Segregating and Identifying Alerts in Sentinel Workspace
I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the…
![](https://techprofile.blob.core.windows.net/images/aXuH7oYyEEiHuDJT798imw.png?8D9A0B)
Regarding None Accounts Adding to Security Enabled Local, Global and Universal Groups
Hello Team, Greetings!! During our monitoring activities in Sentinel, we have observed that some non-accounts have been added to security-enabled local, global, and universal groups. Could you please provide insight into why this activity is being…
Find creation date of custom analytical rule created in Sentinel
Hi all, I am aiming to find the number of new analytical rules created per month (including custom as well as from github deployed), as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. How…
How to disconnect Azure Sentinel data connectors?
In Sentinel I cant able to find an option to disconnect the data connectors . And there are no documents available for the same. So what are the methods to disconnect a data connector inside sentinel for both native and non native products. When I…
Stop Creating Incidents in Sentinel For every Alert generated by Custom detection rule in defender for endpoint
Hi Team, I have created a custom rule in Defender with KQL query to get the details about Device & owners of Vulnerable machines. So results are having rows more than 1500, and its generating that many alerts in defender. And same events are getting…
API Version Discrepancies for 'Data Connector Definitions' in Sentinel
Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…
How connectivityCriteria works in Sentinel
Regarding the below sample json-code, I am trying to understand how the connectivityCriteria/IsConnectedQuery functions in Azure Sentinel. 1/Specifically, what happens when the KQL query within returns a positive result? 2/And suppose our server hasn't…
how Azure ARM templates process placeholders please?
Could you explain how Azure ARM templates process placeholders and variables during deployment, especially comparing the '[variables]' syntax with templating mechanisms like {{variables}}? I see some of the codes (from Sentinel Solution folder @ github)…
Analytic rules in Sentinel Solutions
I am going to provide analytic rules in Sentinel's Solutions. I've observed that All the solutions by other companies available on Microsoft Sentinel Github contains .yaml file for analytic rules, but Azure's wiki/documentation does not mandate that…
Preparing Sentinel Content and ARM Template Files
I am preparing Sentinel content (a dataConector) as outlined in the steps (from "\sentinel_with_ContentHub\Azure-Sentinel\Solutions\readme.md")shown in the below picture. Could you please confirm my understanding? Thank you in advance! In…
logo size for Sentinel Content Preparation
Hello, I am preparing the Sentinel content according to the following steps from github, my question is if there's requirement about the size of the logo? Thanks.
Data Connector Types in Azure Sentinel
Hello Community, We've noted that there are various types of "Microsoft.SecurityInsights/dataConnectors," such as "RestApiPoller" and "GenericUI." Our case is that our service is hosted on other clouds, and we aim to…
Custom Data Connector into Sentinel Content-Hub
Hello Microsoft Community, We are planning to build & integrate our custom data connector into the Sentinel Content-Hub to enable data analysis services for our customers who are interested in Azure Sentinel. And our data, which is unique and…
How Do I Configure JSON Items for Different Types of Data Connectors?
Hello, I'm wondering if there're any wiki pages that give explanation and how to properly configure the data connectors. Thank you! I've been exploring the variety of data connectors available in Azure, such as GenericUI, APIPolling, and others, through…
Azure Activity Log Data Connector Configuration
Hi, Recently, I onboarded Azure activity by following the instructions on the data connector page and completed the configuration successfully. This process involved creating a policy to send the logs to the log analytics workspace. During the setup, I…
![](https://techprofile.blob.core.windows.net/images/3b270b575c094eeca63e9bc66c861c5a.png)
Failed to save analytics rule query.
I can create any active analytics rule query in Microsoft Sentinel. While trying to create a new one a error occurs: "Failed to save the analytics rule query. Log Analytics workspace 'xxx' could not be found." It started when the previous…
Sentinel - Teams Playbook
Hi, I'm working on setting up a simple playbook to receive notifications for new incidents created in Sentinel, with an option to assign the incident. I've created an adaptive card (see below) and set up the playbook based on the instructions in a blog…
![](https://techprofile.blob.core.windows.net/images/3b270b575c094eeca63e9bc66c861c5a.png)
Microsoft sentinel - Data connector shows disconnected after installing
We recently activated Sentinel to give it a trial run. I set up a separate workspace for Sentinel and installed some data connectors. However, the WAF is still showing as disconnected even after installing and configuring it. We've only got WAF, not…
![](https://techprofile.blob.core.windows.net/images/3b270b575c094eeca63e9bc66c861c5a.png)
Trying to add Microsoft Sentinel to a Log Analytics Workspace in Azure but keep getting error "The gateway did not receive a response from 'Microsoft.SecurityInsights' within the specified time period"
I am trying to add Microsoft Sentinel to a Log Analytics Workspace connected to a Virtual Machine in the Azure portal but keep getting the error "The gateway did not receive a response from 'Microsoft.SecurityInsights' within the specified time…
Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…