Configuration problem with Sentinel connector for Cisco Umbrella
In attempting to deploy the Microsoft Sentinel connector Cisco Umbrella (using Azure Functions) and following what appears to be an incomplete explanation at https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-umbrella which does seem…
Lighthouse Offer - I cannot add System Managed Identities to my customers Logic Apps
I have my roles delegated, I am in the correct AD groups on my tenant. However, when I got into a Logic App, and try to assign a System Assigned Managed Identity, I keep on getting the following error message: Failed to add Resource as Microsoft…
Unable to create sentinel lab solution from marketplace
Hello, Unable to create sentinel lab solution from marketplace. It keeps saying terminal provisioning failure,
Verification Failed when trying to deploy custom Sentinel template on Azure
Hello, I am having an issue deploying my custom Sentinel template in which I can't get validated because I don't have the write permissions for 'microsoft.aadiam/diagnosticSettings/write' at scope…
Incidents in Microsoft Sentinel Auto-Closing Without Automation Rules
I'm currently using Microsoft Sentinel and noticing that some incidents are automatically closing themselves, sometimes with the reason "resolved at source" or no comment at all. I've checked for any automation rules or playbooks that might be…
Azure Windows VM login related logs not getting ingested in MS SENTINEL logs
Azure Windows VM login related logs not getting ingested in MS SENTINEL logs. I have created a VM (Windows 10) and am trying to do successful and failed login attempts, but I am unable to see the related…
Can't Import Sentinel Alert Rules
Good morning, I am having difficulty importing Sentinel rules after I deleted old ones. I deleted the old rules on Friday 9/27 9am EST and am getting the error the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…
Workspace is created but not available as drop down in VMware ESXi
While creating VMware ESXi there is a step to create "workspace". We have created a workspace successfully by assigning Region and Resource group, etc. We can see the workspace listed as well. But while creating VMware ESXi - under workspace…
Restricting GCP Workload Identity Authentication to Specific Azure Sentinel Data Connectors
I have to ingest GCP audit logs to the Azure Sentinel Pub/Sub audit log connector, and authentication should be done using GCP workload identity. I have created the setup and it's working fine. In this setup, while setting up provider issuer and one of the allowed…
How to connect the Microsoft Defender XDR event logs using the API?
I'm currently working on a project to fully automate the deployment of a Microsoft Sentinel workspace. I already developed a working PowerShell script that uses the Microsoft.SecurityInsights API to install solutions from the content hub and enable the…
While setting up Microsoft Azure Sentinel, data connector not showing green for "Azure Activity" setup
Hello Team, I am trying to begin my hands on learning on Azure Sentinel, and while progressing with that I am facing an issue where I have done below and I am unable to proceed further because I am unable to see the green color for Data Connector…
Error Logs Ingestion API into Sentinel
Logs ingestion API implementation no data is being ingested in Sentinel from the 3rd party Rest client. I enabled the DCR logs today the message being returned is 'Could not validate token because: InvalidAudience'.
Send Sentinel Incidents to Teams Channel
I tried using the adaptive card solution to send Sentinel incidents to a standard Teams channel, but that did not meet our needs and had these shortcomings: Dependent on a Teams user / service account. Upon using the adaptive card response options,…
A logic app Get-VirusTotalIPReport is not working
I am trying to automate IP enrichment using the Virus Total API. I have set up a logic app and tied it to a respective analytical rule but I am getting the following error. This is a test instance and we have only few resources running on it.
What are the required fields for the analytics rule arm template?
Referring to this guide, https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide I can't find any official documentation on the required fields for the .yaml files? We want to implement pre-commit checks that ensure the templates entering the…
We are having problems with a Playbook that performs an automation for Sentinel
We are having problems with a Playbook that performs an automation for Sentinel: Objective: Add one or more IPs from the incident to a named location Problem: - In one of the HTTP GET steps, Logic Apps reports the error "required scopes are…
Better to have separate workspace for Azure Monitor and Sentinel?
Hello. My organization has a log analytics workspace, and we currently have all of the data collected into one workspace. I'm wondering if we would gain any cost advantage by having a dedicated workspace for Azure monitor and the other for Sentinel. …
To find the number of virtual machines reporting in Azure Sentinel,
Hi, we have thousands of VMs in our environment and we need a report of how many Virtual Machines are reporting to Sentinel. Is there any Kusto query or Azure Resource Graph query to find out the number of VMs that are reporting to Sentinel?
W365 CloudPC Monitoring with AMA and Sentinel
Hi Team, I have a question on W365 Enterprise CloudPC monitoring: the customer wants to send all the W365 logs to Sentinel, including Windows event logs and security logs. Is this possible? I did not see any documentation in this regard. If it is possible how…
Sending incident from Sentinel to Teams
Hi, I'm struggling with some very simple automation where Sentinel incidents should be forwarded to a Teams channel. In SOAR Essentials there are two solutions for this: Post Message to Teams and Send Adaptive Card. The first is simpler, it uses Microsoft…