Custom Data Connector into Sentinel Content-Hub
Hello Microsoft Community, We are planning to build & integrate our custom data connector into the Sentinel Content-Hub to enable data analysis services for our customers who are interested in Azure Sentinel. And our data, which is unique and…
How Do I Configure JSON Items for Different Types of Data Connectors?
Hello, I'm wondering if there are any wiki pages that give an explanation of how to properly configure the data connectors. Thank you! I've been exploring the variety of data connectors available in Azure, such as GenericUI, APIPolling, and others, through…
The request type when fetching to S3
Hi all, I would like to connect S3 and Microsoft Sentinel. I have a question. ・I think you fetch files from Microsoft Sentinel to S3; is the request type GET? The following is the page to which we…
Moving Sentinel to a different management group
Hey folks, I know that moving Sentinel from one subscription to a different one is not supported and can break things. Could somebody tell me, whether moving a whole subscription that contains a Sentinel instance from one management group to another…
Threat Intelligence Sharing
Hi all, Is it possible to use threat intelligence from a third-party solution with Microsoft Sentinel? And if possible, how would you connect them? Custom connectors? Regards,
Mismatch in amount of data received in Log Analytics workspace and DCR metrics
I have defined a data collection rule and am using the Logs Ingestion API to send data to 2 custom tables. I have defined diagnostic settings for the DCR such that error logs are sent to the Log Analytics workspace. For about an hour, I have events ingested…
How to get additional details about MITRE attacks like (mitre_tactic_id, mitre_technique_id, mitre_tactic, mitre_technique, mitre_subTechnique)?
Hello, greetings of the day. We are using the below endpoint to collect the alerts. These alerts consist of a wide range of data including mitreTechniques. Further, I would like to know if it is possible to extract more information about MITRE attacks…
Testing Microsoft Defender XDR with Azure Sentinel in a CDX-like Environment
I'm looking to try out Microsoft Defender XDR with Azure Sentinel, but my current setup—a CDX tenant under an E5 subscription—doesn't have an active Azure subscription. Any suggestions for workarounds or similar environments where I can test Microsoft…
Sentinel Kusto Query todatetime function does not work with dynamic values.
I have a Kusto query to calculate MTTR by client. When an incident is resolved, an analyst comments the resolution time in the format R: time, where time is when the incident was resolved and R is to make the comment unique. Example R: Friday, May 10,…
Sentinel bicep deployment : InvalidParameter - Solution product cannot start with 'OMSGallery/' as it is reserved for Microsoft first party solutions.
Hello, I am learning how to script and I wish to deploy Sentinel with Bicep. I have created a script from Microsoft templates and have added variables as well as a jsonc parameters file. I use VSC with the Bicep extension in order to "easily"…
How are github links created/referenced in function app
I am finding it difficult to understand how are these links generated. https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy https://aka.ms/sentinel-ApigeeXDataConnector-functionapp I am building a similar function app json for my solution, and I…
Inquiry Regarding Multiple 4624 Event ID Logs for Single User Login
Hello Team, I am reaching out to inquire about a matter related to our Windows Security logs. Specifically, we have observed multiple instances of Event ID 4624 being logged for a single user login event in the Security Events table. As part of our…
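As an added example (not part of the post above, nor Microsoft's own guidance), the KQL below groups the 4624 records for one account by the fields that usually distinguish separate logon records for a single user sign-in: logon type, logon process, authentication package and the source workstation or IP. The account name and the one-day window are assumed placeholders; the table and column names are those of the Sentinel SecurityEvent table.

```kql
// Added example, not from the original post. Assumes the standard
// SecurityEvent table populated by the Windows Security Events connector;
// the account name is a placeholder.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624
| where Account =~ @"CONTOSO\jdoe"          // assumed sample account
| summarize Logons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Account, LogonType, LogonProcessName, AuthenticationPackageName,
       WorkstationName, IpAddress
| order by Logons desc
```

If the rows differ in LogonType or LogonProcessName, the extra 4624 events are separate logon sessions created on behalf of the same sign-in (a common pattern on Windows) rather than duplicate collection; if every field is identical and only the count differs, look at the collection path (for example, the same host reporting through more than one agent or data collection rule) before treating the events as a detection signal.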
Respond to incidents across multiple tenants deploying Defender XDR from One Centralized Ms Sentinel
Hello, I have a customer with 3 tenants: A, B and C. Tenants A and C are each using Microsoft Defender XDR. MS Sentinel is configured on Tenant B. He wants to centralize all events and logs in Sentinel and wants to configure responses if any incident is…
How to add a function app for azure workbook and sentinel solution
Hi, I am working on contributing to an Azure Sentinel solution on GitHub. My solution contains a data connector and workbooks. Now, I want to add a workbook that talks to a custom endpoint. In this case, the custom endpoint is a function app HTTP…
KQL validation is failing locally
I ran dotnet test as per https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally [xUnit.net 00:00:00.41] Exception discovering tests from Kqlvalidations.Tests: System.BadImageFormatException: Could not load file or assembly…
Failed to save analytics rule query.
I can create any active analytics rule query in Microsoft Sentinel. While trying to create a new one, an error occurs: "Failed to save the analytics rule query. Log Analytics workspace 'xxx' could not be found." It started when the previous…
Can I create a playbook in Microsoft Sentinel that is able to disable a compromised hybrid user account whose authentication authority is an on-premises Active Directory Domain controller?
I would like to create a playbook that disables a compromised account. The account is synchronised from an on-premises Active Directory Domain Controller. Synchronisation to Microsoft Entra ID is through Microsoft Entra Connect Sync. Password hash…
30 day challenge for security operations analyst cert module numbers inconsistent
I am doing the 30 day challenge for SC-200 Security Operations Analyst. I have done the 53 modules stated in the challenge; however, my status says 53 of 54 modules completed. I have no info on how to get to the 54th module, if it exists! URL:…
Error While setting up SMTP Email V3 connection
Hi Team, I am configuring an SMTP connection and getting the below error: Failed to create connection: { "error": { "code": 502, "source": "logic-apis-easteurope.azure-apim.net", "clientRequestId": "",…
Missing permission 'Microsoft.OperationsManagement/register/action' on scope '/subscriptions/8c507d2e-37ef-4ae1-864f-fd05f45b3cdb' is required to add Microsoft Sentinel to the selected workspace
Hi, I'm facing a problem when I try to subscribe to Microsoft Sentinel. When I try to add Microsoft Sentinel to my desired workspace, this notification pops up. I do have the Owner and Security Administrator permissions. Can someone please enlighten me…