Data connector buttons are grayed out saying No permissions
Cannot enable the Microsoft Defender XDR connector in Sentinel despite being logged in as owner of the tenant, subscription and resource group. My licence is Microsoft 365 Business Premium, which I see in the documentation is a Microsoft XDR eligible licence.
Why use Fortinet Connector instead of a Function App for registering an action group in the Fortinet-FortiGate playbook?
Hello, I am setting up the Fortinet-FortiGate playbook and noticed that for registering an action group in FortiGate, the playbook uses the Fortinet Connector instead of a Function App. Why was the Fortinet Connector chosen for this action instead of a…
Need help with solution to deploy sentinel in US region and China region
I want to deploy Sentinel in the US region and the China region. Is it possible to send logs using DCR rules from China to a workspace built in the US region, or do I need to build 2 workspaces separately and send logs from China to the US using Event Hub? In case I…
Problem with Microsoft Sentinel Connector
Hello, for testing I have deployed Sentinel 2 or 3 times and after that I deleted the workspace. Now I have recreated a new workspace and when I try to connect the connector I receive the following error: I have just tried to find if there are other diagnostic settings but…

Issues trying to connect to MITRE ATT&CK STIX 2.1 Feed from Sentinel Threat Intelligence
Hi, I am having issues while trying to connect to the MITRE ATT&CK STIX 2.1 Feed from within Sentinel's Threat Intelligence module. I have the 'Threat Intelligence - TAXII' data connector enabled (with another TAXII server…
This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.
Applied skills Name: Deploy containers by using Azure Kubernetes Service Issue: This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.

Azure Sentinel - Query help
Dear All, I need to write a query to hunt for OS Credential Dumping: NTDS (T1003.003). Kindly help if you have any information.
Need kql to query purview sensitive, not-encrypted, externally sent data
Hi there, I'm trying to understand if I can use kql to query the following about Purview events. Here's a 'hypothetical' kql query that works logically, but I'm struggling to create a Purview policy that matches this. I've created a 'sensitive' label,…


No access to DeviceTvmSoftwareVulnerabilities table in Sentinel?
There is an XDR analytic rule in Sentinel named "Execution of software vulnerable to webp buffer overflow of CVE-2023-4863". However, the KQL query used by this rule requires access to the DeviceTvmSoftwareVulnerabilities table. But according to…

Inbound connection identified as Outbound by Microsoft Sentinel
I have noticed that there are several outbound connections in the overview page. However, having analyzed the traffic, I realized that inbound traffic is labeled as outbound traffic. Note: I have removed the destination IPs as they are…

What is the size limit of rawContent of watchlist when bundled in solution package?
We are using watchlists to upload data via CSV files and using it in a workbook. As per the document, there is a size limit of 3.8MB when creating a watchlist using local CSV files. So, we have created CSV files of size 2.5MB, using which we are able to…
Cannot read data from Cloudflare in Azure Sentinel
I have already set up Logpush from Cloudflare to Azure Sentinel. It only shows the test log.

Microsoft Defender for identity auto disable user account.
Hello, recently we are experiencing a lot of user accounts being automatically disabled by Microsoft Defender for Identity when they authenticate to Exchange Online. Somehow, Defender thinks the users' accounts are being attacked, and just disables the users…
Connect data to Microsoft Sentinel using data connectors Salesforce
I need help integrating Salesforce and Wiz into my SIEM.
Microsoft public IP scanning my app services IP
We received an alert on Defender for Cloud stating "vulnerability scanner detected". While checking the owner of the IP, it's MICROSOFT-CORP-MSN-AS-BLOCK and it is scanning for WordPress related stuff on my Azure App Services. Is it some sort of internal…
Data Connector - Api Restriction
Dear Prisma Cloud Support Team, I am experiencing an issue with the integration between Microsoft Sentinel and Prisma Cloud using the Data Connector described in your documentation (Integrating Prisma Cloud with Azure Sentinel using the Data…
How to find out which of several authenticators was used in a sign-in?
We are using MFA with Microsoft Authenticator for user sign-ins to our tenant. Many of our users have registered more than one Microsoft Authenticator instance. Sometimes this is deliberate, in order to have a backup in case the primary smartphone is…

Microsoft Sentinel for SAP - API based collector agent - SAP in AWS
I have deployed Sentinel for SAP but the API based collector agent is showing an incomplete installation. I have followed all the instructions and logs are flowing into SAP. Is the API based collector agent needed for AWS installations?
Microsoft Sentinel: System Assigned Managed Identity can't find location
I'm trying to connect Azure Activity to Microsoft Sentinel. It requires creating a Managed Identity. When creating a System Assigned Managed Identity, a location is required but there's no location options to select. Any idea what could be causing this?…
How to send Windows logs from an on premises windows machine to Microsoft Sentinel?
Hi, I'm trying to set up Microsoft Sentinel, and I need to forward Windows logs from all of our machines. I'm experimenting with the configuration on a machine running Windows 11 Pro, then plan to copy the configuration across the rest of our machines.…