Got 1 Linux Computer Connected via Log Analytics Linux agent (legacy) after clean uninstall of Azure Arc Machines
I ran into trouble when trying to cleanly uninstall the Arc Machine on Ubuntu 22, because when I ran troubleshoot after finishing installing omsagent it said it's not supported on Ubuntu 22. So I want to make another machine with Ubuntu 20; I'm running the command for…
Upgrade GitHub App Azure-Sentinel
We have been using the Azure-Sentinel GitHub App to synchronize our repository to Sentinel. It's been a while since it was installed, and lately we have been getting the following error: deploy-content Node.js 16 actions are deprecated. Please update…
Azure Activity Log Data Connector Configuration
Hi, Recently, I onboarded Azure activity by following the instructions on the data connector page and completed the configuration successfully. This process involved creating a policy to send the logs to the log analytics workspace. During the setup, I…
How to get additional details about MITRE attacks like (mitre_tactic_id, mitre_technique_id, mitre_tactic, mitre_technique, mitre_subTechnique)?
Hello, greetings of the day. We are using the below endpoint to collect the alerts. These alerts consist of a wide range of data, including mitreTechniques. Further, I would like to know if it is possible to extract more information about MITRE attacks…
Finding classic automation in Sentinel analytics
I have the ability to search through ARM templates for the Sentinel analytics, and I'm hoping to find a way to detect the use of classic alert automation. Does anyone know what I should be searching for in the ARM template? We have not used this method,…
Extensions AMA - Impossible to install agent
Hello, I'm trying to deploy an AMA extension but I'm stuck in "creating" with the following error messages from the Guestconfig file on RHEL 9 Linux servers: [2024-05-15 15:52:30.135] [PID 1117] [TID 1629] [Pull Client] [INFO] Successfully…
How to generate data in Alert, AlertHistory, AlertEvidence and AlertInfo tables in Log Analytics workspace?
We would like to generate the data in the following tables in the Azure Monitor and Security categories described in the docs, https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alert …
Testing Microsoft Defender XDR with Azure Sentinel in a CDX-like Environment
I'm looking to try out Microsoft Defender XDR with Azure Sentinel, but my current setup—a CDX tenant under an E5 subscription—doesn't have an active Azure subscription. Any suggestions for workarounds or similar environments where I can test Microsoft…
Problems with data collectors and syslog
So, I have a task to integrate security logs that are being sent via the syslog protocol, formatted as CEF: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama?tabs=syslog%2Cportal I do have a Linux VM. It does have the Python…
Issue with Microsoft Sentinel Connectors
Hello! Prior to May 7th, 2024, there were roughly 20 connectors that were connected and working as expected with respect to Microsoft Sentinel and the Log Analytics workspace. On the mentioned date we noticed this anomaly where, out of the 20-odd…
Sentinel Kusto Query: todatetime function does not work with dynamic values.
I have a Kusto query to calculate MTTR by client. When an incident is resolved, an analyst comments the resolution time in the format "R: time", where time is when the incident was resolved and R is to make the comment unique. Example: R: Friday, May 10,…
Not allowed to connect Sentinel Data connector with Defender XDR
Hello, I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing me to establish the XDR connector. As I am the Owner of the…
Remote Desktop Connection error - Windows 11
A newbie here trying to set up Azure Sentinel (SIEM) and connect it to a live virtual machine that will act as a honeypot. But I am facing an error with RDP: Windows 11 Home edition doesn't support Remote Desktop.…
How to separate logs received on syslog port 514 into separate tables during ingestion and avoid duplication.
Hi team, I have a centralized log forwarder setup which collects logs on port 514 from different applications. I want to send those logs to separate tables by filtering them at ingestion time. Currently all logs are going to Syslog using the default DCR rule,…
Failed to save analytics rule query.
I can create any active analytics rule query in Microsoft Sentinel. While trying to create a new one, an error occurs: "Failed to save the analytics rule query. Log Analytics workspace 'xxx' could not be found." It started when the previous…
Respond to incidents across multiple tenants deploying Defender XDR from one centralized MS Sentinel
Hello, I have a customer with 3 tenants: A, B and C. Tenants A and C are each using Microsoft Defender XDR. MS Sentinel is configured on tenant B. He wants to centralize all events and logs in Sentinel and wants to configure responses if any incident is…
Watchlist Azure Sentinel Update
Is there anyone who has or knows of a source of information that can provide a more comprehensive or extensive list of SocRA than what is available at this link: https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv? I…
Inquiry Regarding Multiple 4624 Event ID Logs for Single User Login
Hello Team, I am reaching out to inquire about a matter related to our Windows Security logs. Specifically, we have observed multiple instances of Event ID 4624 being logged for a single user login event in the Security Events table. As part of our…
Error upon setting up playbook.
I am using this guide to set up a playbook for AlienVault OTX. However, I get the following error message when I try to save the logic: "Workflow validation failed for the workflow ''.…
How to add a function app for an Azure workbook and Sentinel solution
Hi, I am working on contributing to an Azure Sentinel solution on GitHub. My solution contains a data connector and workbooks. Now, I want to add a workbook that talks to a custom endpoint. In this case, the custom endpoint is a function app HTTP…