1,150 questions with Microsoft Sentinel tags

1 answer

Verification Failed when trying to deploy custom Sentinel template on Azure

Hello, I am having an issue deploying my custom Sentinel template in which I can't get validated because I don't have the write permissions for 'microsoft.aadiam/diagnosticSettings/write' at scope…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,150 questions
asked 2024-10-17T22:08:47.4633333+00:00
Aviv Yaaran 0 Reputation points
commented 2024-11-01T04:54:19.54+00:00
Givary-MSFT 32,986 Reputation points Microsoft Employee
1 answer

Do AMA Collectors Require Static IP Addresses?

When deploying multiple AMA agents, do the IP addresses need to be static for each agent, or can they be dynamic/shared?

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,306 questions
Microsoft Sentinel
asked 2024-10-31T13:38:58.65+00:00
Kyle 0 Reputation points
edited the question 2024-10-31T21:38:01.5233333+00:00
VarunTha 9,105 Reputation points Microsoft Vendor
0 answers

How to configure a new DCR to ingest to an existing Custom Log table?

Hi All, I am currently migrating existing syslog logfeeds running over Logstash pipelines with the "microsoft-logstash-output-azure-loganalytics" output module to Logstash pipelines with the…

Azure Monitor
Microsoft Sentinel
asked 2024-10-31T13:04:33.53+00:00
Callens Nico 0 Reputation points
edited the question 2024-10-31T21:28:07.83+00:00
VarunTha 9,105 Reputation points Microsoft Vendor
1 answer

How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?

I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the…

Microsoft Sentinel
asked 2024-10-29T05:26:13.2566667+00:00
mara7 166 Reputation points
answered 2024-10-31T10:12:02.7533333+00:00
Clive Watson 6,436 Reputation points MVP
1 answer

Which table should I use to pull log ingestion numbers for Computers?

Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist and then get the log ingestion…

Microsoft Sentinel
asked 2024-09-09T20:19:33.94+00:00
Matthew Agosta 0 Reputation points
commented 2024-10-31T02:44:15.3933333+00:00
James Hamil 24,921 Reputation points Microsoft Employee
1 answer

Is there a way to Query all Table Schemas to count How many Columns every Table in Sentinel has using KQL

I am trying to return a list of tables that have more than a certain number of columns. getschema works, but it would be a painful task to run it for every table. The table name is also not maintained when you run getschema, so I tried to union all…

Microsoft Sentinel
asked 2024-07-16T11:52:21.9533333+00:00
Andrew Ryan 0 Reputation points
commented 2024-10-30T23:56:38.5866667+00:00
James Hamil 24,921 Reputation points Microsoft Employee
0 answers

How to retrieve a DCR Immutable Id from createUiDefinition

Hi Community, I am testing UX for Sentinel Solution on https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade I am wondering after obtaining the Resource Group, workspace, and Data Collection Rule, I would like to further retrieve the…

Azure Monitor
Microsoft Sentinel
asked 2024-10-29T08:17:55.2266667+00:00
LXF 205 Reputation points
commented 2024-10-29T12:59:52.8266667+00:00
Andrew Blumhardt 9,861 Reputation points Microsoft Employee
0 answers

Change path on Linux for Azure AMA and CEF Collectors

I'm setting up Azure Monitoring Agents on Linux with CEF Collector. I would like to change the cache directories to a separate drive. Can anyone point me to where these paths are configured?

Azure Monitor
Microsoft Sentinel
asked 2024-09-20T12:23:12.28+00:00
Jody Spoor 0 Reputation points
commented 2024-10-29T11:53:12.26+00:00
Pauline Mbabu 480 Reputation points Microsoft Employee
3 answers

Azure Windows VM login related logs not getting ingested in MS SENTINEL logs

Azure Windows VM login-related logs are not getting ingested in MS SENTINEL logs. I have created a VM (Windows 10) and am trying to do successful and failed login attempts, but I am unable to see the related…

Microsoft Sentinel
asked 2024-10-12T13:22:13.5766667+00:00
Manish Aggarwal 0 Reputation points
answered 2024-10-29T07:24:52.8466667+00:00
Raja Pothuraju 7,135 Reputation points Microsoft Vendor
2 answers

Unable to create sentinel lab solution from marketplace

Hello, Unable to create sentinel lab solution from marketplace. It keeps saying terminal provisioning failure,

Microsoft Sentinel
asked 2024-10-18T05:43:05.76+00:00
SantoshHaribabu-3135 41 Reputation points
commented 2024-10-29T04:52:51.16+00:00
Givary-MSFT 32,986 Reputation points Microsoft Employee
1 answer

Can't Import Sentinel Alert Rules

Good morning, I am having difficulty importing Sentinel rules after I deleted old ones. I deleted the old rules on Friday 9/27 at 9am EST and am getting the error "the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…

Microsoft Sentinel
asked 2024-09-30T13:22:40.92+00:00
Eugene Golovanyuk 35 Reputation points
answered 2024-10-28T19:37:34.56+00:00
Eugene Golovanyuk 35 Reputation points
1 answer

Incidents in Microsoft Sentinel Auto-Closing Without Automation Rules

I'm currently using Microsoft Sentinel and noticing that some incidents are automatically closing themselves, sometimes with the reason "resolved at source" or no comment at all. I've checked for any automation rules or playbooks that might be…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,402 questions
Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,068 questions
asked 2024-10-17T14:15:27.48+00:00
Hyago Santana Mariano 0 Reputation points
answered 2024-10-28T18:59:02.4033333+00:00
Raja Pothuraju 7,135 Reputation points Microsoft Vendor
2 answers

Error Logs Ingestion API into Sentinel

Logs Ingestion API implementation: no data is being ingested in Sentinel from the 3rd-party REST client. I enabled the DCR logs today; the message being returned is 'Could not validate token because: InvalidAudience'.

Microsoft Sentinel
asked 2024-10-04T02:19:57.6166667+00:00
Conrad, Steve 0 Reputation points
commented 2024-10-28T14:48:43.1133333+00:00
Conrad, Steve 0 Reputation points
3 answers (one accepted by the question author)

Configuration problem with Sentinel connector for Cisco Umbrella

In attempting to deploy the Microsoft Sentinel connector Cisco Umbrella (using Azure Functions) and following what appears to be an incomplete explanation at https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-umbrella which does seem…

Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,072 questions
Microsoft Sentinel
asked 2024-10-19T07:22:43.27+00:00
Geoffrey Day 20 Reputation points
commented 2024-10-25T06:19:56.6533333+00:00
Geoffrey Day 20 Reputation points
1 answer

Codeless connector for Nozomi Vantage in Microsoft Sentinel

Kindly let us know if there is any Codeless connector for Nozomi Vantage in Microsoft Sentinel for integrating Nozomi logs into Microsoft Sentinel.

Microsoft Sentinel
asked 2024-09-10T08:14:42.2566667+00:00
ADM_Rashmi Vijayakumar 0 Reputation points
edited a comment 2024-10-23T10:51:16.5+00:00
ADM_Rashmi Vijayakumar 0 Reputation points
2 answers

IIS log ingestion using AMA Agents for multiple IIS sites

I have installed an AMA agent on an internal IIS server via Azure ARC in an attempt to ingest logs into Microsoft Sentinel. The ingestion works for a single site, but we have multiple sites on the single IIS server, and the data source only allows…

Azure Monitor
Internet Information Services
Microsoft Sentinel
asked 2023-01-27T00:19:02.34+00:00
AdamBaumgartner-4096 0 Reputation points
answered 2024-10-22T22:38:31.7666667+00:00
Richard 25 Reputation points
1 answer

While setting up Microsoft Azure Sentinel, data connector not showing green for "Azure Activity" setup

Hello Team, I am trying to begin my hands-on learning on Azure Sentinel, and while progressing with that I am facing an issue: I have done the below and am unable to proceed further because I am unable to see the green color for the Data Connector…

Microsoft Sentinel
asked 2024-10-11T16:44:15.28+00:00
Manish Aggarwal 0 Reputation points
edited an answer 2024-10-22T21:22:15.1033333+00:00
James Hamil 24,921 Reputation points Microsoft Employee
0 answers

Lighthouse Offer - I cannot add System Managed Identities to my customers Logic Apps

I have my roles delegated, and I am in the correct AD groups on my tenant. However, when I go into a Logic App and try to assign a System Assigned Managed Identity, I keep getting the following error message: Failed to add Resource as Microsoft…

Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
78 questions
Microsoft Sentinel
asked 2024-10-18T09:48:45.4133333+00:00
cc007 0 Reputation points
2 answers (one accepted by the question author)

Workspace is created but not available as drop down in VMware ESXi

While creating VMware ESXi there is a step to create a "workspace". We have created a workspace successfully by assigning Region and Resource group, etc., and we can see the workspace listed as well. But while creating VMware ESXi, under workspace…

Microsoft Sentinel
asked 2023-05-22T10:20:42.64+00:00
Siddharth Bhonde 20 Reputation points
answered 2024-10-14T18:43:31.89+00:00
Andrew Westhoff (MINDTREE LIMITED) 0 Reputation points Microsoft Vendor
1 answer

Restricting GCP Workload Identity Authentication to Specific Azure Sentinel Data Connectors

I have to ingest GCP audit logs into the Azure Sentinel Pub/Sub audit log connector, and authentication should be done using GCP Workload Identity. I have created the setup and it's working fine. In this setup, while setting up the provider issuer and one of the allowed…

Microsoft Sentinel
asked 2024-10-07T10:47:26.8966667+00:00
sheetal soni 0 Reputation points
commented 2024-10-14T11:53:23.3133333+00:00
sheetal soni 0 Reputation points