Is there a way to query all table schemas to count how many columns every table in Sentinel has using KQL?
I am trying to return a list of tables that have more than a certain number of columns. getschema works, but it would be a painful task to run it for every table. The table name is also not maintained when you run getschema, so I tried to union all…
Scaling your CICD pipeline - Default parameter file is not being used
I am currently working on a CICD pipeline in combination with MS Sentinel content. I just got in touch with the repository and the process of handling parameter files. I am just asking myself why the default parameter file is not being used. All of my…
How to execute Microsoft Sentinel's backups and recovery
Hi, I'm starting in Microsoft Sentinel and have read a lot of documents, but I couldn't find anything about backup and recovery. Does anybody know something about this? Please give some advice. Thank you in advance. Best regards,
Azure virtual desktop session alerts triggered by hostname changes
Our Azure virtual desktop keeps raising "pass the ticket" attack alerts when the hostname of our computers changes from <hostname> to <hostname>-<random number>. However, our security logs remain the same inside the SIEM,…
Sentinel to Azure Firewall connection issues
I am having issues connecting Sentinel to Azure Firewall. I have established 9 other connections with no problem, but not to Azure Firewall from the Sentinel data connector. I have rebuilt the firewall several times, I confirmed the diagnostic log setting and…
How to retrieve output data after the deployment
Hello there, I am wondering if there's a straightforward method to retrieve the output results after a deployment is completed. By 'straightforward,' I mean configuring a specific API-link during the deployment to which the output data, along with its…
Export Logs from Log Analytics Workspace to Blob Storage
Hi all, I have a Log Analytics Workspace that is linked to Sentinel. I have a lot of logs that I need to export from the Workspace into Blob Storage. The logs date back 30 days; it is about 400 GB, about 500 million logs. Please let me know what…
Azure Sentinel Log Screen KQL mode to start by default
About a month ago, Azure Sentinel changed the Log page GUI. It added a default Simple Mode, which does not seem to allow entering a KQL query by typing. KQL mode, which is much more practical, needs to be selected over and over on the right side of the screen.…
Sentinel _BilledSize and estimate_data_size differences
Hey folks, could somebody tell me the relationship between the _BilledSize field in a log and the result of the estimate_data_size(*) KQL command? I do understand that the _BilledSize field contains the info on the size of the data I have to pay for…
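As an added example (not part of the original post), the query below puts the two measures side by side for one table so the relationship can be measured rather than guessed: it sums the billed bytes from `_BilledSize` and the bytes estimated by `estimate_data_size(*)` over the same rows, then reports their ratio. The table (`SecurityEvent`) and the one-hour window are assumptions; swap in any table in your workspace.

```kql
// Added example: compare _BilledSize with estimate_data_size(*) on the same rows.
// Table name and time window are assumptions; change them to fit your workspace.
SecurityEvent
| where TimeGenerated > ago(1h)
// Per-row estimate of the size of all columns of this row
| extend EstimatedBytes = estimate_data_size(*)
| summarize
    Rows = count(),
    BilledBytes = sum(_BilledSize),      // what Log Analytics charges for
    EstimatedBytes = sum(EstimatedBytes) // what the KQL estimator computes
// Ratio > 1 means the estimate is larger than what is billed, < 1 the reverse
| extend EstimatedToBilled = round(todouble(EstimatedBytes) / BilledBytes, 2)
```

Run it against a few tables with different shapes (narrow tables with many rows versus wide tables with large string columns) to see how far the two numbers drift apart; the two are not expected to match exactly, so treat the ratio as a per-table calibration factor rather than as an error.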
Can not enable MSD Threat Intelligence Data Connector
I have a cx that is getting the error below when attempting to enable Microsoft Defender Threat Intelligence data connector. He is using the (Preview) version. What could be causing this?
Segregating and Identifying Alerts in Sentinel Workspace
I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the…
Sentinel free data sources
Hi, quoting from https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources "The following data sources are free with Microsoft Sentinel: Azure Activity Logs. Office 365 Audit Logs, including all…
CloudWatch ASIM Parser
I have successfully connected AWS CloudWatch to Sentinel, and I am receiving events from multiple log groups. However, I am facing an issue with parsing the events, particularly with the 'Message' field that is in JSON format. Currently, the 'Message'…
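As an added example (not code from the original post), the query below shows the usual first step of a parser for this data: the JSON in `Message` is turned into a dynamic object with `parse_json()` and individual keys are projected out as typed columns, keyed by log group so events from several groups can be told apart. The key names (`eventName`, `sourceIPAddress`, `userIdentity.arn`) assume CloudTrail-style events forwarded through CloudWatch, and `LogGroup` is assumed to be the column carrying the log group name; replace both with what your log groups actually contain.

```kql
// Added example: extract fields from the JSON-formatted Message column of AWSCloudWatch rows.
// Key names assume CloudTrail-style events; LogGroup is assumed to hold the log group name.
AWSCloudWatch
| where TimeGenerated > ago(1d)
// Only rows whose Message is a JSON document; other log groups may send plain text
| where isnotempty(Message) and Message startswith "{"
| extend Msg = parse_json(Message)
// Project the keys of interest as typed columns (ASIM-style normalization would continue from here)
| extend EventName = tostring(Msg.eventName),
         SourceIp  = tostring(Msg.sourceIPAddress),
         ActorArn  = tostring(Msg.userIdentity.arn)
// Drop rows where the JSON did not carry the expected keys
| where isnotempty(EventName)
| summarize Events = count(), SourceIps = make_set(SourceIp, 10)
    by LogGroup, EventName, ActorArn
| order by Events desc
```

The `startswith "{"` guard matters when several log groups land in the same table: `parse_json()` on a non-JSON string returns the string unchanged rather than failing, so without the guard those rows silently produce empty columns instead of being filtered out.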
Sentinel as IaC with Terraform
Hi, Trying to instantiate Sentinel using Terraform. Should be straightforward, create a resource group (azurerm_resource_group), log analytics workspace (azurerm_log_analytics_workspace), onboarding Sentinel…
Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use?
Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use? 'Investigation priority score' feature and 'Investigation priority score increase policy' will be phased out in the coming weeks,…
Minimum hardware requirements for installation of AMA via ARC on Servers
Hello Community. Having a bit of a hard time trying to find the minimum hardware requirements for Windows and Linux Servers for the installation of AMA via ARC. I'm looking for something similar that I found with MDE like this. MDE Minimum…
Ingesting Cisco ASA logs into Sentinel using the AMA agent
Hi there, We are looking to onboard Cisco ASA logs into Microsoft Sentinel. Currently the Cisco ASA integration guide (linked below) on Microsoft Docs is referencing using the old MMA agent to get these logs onboarded. As this agent is being deprecated…
DataConnector connectorUI attributes - sampleQueries
Hey folks, I was working on some data connectors, and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…
Regarding Non-Accounts Being Added to Security-Enabled Local, Global and Universal Groups
Hello Team, Greetings! During our monitoring activities in Sentinel, we have observed that some non-accounts have been added to security-enabled local, global, and universal groups. Could you please provide insight into why this activity is being…