Microsoft Sentinel Integration with syslog server
I have been trying to connect a solution to a syslog server and then to Sentinel. SOC solution --> Syslog Server --> Microsoft Sentinel I have been getting the logs in the syslog server on port 6515 from the SOC solution (log format RFC 5424), I…


IIS log ingestion using AMA Agents for multiple IIS sites
I have installed an AMA agent on an internal IIS server via Azure ARC in an attempt to ingest logs into Microsoft Sentinel. The ingestion works for a single site, but we have multiple sites on the single IIS server, and the data source only allows…


How to disable a playbook from running during weekends?
Hello, I have some simple playbooks which have the following flow: Run every 30 mins -> run the query and list results -> if count is 0, send a message in a Teams channel. Thing is, we often get 0 during the weekends. How to disable this playbook from…


Codeless Connector Platform Session authType
Good Day! I would like to ask if there is some way to handle the parameters for Session type authentication in CCP Sentinel. "instructionSteps": [ { "title":…


Include only office hours in KQL query
Hello, I'm working on a playbook to report on zero events from CAPAMAuditLog. The query below looks in the CAPAMAuditLog table and provides the count of events for the last 2 hours excluding Saturday and Sunday. I also want to include only office…
Cannot enable Azure Active Directory connector in Sentinel
Folks, We have an Azure AD P1 plan. We're doing the 30-day trial to evaluate Microsoft Sentinel. When I try to enable the data connector, for example selecting "Sign-in Logs", I get the error "Failed to apply the changes" when I click…


When is the S3 connector method going to be GA?
We are planning to connect our AWS environment to Azure Sentinel. It is currently listed as in preview. Is there a way to know when it will become GA?


How to Integrate Threat Intelligence IOCs into Sentinel SIEM via Third-Party API
The current Sentinel user guide (https://learn.microsoft.com/en-us/azure/sentinel/) details how to integrate threat intelligence IOCs into Sentinel via 1) TAXII feed and 2) threat intelligence platform. I am trying to ingest IOCs into Sentinel via a…


I'm new to Sentinel and I would like to know how to run a KQL query to list all the devices that have been connected to my Sentinel instance
We had a third-party provider perform the basic setup of our Sentinel instance. Can someone step me through how to run a KQL query (including the query syntax) to retrieve a list of hosts (Windows VMs, external Microsoft hosts and Linux hosts that…


Exclude weekends from KQL query
Hello, I have a simple query below looking for the total number of events in Sentinel for CAPAM for the last 30 mins. I'm setting up a playbook to report if that number reaches 0. However, since CAPAM is an IAM technology, it often reaches 0 during the…
Declare and reuse table in Log Analytics workbook
I am working on a large workbook that includes the same query with minor tweaks for each statistic and several large queries that look back over one to four months of data and I'm trying to improve its efficiency. Is there a way I can either: Query…


How can I run a PowerShell script from a logic app for automation in Sentinel?
I want to run a shell script from the logic app. However, there is no connector for it.


How to add data into properties.additionalData inside a Threat Intelligence Indicator?
I have created a Threat Intelligence Indicator in Microsoft Sentinel using this REST API ["https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator/create-indicator?tabs=HTTP"] and indicator was created…


question about security threats
How does Microsoft classify security threats to its software?


Suspicious logins to Azure CLI with Python request User Agent
Hi! We regularly have this kind of login in our environment (large, mostly students), both successful and failed logins. Details from Defender for Cloud: "ApplicationId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", …


How do I update Sentinel NRT analytical rules?
My Sentinel analytical NRT-type rule, "NRT Creation of expensive computes in Azure", shows an update is available. With scheduled rule types the Update button is visible, but not with NRT. How do I update NRT analytical rules? Please and thanks.


Asset Inventory analysis KQL query in MS Sentinel
What can be the query to make a workbook in MS Sentinel to visualize asset inventory?


Ingest IIS logfiles into Log Analytics Workspace for use by Sentinel
We have some apps running on Azure with App Service Logs turned on. These logs are streamed to a storage account as IIS log files in W3C format. Now we would like to analyze these logs with Azure Sentinel. I'm new to Azure Sentinel, but if I understood it…


Sentinel bicep deployment : InvalidParameter - Solution product cannot start with 'OMSGallery/' as it is reserved for Microsoft first party solutions.
Hello, I am learning how to script and I wish to deploy Sentinel with Bicep. I have created a script from Microsoft templates and have added variables as well as a jsonc parameters file. I use VS Code with the Bicep extension in order to "easily"…


Log Analytics: Subscribe to changes in API and Table
Hi, I'm developing a solution based on a) the Log Analytics Query API [https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP] and b) the SecurityIncident table…

