for audits, 5 min for events)
• Azure Monitor Integration: Built-in Application Insights logging for comprehensive monitoring and diagnostics
• Custom Log Analytics Tables: Data ingested into dedicated custom tables (BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL)
• Sentinel-Ready: Immediately available for analytics rules, workbooks, hunting queries, and incident investigation

Architecture

The connector is implemented as an Azure Function App (.NET 8.0 isolated worker) that:

1. Polls BeyondTrust PM Cloud API at scheduled intervals using timer triggers

   • Activity Audits Function: Runs every 15 minutes (configurable)
   • Client Events Function: Runs every 5 minutes (configurable)

2. Maintains state in Azure Table Storage to track the last processed timestamp for each data type

   • Enables incremental ingestion (only fetches new events since last run)
   • Prevents duplicate data ingestion
   • Survives function restarts and redeployments

3. Transforms and ingests data into Log Analytics custom tables

   • Maps BeyondTrust event schemas to Log Analytics table schemas
   • Sends data via HTTP Data Collector API
   • Handles batching and retries automatically

4. Logs telemetry to Application Insights for monitoring and troubleshooting

   • Function execution status
   • API response codes
   • Record counts processed
   • Error details and stack traces

Infrastructure Components:

• Azure Function App: Hosts the data collection logic
• App Service Plan: Compute resources (Consumption, Flex Consumption, or Elastic Premium)
• Storage Account: Stores function runtime files, deployment packages, and state table
• Application Insights: Collects telemetry, logs, and performance metrics
• Log Analytics Workspace: Destination for ingested BeyondTrust data (also powers Sentinel)

Prerequisites

Before deploying the connector, ensure you have:

Azure Requirements

• Azure Subscription with permissions to create resources
• Microsoft Sentinel enabled on a Log Analytics workspace (enable Sentinel)
• Resource Group where connector resources will be deployed
• Contributor role on the subscription or resource group (for resource creation)
• Log Analytics Contributor role on the workspace (for table creation)

BeyondTrust PM Cloud Requirements

• BeyondTrust PM Cloud subscription and tenant
• API Credentials (Client ID and Client Secret) with the following permissions:
  • Activity Audit logs: Read access
  • Client Event logs: Read access
• API Base URL for your BeyondTrust tenant (e.g., https://yourcompany.beyondtrustcloud.com)

Log Analytics Workspace Information

You'll need:

• Workspace ID (GUID format, found in workspace properties)
• Workspace Primary Key (Base64-encoded shared key for data ingestion)

To retrieve these values:

1. Navigate to your Log Analytics workspace in Azure Portal
2. Go to Settings → Agents
3. Copy the Workspace ID and Primary key

Or use the provided PowerShell utility:

.\utils\Get-WorkspaceInfo.ps1 -ResourceGroup "YourResourceGroup"

Installation Steps

The BeyondTrust PM Cloud solution is available through two streamlined deployment options:

Step 1: Install the Solution

Choose one of the following installation methods:

Option A: Install from Azure Marketplace (Recommended)

1. Navigate to the BeyondTrust PM Cloud solution on Azure Marketplace
2. Click "Get It Now"
3. Sign in with your Azure credentials
4. Select your Azure subscription
5. Click "Subscribe" to add the solution to your Sentinel workspace
6. The solution metadata (workbooks, analytics rules, hunting queries) will be deployed automatically

Option B: Install from Microsoft Sentinel Content Hub

1. Navigate to your Microsoft Sentinel workspace in the Azure Portal
2. Go to Content Hub in the left navigation menu
3. Search for "BeyondTrust PM Cloud"
4. Select the BeyondTrust Privilege Management Cloud solution
5. Click "Install"
6. The solution metadata will be deployed to your workspace

Installation Time: 2-3 minutes

Step 2: Deploy the Data Connector

After the solution is installed, deploy the Azure Function App data connector:

1. In your Microsoft Sentinel workspace, navigate to Configuration → Data connectors
2. Search for and select "BeyondTrust Privilege Management Cloud"
3. Click "Open connector page"
4. In the connector page, locate the Configuration section
5. Click the "Deploy to Azure" button
6. You will be redirected to a custom ARM template deployment with the function app resources
7. Fill in the required deployment parameters (see Configuration section below):
   • Workspace ID - Your Log Analytics workspace ID
   • Workspace Key - Your Log Analytics primary key
   • BeyondTrust API Base URL - Your BeyondTrust tenant URL
   • BeyondTrust Client ID - API client ID
   • BeyondTrust Client Secret - API client secret
   • Hosting Plan SKU - Choose Y1 (Consumption), FC1 (Flex), or EP1-EP3 (Premium)
   • Additional optional parameters for polling intervals and lookback periods
8. Click "Review + create" then "Create"
9. Wait for deployment to complete (3-5 minutes)

The function app code is automatically deployed from a pre-packaged zip file - no manual build or deployment steps are required.

Deployment Time: Approximately 3-5 minutes

Configuration

ARM Template Parameters

Hosting Plan Selection

Choose the plan that best fits your requirements:

Consumption Plan (Y1) - Recommended for Most Users

Best for: Cost-effective production deployments with moderate data volumes

• Cost: Pay-per-execution (~$5-15/month typical)
• Scaling: Automatic (0 to 200 instances)
• Cold Start: 10-30 seconds when idle
• Maturity: Generally Available (GA)
• Platform: Windows-based

--parameters HostingPlanSku="Y1"

Flex Consumption (FC1) - Preview

Best for: Testing new features or requiring faster scaling

• Cost: Similar to Consumption (~$5-20/month typical)
• Scaling: More granular (0 to 1000+ instances)
• Cold Start: 5-15 seconds
• Maturity: Preview (not recommended for production)
• Platform: Linux-based

--parameters HostingPlanSku="FC1"

Note: Flex Consumption is in preview and may have limited tool support.

Elastic Premium (EP1/EP2/EP3) - High Performance

Best for: High-volume environments, VNet integration, or zero cold-start requirements

• Cost: Always-on pricing ($150-600/month)
• Scaling: Pre-warmed instances
• Cold Start: None (always warm)
• Maturity: Generally Available (GA)
• Platform: Windows-based
• Features: VNet integration, longer timeouts, more memory

--parameters HostingPlanSku="EP1"  # 1 vCPU, 3.5GB RAM
--parameters HostingPlanSku="EP2"  # 2 vCPU, 7GB RAM
--parameters HostingPlanSku="EP3"  # 4 vCPU, 14GB RAM

Cron Schedule Examples

The connector uses NCRONTAB format for timer triggers: {second} {minute} {hour} {day} {month} {day-of-week}

Important: After changing cron expressions, restart the Function App for changes to take effect.

Post-Installation Verification

Step 1: Verify Function App is Running

Azure Portal:

1. Navigate to your Resource Group
2. Click on the Function App (name starts with beyondtrust-pmcloud-)
3. Check Status = "Running" in the Overview page

Azure CLI:

az functionapp show `
  --name "<your-function-app-name>" `
  --resource-group "<your-resource-group>" `
  --query "{Name:name, State:state, Status:availabilityState}" `
  -o table

Step 2: Verify Functions Are Executing

Azure Portal:

1. Go to Function App → Functions
2. You should see:
   • ActivityAuditsFunction
   • ClientEventsFunction
3. Click each function → Monitor tab
4. Look for recent successful executions (green checkmarks)

Or use the health check utility:

.\utils\Check-ConnectorHealth.ps1 -ResourceGroup "<your-resource-group>"

Step 3: Verify Data Ingestion

Wait Time: Allow 5-15 minutes after first deployment for custom tables to be created.

Check for tables:

.\utils\Check-LogAnalyticsTables.ps1 -ResourceGroupName "<your-resource-group>"

Query Log Analytics directly:

Navigate to Log Analytics workspace → Logs → Run:

// Check Activity Audits
BeyondTrustPM_ActivityAudits_CL
| where TimeGenerated > ago(1h)
| summarize count()

// Check Client Events
BeyondTrustPM_ClientEvents_CL
| where TimeGenerated > ago(1h)
| summarize count()

// Latest data from both tables
union BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL
| summarize LatestRecord = max(TimeGenerated), RecordCount = count() by Type

Expected Results:

• Tables exist and return data
• TimeGenerated values are recent
• Record counts increase over time

Data Collection Workflow

Initial Collection (First Run)

1. Function App starts based on timer trigger schedule
2. Checks state table for last processed timestamp
   • If no state exists: Uses lookback period (default 24 hours)
   • If state exists: Uses last processed timestamp
3. Queries BeyondTrust API for new events within the time window
4. Transforms data to Log Analytics schema
5. Sends batch to Log Analytics via HTTP Data Collector API
6. Updates state table with latest processed timestamp and record count
7. Logs telemetry to Application Insights

Subsequent Collections (Incremental)

1. Function triggered by timer (e.g., every 15 minutes for audits)
2. Retrieves last processed timestamp from state table
3. Queries API for events since last timestamp
4. Processes new events (if any)
5. Updates state with new timestamp
6. Waits for next timer trigger

State Management

State is persisted in Azure Table Storage (BeyondTrustPMCloudState table):

State Behavior:

• Survives function app restarts
• Survives code redeployments
• Does NOT survive if state table is manually deleted
• Can be reset by running removal script with -PurgeStateAndData flag

Sentinel Integration

Accessing Data in Sentinel

Once data is flowing, it's automatically available in Microsoft Sentinel (if enabled on the Log Analytics workspace).

Important: Microsoft Sentinel and Log Analytics share the same data store. There is NO separate ingestion process. If you can query the tables in Log Analytics, they're already in Sentinel.

Create Analytics Rules

1. Navigate to Microsoft Sentinel → Analytics
2. Click + Create → Scheduled query rule
3. Configure detection logic using your custom tables

Example Rule - Privilege Elevation Detection:

BeyondTrustPM_ActivityAudits_CL
| where TimeGenerated > ago(5m)
| where ActionType_s in ("PrivilegeElevation", "AdminRightsGranted")
| where Result_s == "Success"
| summarize Count=count(), Users=make_set(UserName_s) by ActionType_s, TargetResource_s
| where Count > 5

Create Workbooks

1. Navigate to Microsoft Sentinel → Workbooks
2. Click + Add workbook
3. Add visualizations using your tables

Example Queries:

// Activity by user
BeyondTrustPM_ActivityAudits_CL
| where TimeGenerated > ago(24h)
| summarize Count=count() by UserName_s
| render barchart

// Events over time
BeyondTrustPM_ClientEvents_CL
| where TimeGenerated > ago(7d)
| summarize Count=count() by bin(TimeGenerated, 1h)
| render timechart

Hunting Queries

Navigate to Sentinel → Hunting → Create custom queries:

// Suspicious file executions
BeyondTrustPM_ClientEvents_CL
| where TimeGenerated > ago(24h)
| where EventType_s == "FileExecution"
| where FileName_s has_any ("powershell.exe", "cmd.exe", "wscript.exe")
| summarize Count=count() by HostName_s, UserName_s, FileName_s, FilePath_s

Operations & Maintenance

Adjusting Polling Intervals

To change data collection frequency:

1. Navigate to Function App in Azure Portal
2. Go to Configuration → Application settings
3. Update the cron expression settings:
   • For Consumption/Premium (Y1/EP): BeyondTrust:ActivityAuditsCron and BeyondTrust:ClientEventsCron
   • For Flex Consumption (FC1): BeyondTrust__ActivityAuditsCron and BeyondTrust__ClientEventsCron
4. Click Save
5. Restart the Function App for changes to take effect

Or via Azure CLI:

# For Y1/EP plans
az functionapp config appsettings set `
  --name "<function-app-name>" `
  --resource-group "<resource-group>" `
  --settings "BeyondTrust:ActivityAuditsCron=0 */30 * * * *"

# For FC1 plan
az functionapp config appsettings set `
  --name "<function-app-name>" `
  --resource-group "<resource-group>" `
  --settings "BeyondTrust__ActivityAuditsCron=0 */30 * * * *"

Pausing Data Collection

To temporarily stop data collection:

Option 1: Stop Entire Function App

az functionapp stop --name "<function-app-name>" --resource-group "<resource-group>"

• Stops all functions
• No cost for compute (Consumption plan)
• Storage costs still apply

Option 2: Disable Specific Functions

1. Go to Function App → Functions
2. Click on the function to disable
3. Click Disable

Option 3: Reduce Frequency

• Change cron expressions to run less often (e.g., every 6 hours)

Monitoring Health

Use the health check utility:

.\utils\Check-ConnectorHealth.ps1 -ResourceGroup "<your-resource-group>"

What it checks:

• Function App status and configuration
• Recent function executions
• Data ingestion to Log Analytics
• Application Insights availability
• Storage account health
• Timer trigger configuration

Expected Results:

• All checks show green ✓
• Functions executing on schedule
• Data ingesting successfully
• No recent errors

Viewing Logs

Application Insights - Function Execution:

1. Go to Function App → Application Insights
2. Click Logs
3. Query function executions:

traces
| where timestamp > ago(1h)
| where message contains "ActivityAudits" or message contains "ClientEvents"
| project timestamp, message, severityLevel
| order by timestamp desc

Application Insights - Successful Data Sends:

traces
| where timestamp > ago(1h)
| where message contains "Successfully sent"
| project timestamp, message
| order by timestamp desc

Application Insights - Errors:

traces
| where timestamp > ago(24h)
| where severityLevel >= 3  // Error or Critical
| project timestamp, message, customDimensions
| order by timestamp desc

Troubleshooting

Common Issues

Issue: Functions Not Executing

Symptoms:

• No recent executions in Monitor tab
• Function App shows "Running" but functions aren't triggering

Resolution:

1. Verify timer triggers are enabled:

   • Go to Function App → Functions → Click each function
   • Ensure status is "Enabled"

2. Check timer trigger configuration:

   • Verify cron expressions are valid
   • Restart Function App after any configuration changes

3. Review Application Insights for errors:

   kusto

   traces
   | where timestamp > ago(1h)
   | where severityLevel >= 3
   | project timestamp, message

Issue: No Data in Log Analytics

Symptoms:

• Functions executing successfully
• Tables don't exist or contain no data

Resolution:

1. Wait for table creation (first run): 5-15 minutes for custom tables to materialize

2. Verify Log Analytics credentials:

   • Check WorkspaceId and WorkspaceKey in Function App settings
   • Ensure workspace ID is correct GUID format
   • Verify workspace key is not expired

3. Check for API errors:

   kusto

   traces
   | where timestamp > ago(1h)
   | where message contains "HTTP" or message contains "API"
   | project timestamp, message

4. Verify BeyondTrust API credentials:

   • Test credentials work outside the connector
   • Check client ID and secret are correct
   • Verify API account has read permissions for audits and events

5. Check state table:

   • Navigate to Storage Account → Storage browser → Tables
   • Look for BeyondTrustPMCloudState table
   • Verify it contains rows for ActivityAudits and ClientEvents

Issue: Old Data Only, No New Ingestion

Symptoms:

• Tables exist with data
• TimeGenerated values are old (>1 hour)
• Functions show successful executions

Resolution:

1. Check if state is stuck:

   • Review state table timestamp values
   • If timestamp is in the past and not updating, state may be corrupted

2. Reset state to re-ingest:

   PowerShell

   .\utils\Remove-BeyondTrustConnector.ps1 -ResourceGroup "<your-rg>" -PurgeStateAndData

   Then redeploy to start fresh.

3. Verify BeyondTrust API has new data:

   • Confirm events are being generated in BeyondTrust
   • Check API directly for recent events

4. Review function logs for skipped records:

   kusto

   traces
   | where timestamp > ago(1h)
   | where message contains "No new records" or message contains "skipped"
   | project timestamp, message

Issue: Duplicate Data

Symptoms:

• Same events appearing multiple times in Log Analytics
• Record counts don't match expected values

Resolution:

1. Check for state table issues:

   • State table may have been deleted causing re-ingestion
   • Multiple function instances may be writing conflicting state

2. Verify state table structure:

   • Only one row per PartitionKey/RowKey combination should exist
   • Delete duplicates if present

3. Restart Function App to clear in-memory state:

   PowerShell

   az functionapp restart --name "<function-app-name>" --resource-group "<resource-group>"

Issue: High Costs / Unexpected Billing

Symptoms:

• Azure bill higher than expected
• Log Analytics ingestion costs increasing

Causes:

• High event volume from BeyondTrust
• Too frequent polling intervals
• Elastic Premium plan always running

Resolution:

1. Review ingestion volume:

   kusto

   union BeyondTrustPM_*
   | where TimeGenerated > ago(30d)
   | summarize GB = sum(_BilledSize) / 1024 / 1024 / 1024 by bin(TimeGenerated, 1d)
   | render timechart

2. Reduce polling frequency:

   • Change cron expressions to run less often
   • Example: Change from 5 min to 15 min intervals

3. Consider switching hosting plans:

   • If on Elastic Premium, consider Consumption plan
   • Consumption charges only for execution time

4. Implement data filtering (requires code modification):

   • Filter out low-value events before ingestion
   • Reduce lookback period if ingesting historical data

Diagnostic Queries

Check function execution success rate:

requests
| where timestamp > ago(24h)
| where name contains "ActivityAudits" or name contains "ClientEvents"
| summarize 
    TotalExecutions = count(),
    Successful = countif(success == true),
    Failed = countif(success == false),
    SuccessRate = round(100.0 * countif(success == true) / count(), 2)
    by name

Find recent errors:

traces
| where timestamp > ago(24h)
| where severityLevel >= 3
| project timestamp, message, severityLevel, customDimensions
| order by timestamp desc
| take 50

Check data ingestion rate:

union BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL
| where TimeGenerated > ago(7d)
| summarize Count = count() by bin(TimeGenerated, 1h), Type
| render timechart

Verify latest data:

union BeyondTrustPM_ActivityAudits_CL, BeyondTrustPM_ClientEvents_CL
| summarize 
    LatestRecord = max(TimeGenerated),
    RecordCount = count(),
    OldestRecord = min(TimeGenerated)
    by Type

Check for data gaps (missed collections):

BeyondTrustPM_ActivityAudits_CL
| where TimeGenerated > ago(24h)
| summarize RecordCount = count() by bin(TimeGenerated, 15m)
| order by TimeGenerated asc
| where RecordCount == 0

Getting Help

Check function logs:

1. Azure Portal → Function App → Application Insights → Logs
2. Run diagnostic queries (see above)

Review state table:

1. Azure Portal → Storage Account → Storage browser → Tables → BeyondTrustPMCloudState
2. Check LastProcessedTimestamp values

Run health check:

.\utils\Check-ConnectorHealth.ps1 -ResourceGroup "<your-resource-group>"

Verify tables exist:

.\utils\Check-LogAnalyticsTables.ps1 -ResourceGroupName "<your-resource-group>"

Security Considerations

Credential Management

• Store secrets securely: ARM template parameters containing secrets should be stored in Azure Key Vault or secure parameter files
• Rotate credentials regularly: Change BeyondTrust API credentials and Log Analytics keys periodically (recommended: every 90 days)
• Use managed identities: Where possible, configure managed identity for Function App to access Azure resources
• Limit API permissions: BeyondTrust API account should have read-only access to audit and event logs only

Network Security

• Enable HTTPS only: Function App should enforce HTTPS (enabled by default)
• Consider VNet integration: For Elastic Premium plans, integrate with Azure VNet for network isolation
• IP restrictions: Configure Function App to accept traffic only from specific IP ranges if required
• Private endpoints: Use private endpoints for Storage Account and Log Analytics in highly secure environments

Monitoring & Auditing

• Enable diagnostic settings: Send Function App diagnostic logs to Log Analytics for audit trail
• Monitor authentication failures: Alert on repeated API authentication failures
• Track configuration changes: Enable Azure Activity Log alerts for Function App configuration changes
• Review access logs: Regularly review who has accessed Function App and related resources

Data Protection

• Encryption at rest: All Azure resources (Storage, Log Analytics) use Microsoft-managed encryption by default
• Encryption in transit: All API calls use TLS 1.2 or higher
• Data retention: Configure Log Analytics retention policy based on compliance requirements
• PII handling: Review ingested data for PII and implement appropriate retention/deletion policies

Compliance

• Log retention: Ensure Log Analytics retention meets regulatory requirements (default: 30 days)
• Audit trail: Function execution logs in Application Insights provide audit trail for data collection
• Access control: Use Azure RBAC to restrict who can view/modify connector configuration
• Backup: State table data is automatically replicated in Azure Storage (LRS/GRS based on configuration)

For more security best practices, see: Azure Functions security

Best Practices

Deployment

• Use Azure Marketplace or Content Hub: Leverage the official deployment paths for automatic updates and support
• Test in non-production first: Deploy to a test environment before production
• Document configuration: Keep a record of parameter values used for deployment
• Validate credentials: Test BeyondTrust API credentials before deployment
• Start with Consumption plan: Begin with Y1 (Consumption) plan and upgrade only if needed

Operations

• Monitor regularly: Schedule weekly health checks to ensure continuous operation
• Review costs monthly: Track Log Analytics ingestion volume and Function App execution costs
• Adjust polling intervals: Balance data freshness needs with cost considerations
• Plan for table creation delays: Allow 5-15 minutes for new custom tables to appear
• Implement alerting: Create Sentinel analytics rules to detect connector failures

Maintenance

• Keep credentials current: Rotate secrets before expiration
• Update function code: Apply updates when available for bug fixes and improvements
• Review logs regularly: Check Application Insights for warnings or performance issues
• Clean up test deployments: Remove unused test instances to avoid unnecessary costs
• Document changes: Maintain a log of configuration changes and their reasons

Performance Optimization

• Right-size polling intervals:
  • Activity Audits: 15-30 minutes sufficient for most scenarios
  • Client Events: 5-15 minutes based on event volume
• Choose appropriate hosting plan:
  • Consumption (Y1) for most deployments
  • Elastic Premium only if cold starts are problematic
• Monitor execution duration: If functions frequently time out, increase memory allocation (Premium plans)
• Batch API requests: Default implementation handles batching efficiently; avoid reducing batch sizes

Data Management

• Configure appropriate retention: Set Log Analytics retention based on compliance and cost requirements
• Archive historical data: Export old data to Azure Storage for long-term retention at lower cost
• Implement data lifecycle policies: Automatically delete or archive data older than required retention period
• Monitor ingestion costs: Set budget alerts for Log Analytics workspace to detect unexpected increases

Troubleshooting

• Preserve diagnostic data: Don't delete Application Insights when troubleshooting
• Use provided utilities: Run health check and table check scripts regularly
• Check sequentially: Start with Function App status, then execution logs, then data ingestion
• Restart strategically: Restarting Function App clears in-memory state but preserves persistent state
• Document issues: Keep notes on problems encountered and resolutions for future reference

Support

BeyondTrust Support

For issues related to:

• BeyondTrust PM Cloud API access
• API credentials or permissions
• BeyondTrust product functionality

Contact:

• Email: [email protected]
• Website: https://www.beyondtrust.com/
• Support Portal: Log in to your BeyondTrust account for ticket submission

Microsoft Support

For issues related to:

• Azure Function App or hosting plans
• Log Analytics workspace
• Microsoft Sentinel configuration
• Azure platform issues

Resources:

• Azure Support: https://azure.microsoft.com/support/
• Azure Functions Documentation: https://docs.microsoft.com/azure/azure-functions/
• Microsoft Sentinel Documentation: https://docs.microsoft.com/azure/sentinel/

Community Resources

• Azure Functions GitHub: https://github.com/Azure/Azure-Functions
• Microsoft Sentinel GitHub: https://github.com/Azure/Azure-Sentinel
• Azure Community Support: https://learn.microsoft.com/answers/tags/133/azure

Connector-Specific Support

For connector-specific issues:

1. Review this guide and related documentation in the docs/ folder
2. Check Application Insights logs for error messages
3. Run diagnostic utilities:
   • Check-ConnectorHealth.ps1
   • Check-LogAnalyticsTables.ps1
4. Review output for common issues

Additional Resources

• Azure Functions Documentation
• Microsoft Sentinel Documentation
• Log Analytics Query Language (KQL)
• Azure ARM Templates
• Azure Storage Tables