1,023 questions with Microsoft Sentinel tags

2 answers

Set total retention period for one or more tables

Hi, I am trying to set the total retention time for one or more log tables using the command az monitor log-analytics workspace table update --subscription <subscription id> --resource-group sentinel --workspace-name <name> --name…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,023 questions
asked 2024-06-18T18:39:12.59+00:00
Nikhil Padma 0 Reputation points
answered 2024-06-19T00:42:28.02+00:00
Nikhil Padma 0 Reputation points
1 answer

Connect Defender for Servers to Log Analytics Workspace

We've enabled Defender for Servers and I'd like to confirm how to connect it to our Log Analytics Workspace. The Microsoft Defender XDR connector is already installed, but do we need to install the Microsoft Defender for Cloud connector for this? The…

Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,046 questions
asked 2024-06-18T21:30:59.22+00:00
Richard Long 301 Reputation points
edited an answer 2024-06-18T23:39:30.0866667+00:00
Vlad Costa 615 Reputation points
2 answers

Syslog through AMA connector not showing in the content hub list.

Hi, Trying to set up a syslog ingestion into Sentinel for testing. The setup consists of AMA on an on-prem syslog server. The legacy agent is soon not supported, and the requirement of AMA on-prem is according to Microsoft guides to have the following…

asked 2024-06-03T09:40:15.5033333+00:00
Bl()e 5 Reputation points
edited a comment 2024-06-18T12:34:48.98+00:00
Andrew Blumhardt 9,676 Reputation points Microsoft Employee
1 answer

MS Sentinel - Data Connectors update

Question MS Sentinel in Azure - Data Connectors In Data Connectors I have 21 onboarded connectors, 17 connected, 0 updates. When I go to "More content at content hub" I can see 17 installed and 3 updates. QS1: Why are these 3 updates not shown…

asked 2024-06-18T01:44:18.1766667+00:00
Lutz Rahe 0 Reputation points
answered 2024-06-18T10:44:49.2466667+00:00
Clive Watson 5,951 Reputation points MVP
0 answers

Azure Monitor Agent Fluent Bit CVE-2024-4323.

Hello, two questions about Azure Monitor Agent Fluent Bit exe in regards to CVE-2024-4323. AMA agent installation is using fluent-bit.exe in version 2.0.9 (location C:\Program Files\Azure Monitor Agent\Monitoring\Agent\fluent-bit.exe) I would like…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,925 questions
asked 2024-06-17T09:51:44.58+00:00
B T 0 Reputation points
edited the question 2024-06-18T03:55:38.18+00:00
PRADEEPCHEEKATLA-MSFT 82,356 Reputation points Microsoft Employee
0 answers

API Version Discrepancies for 'Data Connector Definitions' in Sentinel

Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…

asked 2024-06-14T08:30:15.17+00:00
LXF 120 Reputation points
commented 2024-06-17T20:54:17.91+00:00
Marilee Turscak-MSFT 35,621 Reputation points Microsoft Employee
1 answer

I and others in my organization are members of "Microsoft Sentinel Contributor" but sometimes we cannot close Sentinel Incidents

I and others in my organization are members of "Microsoft Sentinel Contributor". We can usually close the incidents but sometimes we cannot close them. I have verified my role assignments and since I have the role of "Microsoft Sentinel…

asked 2024-06-05T18:54:35.8733333+00:00
JCrockett 0 Reputation points
commented 2024-06-17T15:53:46.1266667+00:00
JCrockett 0 Reputation points
1 answer One of the answers was accepted by the question author.

Migrating Sentinel DNS event connector from legacy agent to AMA

Hi I am in the process of migrating the Sentinel Windows security and DNS data connectors from the legacy agent to AMA. We use the DNS audit log 519 events to resolve device names from ip addresses where the device name is not returned in a lookup query.…

asked 2024-06-05T10:08:43.27+00:00
Louise Atyeo 20 Reputation points
accepted 2024-06-17T13:04:29.7+00:00
Louise Atyeo 20 Reputation points
0 answers

Syslog Transformation DCR not working

I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…

asked 2024-05-29T16:03:21.6833333+00:00
Greg Sneed 0 Reputation points
commented 2024-06-17T12:38:47.9666667+00:00
Greg Sneed 0 Reputation points
0 answers

Syslog through AMA (CEF) Connector

Hi, Following up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co I have now installed Arc, and the machine is showing up on Azure Arc. The AMA is installed and is…

asked 2024-06-11T10:30:54.9766667+00:00
Bl()e 5 Reputation points
commented 2024-06-14T10:14:19.01+00:00
Graham Bloice 0 Reputation points
3 answers

How to audit the creator of an Enterprise Application in Azure

Hi, I'm trying to get the creator of an "Enterprise Application", as soon as someone creates one, by the query below. AuditLogs | where Category =~ "ApplicationManagement" | where OperationName =~ "Add application" | mv-expand…

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,138 questions
asked 2024-02-07T16:11:00.8033333+00:00
Stalder Jonas 0 Reputation points
commented 2024-06-12T19:26:17.6533333+00:00
Olivier López Chaverri 0 Reputation points
1 answer One of the answers was accepted by the question author.

Custom detection rule

We see that 90% of the SPAM geared toward students comes from fake Gmail accounts. In Advanced Hunting I created a KQL query to find any Gmail account that sent more than 40 emails from the same account. I saved it as a Custom Detection Rule. …

Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection. Training: Instruction to develop new skills.
20 questions
asked 2024-06-07T21:32:24.7433333+00:00
Runge, Larry 20 Reputation points
commented 2024-06-12T13:42:53.4233333+00:00
Runge, Larry 20 Reputation points
1 answer One of the answers was accepted by the question author.

Analytic rules in Sentinel Solutions

I am going to provide analytic rules in Sentinel's Solutions. I've observed that all the solutions by other companies available on the Microsoft Sentinel GitHub contain a .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that…

asked 2024-06-11T02:01:49.2633333+00:00
LXF 120 Reputation points
accepted 2024-06-12T01:25:31.4766667+00:00
LXF 120 Reputation points
2 answers One of the answers was accepted by the question author.

How connectivityCriteria works in Sentinel

Regarding the below sample json-code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel. 1/Specifically, what happens when the KQL query within returns a positive result? 2/And suppose our server hasn't…

asked 2024-06-11T09:35:08.2866667+00:00
LXF 120 Reputation points
commented 2024-06-12T01:18:51.25+00:00
LXF 120 Reputation points
0 answers

DataConnector connectorUI attributes - sampleQueries

hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…

asked 2024-06-10T08:25:05.6566667+00:00
Sándor Tőkési 181 Reputation points
commented 2024-06-11T14:53:19.3366667+00:00
Sándor Tőkési 181 Reputation points
0 answers

How do Azure ARM templates process placeholders, please?

Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the code (from the Sentinel Solution folder @ github)…

asked 2024-06-11T02:47:43.6333333+00:00
LXF 120 Reputation points
commented 2024-06-11T10:06:35.52+00:00
Akshay-MSFT 17,006 Reputation points Microsoft Employee
1 answer

How to not duplicate data when updating Sentinel data connector

We implemented the Sentinel data connector using the Azure function app. We have an issue now, when we need to make any updates to the data connector and make a deployment, the customer needs to create a new workspace to avoid data duplication. Is there…

Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,496 questions
asked 2024-06-03T21:59:13.5533333+00:00
Xiuyang Bobby Sun 25 Reputation points
commented 2024-06-11T06:48:55.2+00:00
Akshay-MSFT 17,006 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

How to find the creation date of each analytical rule on Sentinel

Hi all, I am aiming to find the number of new analytical rules created per month, as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. To achieve this, I am considering REST calls against…

asked 2024-06-07T10:28:09.6+00:00
Evangelos Spatharas (CP,UK) 20 Reputation points
commented 2024-06-10T16:17:58.84+00:00
Evangelos Spatharas (CP,UK) 20 Reputation points
1 answer

Sentinel Active Rules

I would like to see the data about my active rules; for example, I would like to see the Created Date of my rules. I can see only the column "last modified". Can I see this information using KQL? Obs: I only use the table Security…

asked 2024-06-05T17:39:53.08+00:00
Hyago Santana Mariano 0 Reputation points
commented 2024-06-10T03:33:35.8333333+00:00
Givary-MSFT 29,351 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Preparing Sentinel Content and ARM Template Files

I am preparing Sentinel content (a dataConnector) as outlined in the steps (from "\sentinel_with_ContentHub\Azure-Sentinel\Solutions\readme.md") shown in the below picture. Could you please confirm my understanding? Thank you in advance! In…

asked 2024-06-04T02:12:46.0733333+00:00
LXF 120 Reputation points
accepted 2024-06-05T00:50:29.67+00:00
LXF 120 Reputation points