Set total retention period for one or more tables
Hi, I am trying to set the total retention time for one or more log tables using the command az monitor log-analytics workspace table update --subscription <subscription id> --resource-group sentinel --workspace-name <name> --name…
Connect Defender for Servers to Log Analytics Workspace
We've enabled Defender for Servers and I'd like to confirm how to connect it to our Log Analytics Workspace. The Microsoft Defender XDR connector is already installed, but do we need to install the Microsoft Defender for Cloud connector for this? The…
Syslog through AMA connector not showing in the content hub list.
Hi, Trying to set up a syslog ingestion into Sentinel for testing. The setup consists of AMA on a on-prem syslog server. The legacy agent is soon not supported, and the requirement of AMA on-prem is according to Microsoft guides to have the following…
![](https://techprofile.blob.core.windows.net/images/aXuH7oYyEEiHuDJT798imw.png?8D9A0B)
MS Sentinel - Data Connectors update
Question MS Sentinel in Azure - Data Conenctors In Data Conenctors I have 21 onboarded connectos, 17 connected , 0 updates When I go to "More content at content hub" I can see 17 installed and 3 updates. QS1: Why these 3 updates are not shown…
![](https://techprofile.blob.core.windows.net/images/JAQvH115oEKPOaY5Bs_xGw.png?8D84F3)
Azure Monitor Agent Fluent Bit CVE-2024-4323.
Hello, two questions about Azure Monitor Agent Fluent Bit exe in regards to CVE-2024-4323. AMA agent installation is using fluent-bit.exe in version 2.0.9 (location C:\Program Files\Azure Monitor Agent\Monitoring\Agent\fluent-bit.exe) I would like…
![](https://techprofile.blob.core.windows.net/images/VfQFAmOikEWfBHko2XlWTA.png?8D7F33)
API Version Discrepancies for 'Data Connector Definitions' in Sentinel
Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…
I and others in my organization are members of "Microsoft Sentinel Contributor" but sometimes we cannot close Sentinel Incidents
I and others in my organization are members of "Microsoft Sentinel Contributor" We can usually close the incidents but sometimes we cannot close them. I have verified my role assignments and since I have the role of "Microsoft Sentinel…
Migrating Sentinel DNS event connector from legacy agent to AMA
Hi I am in the process of migrating the Sentinel Windows security and DNS data connectors from the legacy agent to AMA. We use the DNS audit log 519 events to resolve device names from ip addresses where the device name is not returned in a lookup query.…
Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…
Syslog through AMA (CEF) Connector
Hi, Follwing up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co I have now installed Arc, and the machine is showing up on Azure Arc. The AMA is installed and is…
How to audit the creator of an Enterprise Application in Azure
Hy I'm trying to get the creator of an "Enterprise Application", as soon as someone is creating one by query below. AuditLogs | where Category =~ "ApplicationManagement" | where OperationName =~ "Add application" | mv-expand…
Custom detection rule
We see that 90% of the SPAM geared toward students comes from fake Gmail accounts. In Advanced Hunting I created a KQL query to find any Gmail account that sent more than 40 emails from the same account I saved it as a Custom Detection Rule. …
Analytic rules in Sentinel Solutions
I am going to provide analytic rules in Sentinel's Solutions. I've observed that All the solutions by other companies available on Microsoft Sentinel Github contains .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that…
How connectivityCriteria works in Sentinel
Regarding the below sample json-code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel. 1/Specifically, what happens when the KQL query within returns a positive result? 2/And suppose our server hasn't…
DataConnector connectorUI attributes - sampleQueries
hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…
how Azure ARM templates process placeholders please?
Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the codes (from Sentinel Solution folder @ github)…
![](https://techprofile.blob.core.windows.net/images/7EQ5-HY98kGi4i9V9wyPSg.png?8DAAFF)
How to not duplicate data when updating Sentinel data connector
We implemented the Sentinel data connector using the Azure function app. We have an issue now, when we need to make any updates to the data connector and make a deployment, the customer needs to create a new workspace to avoid data duplication. Is there…
![](https://techprofile.blob.core.windows.net/images/7EQ5-HY98kGi4i9V9wyPSg.png?8DAAFF)
How to find the creation date of each analytical rule on Sentinel
Hi all, I am aiming to find the number of new analytical rules created per month, as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. To achieve this, I am considering REST calls against…
Sentinel Active Rules
I would like to see the datas about my active rules, for example, I would like to see the Created Date about my rules. I can see only the column "last modified". Can I see this informations using KQL? Obs: I only use the table Security…
Preparing Sentinel Content and ARM Template Files
I am preparing Sentinel content (a dataConector) as outlined in the steps (from "\sentinel_with_ContentHub\Azure-Sentinel\Solutions\readme.md")shown in the below picture. Could you please confirm my understanding? Thank you in advance! In…