Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…
Syslog through AMA (CEF) Connector
Hi, Follwing up on my last question: https://learn.microsoft.com/en-us/answers/questions/1690671/syslog-through-ama-connector-not-showing-in-the-co I have now installed Arc, and the machine is showing up on Azure Arc. The AMA is installed and is…
API Version Discrepancies for 'Data Connector Definitions' in Sentinel
Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…
How to audit the creator of an Enterprise Application in Azure
Hy I'm trying to get the creator of an "Enterprise Application", as soon as someone is creating one by query below. AuditLogs | where Category =~ "ApplicationManagement" | where OperationName =~ "Add application" | mv-expand…
Custom detection rule
We see that 90% of the SPAM geared toward students comes from fake Gmail accounts. In Advanced Hunting I created a KQL query to find any Gmail account that sent more than 40 emails from the same account I saved it as a Custom Detection Rule. …
Migrating Sentinel DNS event connector from legacy agent to AMA
Hi I am in the process of migrating the Sentinel Windows security and DNS data connectors from the legacy agent to AMA. We use the DNS audit log 519 events to resolve device names from ip addresses where the device name is not returned in a lookup query.…
Analytic rules in Sentinel Solutions
I am going to provide analytic rules in Sentinel's Solutions. I've observed that All the solutions by other companies available on Microsoft Sentinel Github contains .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that…
How connectivityCriteria works in Sentinel
Regarding the below sample json-code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel. 1/Specifically, what happens when the KQL query within returns a positive result? 2/And suppose our server hasn't…
DataConnector connectorUI attributes - sampleQueries
hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…
how Azure ARM templates process placeholders please?
Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the codes (from Sentinel Solution folder @ github)…
I and others in my organization are members of "Microsoft Sentinel Contributor" but sometimes we cannot close Sentinel Incidents
I and others in my organization are members of "Microsoft Sentinel Contributor" We can usually close the incidents but sometimes we cannot close them. I have verified my role assignments and since I have the role of "Microsoft Sentinel…
How to not duplicate data when updating Sentinel data connector
We implemented the Sentinel data connector using the Azure function app. We have an issue now, when we need to make any updates to the data connector and make a deployment, the customer needs to create a new workspace to avoid data duplication. Is there…
How to find the creation date of each analytical rule on Sentinel
Hi all, I am aiming to find the number of new analytical rules created per month, as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. To achieve this, I am considering REST calls against…
Sentinel Active Rules
I would like to see the datas about my active rules, for example, I would like to see the Created Date about my rules. I can see only the column "last modified". Can I see this informations using KQL? Obs: I only use the table Security…
Preparing Sentinel Content and ARM Template Files
I am preparing Sentinel content (a dataConector) as outlined in the steps (from "\sentinel_with_ContentHub\Azure-Sentinel\Solutions\readme.md")shown in the below picture. Could you please confirm my understanding? Thank you in advance! In…
Finding classic automation in Sentinel analytics
I have the ability to search through ARM templates for the Sentinel analytics and I'm hoping to find a way to detect the use of classic alert automation. Does anyone know what i should be searching for in the ARM template? We have not used this method,…
Not allowing to connect Sentinel Data connector with Defender XDR
Hello, I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing to establish the XDR connector. As I am the Owner of the…
Syslog through AMA connector not showing in the content hub list.
Hi, Trying to set up a syslog ingestion into Sentinel for testing. The setup consists of AMA on a on-prem syslog server. The legacy agent is soon not supported, and the requirement of AMA on-prem is according to Microsoft guides to have the following…
Isolate Machine -playbook in Sentinel
Hi, we are trying to create isolate machine Sentinel incident playbook but we only get error message 404 resource not found when running it. Is it possible to use that playbook if machine accounts are synced from on-premise ad or does it need something…
Data Connector Types in Azure Sentinel
Hello Community, We've noted that there are various types of "Microsoft.SecurityInsights/dataConnectors," such as "RestApiPoller" and "GenericUI." Our case is that our service is hosted on other clouds, and we aim to…