Looking for query where we can get the following data from Azure Virtual Desktop under a particular host pool
Looking for query where we can get the following data from Azure Virtual Desktop under a particular host pool. Who has not logged in over the past 30 days For those who have logged in, how many days did they log in What is the amount of time users…
Not receiving windows security event from Azure ARC enabled servers
Successfully connected Windows server through Azure ARC but not receiving any security event logs through data collection rule in Sentinel connector. The AMA extension is showing running successfully.
Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL
Hello, community! I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a…
How to enable Azure Activity Sentinel Data Connector
Hi, I'm trying to enable Azure Activity Sentinel Data Connector. I've manage to install it and when I follow the 'Launch Azure Policy Assignment Wizard' it completes successfully, however the Azure Activity Data Connector never shows 'green/connected'…
Using Logic Apps across multiple tenants
I am planning to onboard another tenant to my setup and considering using Lighthouse. My goal is to manage Microsoft Sentinel and create logic apps in one tenant while using them for automation in a different tenant. Could someone assist me with setting…
Sentinel Smart Deployment cannot push csv file to Azure DevOps
When I deploy content to sentinel using Azure DevOps, the content deploys successfully but when smart deployment enabled, it cannot push csv tracking file to Azure Repo with error [Warning] API call failed:…
Update to Python 3.11 got SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
Hi, After we updated our Sentinel data connector(implemented in Azure Function) to use python3.11 from 3.10, we got SSL Error from urllib3 when making API calls: SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify…
Can we send Defender for Cloud's logs to Sentinel's LAW without "Defender for cloud connector" configured in Sentinel?
Question: While deploying Defender for Cloud, if we select the same LAW (workspace) that Sentinel is using, do we still need to configure Defender for Cloud connector and configure it in Sentinel? In this scenario, do Defender for Cloud and Sentinel's…
logic App to ingest notification of azure monitor alerte to Microsoft sentinel
Hi, In the alert rule configuration for Azure Monitoring, I need to set up an action group (Logic App) that will forward all alert notifications to Microsoft Sentinel. However, I require assistance with designing a Logic App that meets my needs, as I'm…
How to export piechart from MS Defender XDR Advanced Hunting?
Hello everyone, I am trying to export query result as a piechart, but there is no such an option. Do I miss something or is impossible? Thanks! Aleksandar
How to do a recursive function with KQL
I have table in Sentinel for all employees. Each lines has an name, employee ID and a direct supervisor ID. I want to be able to give the supervisor ID, and from there, have a recursive loop that will verify all employee who has that supervisor as a…
Sentinel - Summary rules doesn't send triggered events to destination
I have been exploring summary rules, created a summary rule that has a KQL. Source is one of my custom table that has some logs I want to trigger via summary rules and ingest in a custom analytic table. When I try to simulate the KQL query it shows me…
What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?
I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes: AppDisplayName: Office 365 Management AppId:…
How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?
I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the…
Cannot enable UEBA feature on Sentinel
Hi, I'm having some issues while trying to enable the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". I've seen 2 questions related to this…
'updating the entity providers failed'. microsoft sentinal
I'm having some issues while enabling the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". i am trying this with a global admin account but still…
How to find existing data connectors of Azure logic app workflow
Hello Team, We are facing issue with existing data connector in Microsoft Sentinel Playbook. We are unable to find the existing data connector at our end. Please help. Thank You.
Cant Import Sentinel Alert Rules
Good morning, I am having difficulty importing sentinel rules after I deleted old ones. I deleted the old rules on friday 9/27 9am EST and am getting the error the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…
Sentinel duplicate alerts and incidents
In sentinel We have an alert "User Assigned Privileged Role" and it repeats every hour for a day or two. How do I stop it repeating itself. The rule itself triggers when an administrator changes permissions for another user (or themselves)…
How to Upload Carbon Black Logs and Alerts into Azure Sentinel for Evaluation
I am trying to evaluate how much Azure Sentinel helps my business's security needs. I am particularly interested in seeing how well Azure Sentinel can cluster alerts together. I have taken a small amount of EDR logs and alerts (which are in json format)…