135 questions with Microsoft Sentinel tags

0 answers

API Version Discrepancies for 'Data Connector Definitions' in Sentinel

Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,019 questions
asked 2024-06-14T08:30:15.17+00:00
LXF 120 Reputation points
0 answers

Syslog through AMA (CEF) Connector

Hi, Following up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co I have now installed Arc, and the machine is showing up on Azure Arc. The AMA is installed and is…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,922 questions
Microsoft Sentinel
asked 2024-06-11T10:30:54.9766667+00:00
Bl()e 0 Reputation points
commented 2024-06-14T10:14:19.01+00:00
Graham Bloice 0 Reputation points
0 answers

How do Azure ARM templates process placeholders, please?

Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the code (from the Sentinel Solution folder on GitHub)…

Microsoft Sentinel
asked 2024-06-11T02:47:43.6333333+00:00
LXF 120 Reputation points
commented 2024-06-11T10:06:35.52+00:00
Akshay-MSFT 16,926 Reputation points Microsoft Employee
0 answers

DataConnector connectorUI attributes - sampleQueries

Hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…

Microsoft Sentinel
asked 2024-06-10T08:25:05.6566667+00:00
Sándor Tőkési 181 Reputation points
commented 2024-06-11T14:53:19.3366667+00:00
Sándor Tőkési 181 Reputation points
0 answers

Logo size for Sentinel Content Preparation

Hello, I am preparing the Sentinel content according to the following steps from GitHub. My question is whether there is a requirement about the size of the logo? Thanks.

Microsoft Sentinel
asked 2024-06-03T09:35:57.3066667+00:00
LXF 120 Reputation points
commented 2024-06-03T19:11:38.1266667+00:00
Marilee Turscak-MSFT 35,541 Reputation points Microsoft Employee
0 answers

Syslog Transformation DCR not working

I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…

Azure Monitor
Microsoft Sentinel
asked 2024-05-29T16:03:21.6833333+00:00
Greg Sneed 0 Reputation points
commented 2024-06-14T10:23:33.5133333+00:00
AnuragSingh-MSFT 20,986 Reputation points
0 answers

Sentinel - Sophos Endpoint Protection (using REST API) (Preview) - Fails due to trying to create a table with a hyphen!

When trying to configure and deploy the new Sophos API connector for Sentinel it fails. Looks like it's trying to create a new table called Custom-SophosEPAlerts_CL but tables cannot contain hyphens so needs changing to CustomSophosEPAlerts_CL…

Microsoft Sentinel
asked 2024-05-22T09:34:28.36+00:00
James Grant 0 Reputation points
commented 2024-05-28T12:43:58.3066667+00:00
Andrew Blumhardt 9,676 Reputation points Microsoft Employee
0 answers

Extensions AMA - Impossible to install agent

Hello, I'm trying to deploy an AMA extension but I'm stuck in "creating" with the following error messages from the Guestconfig file on RHEL 9 Linux servers: [2024-05-15 15:52:30.135] [PID 1117] [TID 1629] [Pull Client] [INFO] Successfully…

Microsoft Sentinel
asked 2024-05-15T14:42:38.4966667+00:00
Christophe Rosenkranz 5 Reputation points
edited the question 2024-05-16T19:09:30.2466667+00:00
Christophe Rosenkranz 5 Reputation points
0 answers

Query set to run in my Logic App is timing out and failing

Hello everyone. I am troubleshooting an issue with my Logic App in which, after an incident triggers, the next step is to run the query and list the results, but this part of the Logic App is what is timing out and failing. When reading the timeout…

Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,931 questions
Microsoft Sentinel
asked 2024-03-21T13:17:52.54+00:00
Matthew Agosta 0 Reputation points
edited a comment 2024-04-03T09:27:33.3133333+00:00
Clive Watson 5,951 Reputation points MVP
0 answers

Microsoft Defender for Office 365 (0/5 connected): In Defender XDR connector, Office 365 logs cannot be connected in Sentinel.

Microsoft Sentinel
asked 2024-03-19T15:18:44.7266667+00:00
Mohammad Sayeem Chowdhury 0 Reputation points
commented 2024-03-20T09:10:54.34+00:00
Givary-MSFT 29,341 Reputation points Microsoft Employee
0 answers

Cannot view Sentinel alert for some incidents but the alert can be found in Defender for Endpoint portal using Graph

I have enabled automatic incident creation for Defender for Endpoint in Sentinel but when I try to view some alerts associated with the created incidents, nothing is displayed. Despite this, I can locate the relevant alert in the Security (Defender for…

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,049 questions
Microsoft Sentinel
asked 2024-03-12T07:17:33.5466667+00:00
Spyros Ermogenous 0 Reputation points
commented 2024-03-15T12:24:32.9766667+00:00
Clive Watson 5,951 Reputation points MVP
0 answers

Getting Error while saving Analytics rule as "the provided 'productFilter' was not recognized as a valid product"

Team, I am trying to create an Analytics Rule. I also created an Automation Rule with default options and created one playbook to run an action of that automation rule. But while saving the Analytics Rule, Sentinel throws the below error. Failed to save analytics…

Microsoft Sentinel
asked 2024-03-11T12:43:30.48+00:00
Disha Bodade 65 Reputation points
commented 2024-03-12T10:42:29.35+00:00
Akshay-MSFT 16,926 Reputation points Microsoft Employee
0 answers

Sentinel widgets and private endpoint

Do the widgets and Insights work in the Incidents panel in Sentinel when the Log Analytics Workspace uses private endpoints? "externaldata operator"…

Microsoft Sentinel
asked 2024-02-28T15:28:28.55+00:00
Peter Fischer 1 Reputation point
commented 2024-02-28T18:10:15.7966667+00:00
Clive Watson 5,951 Reputation points MVP
0 answers

Playbook ARM template generator broken

Hey, I have been using the playbook ARM template generator for years and the past week it does not work at all. It tries to log into local host to present the portal but it does not work correctly. I have tried it on 3 machines and several browsers. …

Microsoft Sentinel
asked 2024-02-24T08:56:37.66+00:00
Cloudsec 150 Reputation points
commented 2024-03-06T03:13:17.03+00:00
Andrew Blumhardt 9,676 Reputation points Microsoft Employee
0 answers

Microsoft Sentinel CEF Installer

I have tried installing the CEF installer on a Linux machine - 404 not found error

Microsoft Sentinel
asked 2024-02-20T03:42:37.4466667+00:00
Praveen Ayyasamy 20 Reputation points
commented 2024-02-20T11:54:43.84+00:00
Praveen Ayyasamy 20 Reputation points
0 answers

Azure Sentinel - Update incident (preview) - ObjectId (over lighthouse) not resolved to source user

Hey, it seems that if you provide either the UPN (with #EXT#) or the objectId (that is assigned if you manually assign the incident owner, so it's available) through the logic app block Update Incident (Preview), it does not assign the underlying…

Azure Logic Apps
Microsoft Sentinel
asked 2024-02-15T09:05:03.66+00:00
Wiszowaty, Sebastian 20 Reputation points
commented 2024-02-26T13:44:46.95+00:00
Akshay-MSFT 16,926 Reputation points Microsoft Employee
0 answers

How to have logs sent from multiple different non-connected Azure and AWS tenants to one instance of Azure Sentinel

I have 1 main tenant with our Azure Arc and Azure Sentinel instance. I need to get all the machines on several non-connected Azure and AWS tenants to send their logging to our Azure Sentinel. No VPNs are allowed between the tenants. Azure Arc will work…

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
358 questions
Microsoft Sentinel
asked 2024-02-13T20:18:00.4+00:00
Darren Phillips 1 Reputation point
commented 2024-02-14T14:59:30.1933333+00:00
Timmy Malmgren 886 Reputation points
0 answers

Azure VM not reporting to LAW | Event Id 4001 Operations Manager

Hi folks, I have an Azure hosted machine which is unable to connect to Azure OMS to export Logs to Azure LAW. However, I am getting connectivity related errors in MMA config manager, Event Id 4001 in Event Logs etc. Though, I have validated the…

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,370 questions
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,433 questions
Microsoft Sentinel
asked 2024-02-13T19:18:54.5966667+00:00
Apurva Pathak 320 Reputation points
commented 2024-03-07T15:11:09.51+00:00
deherman-MSFT 34,436 Reputation points Microsoft Employee
0 answers

Why can't I see threat intelligence in Sentinel?

I made an auto TI indicator using the HTTP connector in Logic Apps. And the HTTP connector is fine; it returns a 201 code, a success result. But I can't see the result in threat intelligence.…

Microsoft Sentinel
asked 2024-01-19T00:40:13.48+00:00
mara7 161 Reputation points
commented 2024-01-22T20:14:28.3033333+00:00
JamesTran-MSFT 36,496 Reputation points Microsoft Employee
0 answers

How to establish a connection between the NSG data connector and Sentinel

I'm facing an issue while connecting the NSG data connector and the Azure Activity data connector to Sentinel. But it is asking for "Policy: owner role assigned for each policy assignment scope." I don't know what role to assign to what…

Microsoft Sentinel
asked 2024-01-18T09:47:23.79+00:00
Anirudh K 0 Reputation points
commented 2024-01-18T12:49:00.3833333+00:00
Luis Arias 5,366 Reputation points