Sentinel as IaC with Terraform
Hi, Trying to instantiate Sentinel using Terraform. Should be straightforward, create a resource group (azurerm_resource_group), log analytics workspace (azurerm_log_analytics_workspace), onboarding Sentinel…
Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use?
Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use? 'Investigation priority score' feature and 'Investigation priority score increase policy' will be phased out in the coming weeks,…
Minimum hardware requirements for installation of AMA via ARC on Servers
Hello Community. Having a bit of a hard time trying to find the minimum hardware requirements for Windows and Linux Servers for the installation of AMA via ARC. I'm looking for something similar that I found with MDE like this. MDE Minimum…
Sentinel free data sources
Hi, quoting from https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources "The following data sources are free with Microsoft Sentinel: Azure Activity Logs. Office 365 Audit Logs, including all…
Segregating and Identifying Alerts in Sentinel Workspace
I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the…
Ingesting Cisco ASA logs into Sentinel using the AMA agent
Hi there, We are looking to onboard Cisco ASA logs into Microsoft Sentinel. Currently the Cisco ASA integration guide (linked below) on Microsoft Docs is referencing using the old MMA agent to get these logs onboarded. As this agent is being deprecated…
Sentinel _BilledSize and estimate_data_size differences
hey folks, could somebody tell me the relationship between the _BilledSize field in a log and the result of the estimate_data_size(*) KQL command? I do understand that the _BilledSize field contains the info of the size of the data I have to pay for…
DataConnector connectorUI attributes - sampleQueries
hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…
Regarding Non-Accounts Being Added to Security-Enabled Local, Global and Universal Groups
Hello Team, Greetings!! During our monitoring activities in Sentinel, we have observed that some non-accounts have been added to security-enabled local, global, and universal groups. Could you please provide insight into why this activity is being…
Find creation date of custom analytical rule created in Sentinel
Hi all, I am aiming to find the number of new analytical rules created per month (including custom as well as from github deployed), as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. How…
How to disconnect Azure Sentinel data connectors?
In Sentinel I can't find an option to disconnect the data connectors, and there are no documents available for the same. So what are the methods to disconnect a data connector inside Sentinel for both native and non-native products? When I…
Stop Creating Incidents in Sentinel For every Alert generated by Custom detection rule in defender for endpoint
Hi Team, I have created a custom rule in Defender with a KQL query to get the details about devices & owners of vulnerable machines. So the results have more than 1500 rows, and it's generating that many alerts in Defender. And the same events are getting…
API Version Discrepancies for 'Data Connector Definitions' in Sentinel
Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…
How connectivityCriteria works in Sentinel
Regarding the below sample JSON code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel. 1) Specifically, what happens when the KQL query within returns a positive result? 2) And suppose our server hasn't…
Analytic rules in Sentinel Solutions
I am going to provide analytic rules in Sentinel's Solutions. I've observed that all the solutions by other companies available on the Microsoft Sentinel GitHub contain a .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that…
Preparing Sentinel Content and ARM Template Files
I am preparing Sentinel content (a dataConnector) as outlined in the steps (from "\sentinel_with_ContentHub\Azure-Sentinel\Solutions\readme.md") shown in the below picture. Could you please confirm my understanding? Thank you in advance! In…
logo size for Sentinel Content Preparation
Hello, I am preparing the Sentinel content according to the following steps from GitHub; my question is whether there's a requirement about the size of the logo? Thanks.
Data Connector Types in Azure Sentinel
Hello Community, We've noted that there are various types of "Microsoft.SecurityInsights/dataConnectors," such as "RestApiPoller" and "GenericUI." Our case is that our service is hosted on other clouds, and we aim to…
Custom Data Connector into Sentinel Content-Hub
Hello Microsoft Community, We are planning to build & integrate our custom data connector into the Sentinel Content-Hub to enable data analysis services for our customers who are interested in Azure Sentinel. And our data, which is unique and…
How Do I Configure JSON Items for Different Types of Data Connectors?
Hello, I'm wondering if there're any wiki pages that give explanation and how to properly configure the data connectors. Thank you! I've been exploring the variety of data connectors available in Azure, such as GenericUI, APIPolling, and others, through…