Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…
Syslog through AMA (CEF) Connector
Hi, Following up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co I have now installed Arc, and the machine is showing up on Azure Arc. The AMA is installed and is…
API Version Discrepancies for 'Data Connector Definitions' in Sentinel
Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…
DataConnector connectorUI attributes - sampleQueries
hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…
How do Azure ARM templates process placeholders, please?
Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the code (from the Sentinel Solution folder @ github)…
logo size for Sentinel Content Preparation
Hello, I am preparing the Sentinel content according to the following steps from github; my question is whether there is a requirement about the size of the logo? Thanks.
Sentinel - Sophos Endpoint Protection (using REST API) (Preview) - Fails due to trying to create a table with a hyphen!
When trying to configure and deploy the new Sophos API connector for Sentinel it fails. Looks like it's trying to create a new table called Custom-SophosEPAlerts_CL but tables cannot contain hyphens so needs changing to CustomSophosEPAlerts_CL…
Extensions AMA - Impossible to install agent
Hello, I'm trying to deploy an AMA extension but I'm stuck in "creating" with the following error messages from the Guestconfig file on RHEL 9 Linux servers: [2024-05-15 15:52:30.135] [PID 1117] [TID 1629] [Pull Client] [INFO] Successfully…
Tenable Io sentinel solution can not identify log analytics work space?
Tenable Io sentinel solution can not identify log analytics work space?
Remove a mobile device from a user
Has anyone built a Sentinel playbook / Logic App to be able to remove an ActiveSync device from a user? And could you share some details on how this was done?
Query set to run in my Logic App is timing out and failing
Hello everyone. I am troubleshooting an issue with my Logic App in which, after an incident triggers, the next step is to run the query and list the results, but this part of the Logic App is what is timing out and failing. When reading the timeout…
Cannot view Sentinel alert for some incidents but the alert can be found in Defender for Endpoint portal using Graph
I have enabled automatic incident creation for Defender for Endpoint in Sentinel but when I try to view some alerts associated with the created incidents, nothing is displayed. Despite this, I can locate the relevant alert in the Security (Defender for…
Getting Error while saving Analytics rule as "the provided 'productFilter' was not recognized as a valid product"
Team, I am trying to create an Analytics Rule. I also created an Automation Rule with default options and created one playbook to run an action of that automation rule. But while saving the Analytics Rule, Sentinel throws the below error. Failed to save analytics…
CloudWatch ASIM Parser
I have successfully connected AWS CloudWatch to Sentinel, and I am receiving events from multiple log groups. However, I am facing an issue with parsing the events, particularly with the 'Message' field that is in JSON format. Currently, the 'Message'…
Azure VM not reporting to LAW | Event Id 4001 Operations Manager
Hi folks, I have an Azure hosted machine which is unable to connect to Azure OMS to export logs to Azure LAW. I am getting connectivity related errors in the MMA config manager, Event Id 4001 in the Event Logs, etc. However, I have validated the…
Playbook ARM template generator broken
Hey, I have been using the playbook ARM template generator for years and the past week it does not work at all. It tries to log into local host to present the portal but it does not work correctly. I have tried it on 3 machines and several browsers. …
Sentinel widgets and private endpoint
Do the widgets and Insights work in the Incidents panel in Sentinel when the Log Analytics Workspace uses private endpoints? "externaldata operator"…
Error data connector Github audit logs
Hi everyone. I am trying to make the connection between GitHub and Sentinel. I am trying to get the GitHub Enterprise Audit Log connector up, but somehow when I put in the name of the Organization and the API key I get an error " Forbidden -…
Azure Sentinel - Update incident (preview) - ObjectId (over lighthouse) not resolved to source user
Hey, it seems that if you provide either the UPN (with #EXT#) or the objectId (that is assigned if you manually assign the incident owner, so it's available) through the Logic App block Update Incident (Preview), it does not assign the underlying…