AMA+DCR for Syslog & CEF logs. CEF logs in CommonSecurityLog not parsing .
Referring to this article: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog I trying to solution the following scenario: Using a single Linux log collector to forward both Syslog and CEF events to your Microsoft Sentinel workspaces…
Shannon Entropy evaluation for domains?
Hi, I've found the Entropy calculation for processes running on a device and I've noticed the previously posted questions similar to what I'm asking a few years ago but couldn't find a definitive answer. Just wondering if there is a way of calculating…
How to agentlessly upload logs to a default table in a log analytics workspace?
I have built a system that creates a log analytics workspace and uploads logs to a custom table by following these Microsoft tutorials: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-api?tabs=dcr …
Set total retention period for one or more tables
Hi, I am trying to set the total retention time for one or more log tables using the command az monitor log-analytics workspace table update --subscription <subscription id> --resource-group sentinel --workspace-name <name> --name…
Syslog through AMA connector not showing in the content hub list.
Hi, Trying to set up a syslog ingestion into Sentinel for testing. The setup consists of AMA on a on-prem syslog server. The legacy agent is soon not supported, and the requirement of AMA on-prem is according to Microsoft guides to have the following…
![](https://techprofile.blob.core.windows.net/images/aXuH7oYyEEiHuDJT798imw.png?8D9A0B)
Azure Monitor Agent Fluent Bit CVE-2024-4323.
Hello, two questions about Azure Monitor Agent Fluent Bit exe in regards to CVE-2024-4323. AMA agent installation is using fluent-bit.exe in version 2.0.9 (location C:\Program Files\Azure Monitor Agent\Monitoring\Agent\fluent-bit.exe) I would like…
![](https://techprofile.blob.core.windows.net/images/VfQFAmOikEWfBHko2XlWTA.png?8D7F33)
I and others in my organization are members of "Microsoft Sentinel Contributor" but sometimes we cannot close Sentinel Incidents
I and others in my organization are members of "Microsoft Sentinel Contributor" We can usually close the incidents but sometimes we cannot close them. I have verified my role assignments and since I have the role of "Microsoft Sentinel…
Migrating Sentinel DNS event connector from legacy agent to AMA
Hi I am in the process of migrating the Sentinel Windows security and DNS data connectors from the legacy agent to AMA. We use the DNS audit log 519 events to resolve device names from ip addresses where the device name is not returned in a lookup query.…
How to audit the creator of an Enterprise Application in Azure
Hy I'm trying to get the creator of an "Enterprise Application", as soon as someone is creating one by query below. AuditLogs | where Category =~ "ApplicationManagement" | where OperationName =~ "Add application" | mv-expand…
Custom detection rule
We see that 90% of the SPAM geared toward students comes from fake Gmail accounts. In Advanced Hunting I created a KQL query to find any Gmail account that sent more than 40 emails from the same account I saved it as a Custom Detection Rule. …
how Azure ARM templates process placeholders please?
Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the codes (from Sentinel Solution folder @ github)…
![](https://techprofile.blob.core.windows.net/images/7EQ5-HY98kGi4i9V9wyPSg.png?8DAAFF)
How to find the creation date of each analytical rule on Sentinel
Hi all, I am aiming to find the number of new analytical rules created per month, as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. To achieve this, I am considering REST calls against…
Sentinel Active Rules
I would like to see the datas about my active rules, for example, I would like to see the Created Date about my rules. I can see only the column "last modified". Can I see this informations using KQL? Obs: I only use the table Security…
Finding classic automation in Sentinel analytics
I have the ability to search through ARM templates for the Sentinel analytics and I'm hoping to find a way to detect the use of classic alert automation. Does anyone know what i should be searching for in the ARM template? We have not used this method,…
![](https://techprofile.blob.core.windows.net/images/SbBXW6wumkK4XgZSyURk4A.png?8D926C)
Not allowing to connect Sentinel Data connector with Defender XDR
Hello, I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing to establish the XDR connector. As I am the Owner of the…
![](https://techprofile.blob.core.windows.net/images/SbBXW6wumkK4XgZSyURk4A.png?8D926C)
Isolate Machine -playbook in Sentinel
Hi, we are trying to create isolate machine Sentinel incident playbook but we only get error message 404 resource not found when running it. Is it possible to use that playbook if machine accounts are synced from on-premise ad or does it need something…
The request type when fetching to S3
Hi all, I would like to connect S3 and microsoft sentinel. I have a question. ・I think you fetch files from microsoft sentinel to S3, is the request type GET? The following is the page to which we…
Moving Sentinel to a different management group
Hey folks, I know that moving Sentinel from one subscription to a different one is not supported and can break things. Could somebody tell me, whether moving a whole subscription that contains a Sentinel instance from one management group to another…
Sentinel - Sophos Endpoint Protection (using REST API) (Preview) - Fails due to trying to create a table with a hyphen!
When trying to configure and deploy the new Sophos API connector for Sentinel it fails. Looks like it's trying to create a new table called Custom-SophosEPAlerts_CL but tables cannot contain hyphens so needs changing to CustomSophosEPAlerts_CL…
![](https://techprofile.blob.core.windows.net/images/aXuH7oYyEEiHuDJT798imw.png?8D9A0B)
Threat Intelligence Sharing
Hi all, Is it possible to use threat intelligence from a third party solution with Microsoft sentinel? And if possible, how would you connect them? Custom connectors? regard,