1,056 questions with Microsoft Sentinel tags

1 answer

Microsoft Sentinel - Add note to table or function in KQL

Hello, I was wondering if there is a way to attach a note to a specific table or function in KQL so that an analyst using the table will see it when they use it in a query? I work for an MSSP providing managed Sentinel SIEM. Analysts will regularly create…

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,056 questions
asked 2024-07-17T11:55:15.95+00:00
jake stewart 0 Reputation points
answered 2024-07-18T16:26:16.8466667+00:00
Clive Watson 5,951 Reputation points MVP
0 answers

Monitor Sentinel environment.

We are entering into an arrangement with a vendor who is supposed to monitor our Sentinel environment for us. They wanted to use Azure Lighthouse to enable access to our tenant, but we want to do this in the least privileged way - we only want to give…

asked 2024-07-18T13:56:20.4733333+00:00
Schifter, Gabriela 160 Reputation points
0 answers

How to ingest NetFlow into Sentinel

Is there a Sentinel connector for Cisco NetFlow ?

asked 2024-07-18T13:32:34.2833333+00:00
Chad Hutchings 0 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

How do I troubleshoot after PRs are issued?

Hello, We have submitted a pull request to GitHub for our Sentinel Solution. I noticed that the pipeline checks, as shown below, include some unresolved issues that are confusing to us. Could you please let us know who we should contact to resolve these…

asked 2024-07-18T04:19:34.97+00:00
LXF 180 Reputation points
edited the question 2024-07-18T07:32:52.8066667+00:00
Givary-MSFT 30,596 Reputation points Microsoft Employee
0 answers

Microsoft Sentinel Solution for Microsoft Power Platform

I’ve been testing the Microsoft Sentinel Solution for the Power Platform, and I’m encountering an issue with the Power Platform inventory data connector. This connector uses an Azure Function App to ingest inventory and usage data from an Azure Data Lake…

Microsoft Power Platform Training
Microsoft Power Platform Training
Microsoft Power Platform: An integrated set of Microsoft business intelligence services.Training: Instruction to develop new skills.
210 questions
asked 2024-07-17T17:32:46.93+00:00
Gord B 0 Reputation points
edited the question 2024-07-17T17:45:22.4266667+00:00
Gord B 0 Reputation points
1 answer

Is there a way to query all table schemas to count how many columns every table in Sentinel has using KQL?

I am trying to return a list of tables that have more than a certain number of columns. getschema works, but it would be a painful task to run it for every table. The table name is also not maintained when you run getschema, so I tried to union all…

asked 2024-07-16T11:52:21.9533333+00:00
Andrew Ryan 0 Reputation points
commented 2024-07-17T10:19:32.63+00:00
Andrew Ryan 0 Reputation points
0 answers

Azure virtual desktop session alerts triggered by hostname changes

Our Azure virtual desktop keeps raising "pass the ticket" attack alerts when the hostname of our computers changes from <hostname> to <hostname>-<random number>. However, our security logs remain the same inside the SIEM,…

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,447 questions
asked 2024-07-16T04:55:47.8+00:00
Heath Smart Dylan 0 Reputation points
commented 2024-07-17T07:16:51.0433333+00:00
Prrudram-MSFT 22,976 Reputation points
0 answers

Scaling your CICD pipeline - Default parameter file is not being used

I am currently working on a CICD pipeline in combination with MS Sentinel content. I just got in touch with the repository and the process of handling parameter files. I am just asking myself why the default parameter file is not being used. All of my…

asked 2024-07-16T09:17:24.5566667+00:00
Wagner Nico 0 Reputation points
commented 2024-07-16T14:56:08.82+00:00
Givary-MSFT 30,596 Reputation points Microsoft Employee
2 answers One of the answers was accepted by the question author.

How to execute Microsoft Sentinel's backups and recovery

Hi, I'm starting in Microsoft Sentinel and have read a lot of documents, but I couldn't find anything about backup and recovery. Does anybody know something about this? Please give some advice. Thank you in advance. Best regards,

asked 2022-03-02T19:58:55.197+00:00
Nelba Sanchez 21 Reputation points
commented 2024-07-16T11:38:38.1433333+00:00
Ngo, Thanh 0 Reputation points
0 answers

Sentinel to Azure Firewall connection issues

I am having issues connecting Sentinel to Azure Firewall. I have established 9 other connections with no problem, but not to Azure Firewall from the Sentinel data connector. I have rebuilt the firewall several times, I confirmed the diagnostic log setting and…

asked 2024-07-09T18:44:56.13+00:00
Sapphire BLU 0 Reputation points
commented 2024-07-15T07:27:30.0733333+00:00
Givary-MSFT 30,596 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

How to retrieve output data after the deployment

Hello there, I am wondering if there's a straightforward method to retrieve the output results after a deployment is completed. By 'straightforward,' I mean configuring a specific API-link during the deployment to which the output data, along with its…

asked 2024-07-09T02:00:48.7+00:00
LXF 180 Reputation points
accepted 2024-07-15T05:58:10.1766667+00:00
LXF 180 Reputation points
3 answers

Export Logs from Log Analytics Workspace to Blob Storage

Hi all, I have a Log Analytics Workspace that is linked to Sentinel. I have a lot of logs that I need to export from the Workspace into Blob Storage. The logs date back 30 days and it is about 400GB, about 500 million logs. Please let me know what…

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,612 questions
asked 2024-07-11T12:37:19.9733333+00:00
Adriaan Boshoff 0 Reputation points
commented 2024-07-12T10:40:36.3+00:00
Adriaan Boshoff 0 Reputation points
2 answers One of the answers was accepted by the question author.

Azure Sentinel Log Screen KQL mode to start by default

Azure Sentinel changed the Log page GUI about a month ago. It added a default Simple Mode, which does not seem to allow entering a KQL query by typing. The KQL mode, which is much more practical, needs to be selected over and over on the right side of the screen.…

asked 2024-07-10T11:05:41.85+00:00
Jan Stodola 56 Reputation points
commented 2024-07-11T21:03:24.02+00:00
Jan Stodola 56 Reputation points
0 answers

Sentinel _BilledSize and estimate_data_size differences

Hey folks, could somebody tell me the relationship between the _BilledSize field in a log and the result of the estimate_data_size(*) KQL command? I do understand that the _BilledSize field contains the info of the size of the data I have to pay for…

asked 2024-07-07T14:02:15.47+00:00
Sándor Tőkési 181 Reputation points
commented 2024-07-11T09:16:11.9366667+00:00
Sándor Tőkési 181 Reputation points
1 answer

ActionConditionFailed The execution of template action 'Get_user' is skipped: there are no items to repeat.

asked 2024-07-03T20:49:14.5+00:00
A Amir Shaltami 0 Reputation points
edited the question 2024-07-11T07:14:02.17+00:00
VarunTha 5,735 Reputation points Microsoft Vendor
1 answer

Cannot enable MSD Threat Intelligence Data Connector

I have a cx that is getting the error below when attempting to enable Microsoft Defender Threat Intelligence data connector. He is using the (Preview) version. What could be causing this?

asked 2024-07-09T23:56:42.1833333+00:00
DG001 386 Reputation points Microsoft Employee
answered 2024-07-11T06:49:15.7833333+00:00
Givary-MSFT 30,596 Reputation points Microsoft Employee
1 answer

Segregating and Identifying Alerts in Sentinel Workspace

I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the…

asked 2024-07-03T04:32:08.67+00:00
Someiah C S 80 Reputation points
commented 2024-07-11T04:12:27.13+00:00
Givary-MSFT 30,596 Reputation points Microsoft Employee
1 answer

Sentinel free data sources

Hi, quoting from https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources "The following data sources are free with Microsoft Sentinel: Azure Activity Logs. Office 365 Audit Logs, including all…

asked 2022-09-13T13:01:19.587+00:00
AdamBudziski-8216 16 Reputation points
commented 2024-07-10T05:16:14.0833333+00:00
EnterpriseArchitect 5,116 Reputation points
0 answers

CloudWatch ASIM Parser

I have successfully connected AWS CloudWatch to Sentinel, and I am receiving events from multiple log groups. However, I am facing an issue with parsing the events, particularly with the 'Message' field that is in JSON format. Currently, the 'Message'…

asked 2024-01-16T09:26:19.8533333+00:00
LS 20 Reputation points
commented 2024-07-09T22:21:18.2633333+00:00
Brian Bye 0 Reputation points
1 answer

Sentinel as IaC with Terraform

Hi, Trying to instantiate Sentinel using Terraform. Should be straightforward, create a resource group (azurerm_resource_group), log analytics workspace (azurerm_log_analytics_workspace), onboarding Sentinel…

asked 2023-08-23T05:55:02.6333333+00:00
AdamBudzinskiAZA-0329 91 Reputation points
answered 2024-07-09T12:49:59.4766667+00:00
Eduardo Perez 0 Reputation points