Microsoft Q&A

Microsoft Sentinel

704 questions

A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

704 questions with Microsoft Sentinel tags

0 answers

Impact on Azure Sentinel for SOC service after customer migrates subscription from CSP to MCA

Hi, I want to understand the impact on SOC services in Azure Sentinel after a customer migrates from a CSP to an MCA subscription, in terms of subscription, resource group, Log Analytics workspace, and log ingestion to Sentinel, since we have existing…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,073 questions
Microsoft Sentinel
asked 2023-05-29T04:43:55.1133333+00:00
Parshuram Tularam Kushwah 0 Reputation points
commented 2023-05-30T07:07:51.75+00:00
Givary-MSFT 14,796 Reputation points Microsoft Employee
0 answers

Sentinel Source Control Through ARM Template

Hi, I've been running into some issues while trying to build an ARM template which links a Sentinel instance to Azure DevOps using Microsoft.SecurityInsights/sourcecontrols. I've got it to the stage where it now seems to need authentication to access the…

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,659 questions
Microsoft Sentinel
asked 2023-01-16T11:20:53.37+00:00
Aaron Dawson 5 Reputation points
edited the question 2023-05-30T05:30:18.78+00:00
Givary-MSFT 14,796 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Dynamic content from Sentinel connector in Logic App is missing, basically empty.

Hello. I'm using the Sentinel Incident Connector in my Logic App to send an SMS when a high severity alert is created. But the dynamic content seems to be missing recently -- it worked a few weeks ago. All the dynamic content I get is empty. To demonstrate the…

Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,102 questions
Microsoft Sentinel
asked 2023-05-29T13:43:26.1066667+00:00
Roy Yang 0 Reputation points
commented 2023-05-30T05:28:55.41+00:00
Roy Yang 0 Reputation points
2 answers

Customer is migrating Azure from CSP to MCA and they wanted to understand what configuration needs to be done to the subscription to ensure a smooth transition

Customer is migrating Azure from CSP to MCA and they wanted to understand what configuration needs to be done to the subscription to ensure a smooth transition. Also, they want to check if there is any impact on the tenant, subscription and Log Analytics workspace…

Microsoft Sentinel
asked 2023-05-26T07:23:04.3633333+00:00
Parshuram Tularam Kushwah 0 Reputation points
answered 2023-05-29T11:08:57.7133333+00:00
Omkar Kadam 0 Reputation points
1 answer

Certificate auditing in Azure Key Vault

I've been trying to audit certificate/keys/secrets modifications on Azure Key Vault but there seem to be no logs created when a certificate is created/deleted/modified. I made sure that the vault has auditing enabled and the logs are sent to an Azure…

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
763 questions
Microsoft Sentinel
asked 2023-05-28T07:00:23.75+00:00
Liran 0 Reputation points
answered 2023-05-28T08:45:44.04+00:00
AirGordon 1,380 Reputation points Microsoft Employee
2 answers

Sentinel/LogAnalytics receives only partial syslog messages

Hi MS-Community, I am having trouble getting the Meraki logs into Sentinel. My setup looks like the following: a fresh Debian 9 image (recommended operating system for Linux); executing onboard_agent.sh; modifying rsyslog to…

Microsoft Sentinel
asked 2021-12-15T14:11:56.98+00:00
lmatt 1 Reputation point
commented 2023-05-26T15:41:35.4166667+00:00
Wahid, Abdul 0 Reputation points
2 answers

Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App

Hi, I am trying to connect an application in Sentinel Data connectors, but one of the prerequisites is "Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App". I am trying to find where I can allow the…

Microsoft Sentinel
asked 2023-03-09T02:13:00.6866667+00:00
Mv 0 Reputation points
answered 2023-05-26T14:07:02.8066667+00:00
Peter McGill 0 Reputation points
1 answer One of the answers was accepted by the question author.

MDE Incidents api or advanced hunting with KQL

Hi, I am ingesting data from https://api.security.microsoft.com/api/incidents in Data Factory. However, there is a maximum page size for incidents of 100, but I have 440,000, so it takes a long time to go through every page of 100. So I was hoping to maybe run…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
820 questions
Microsoft Sentinel
asked 2023-05-24T15:31:51.4866667+00:00
Maria Valek 60 Reputation points
accepted 2023-05-25T14:21:12.5233333+00:00
Maria Valek 60 Reputation points
1 answer

How to create an alert if someone disables any function in my function app?

I have created one function app "XYZ". Inside this function app I have created 2 functions, "F1" and "F2". Now I want to create an alert or notification if a user disables any function (F1 or F2). Can someone please…

Azure Monitor
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
3,000 questions
Microsoft Sentinel
asked 2023-05-16T07:24:45.2866667+00:00
Bharvi Bhut 181 Reputation points
commented 2023-05-25T08:51:58.54+00:00
Bharvi Bhut 181 Reputation points
1 answer

Why is it not easier to send an email when a Sentinel incident is created?

I think my title says it all really, but I don't understand why there isn't an option in Sentinel, like there is in M365 Defender, to send an email when a new incident is created. It's the most basic thing but you make us go make logic apps and…

Microsoft Sentinel
asked 2023-05-24T13:38:25.92+00:00
answered 2023-05-24T18:27:59.9+00:00
VasimTamboli 2,245 Reputation points
5 answers

Injecting Cisco Meraki logs to Azure Sentinel

Hello Everyone, I would like to inject logs from our Meraki devices into Azure Sentinel. From everything I've read, a Linux syslog server is needed to act as a log collector/forwarder to collect logs from the Meraki devices and then forward them to…

Microsoft Sentinel
asked 2021-04-14T19:12:48.07+00:00
Sing Kit Cheng 31 Reputation points
answered 2023-05-24T07:54:52.7133333+00:00
Richard Young, (hotmail) 1 Reputation point
1 answer One of the answers was accepted by the question author.

Workspace is created but not available as drop down in VMware ESXi

While creating VMware ESXi there is a step to create a "workspace". We have created a workspace successfully by assigning Region and Resource group, etc., and we can see the workspace listed as well. But while creating VMware ESXi - under workspace…

Microsoft Sentinel
asked 2023-05-22T10:20:42.64+00:00
Siddharth Bhonde 20 Reputation points
commented 2023-05-23T04:26:13.86+00:00
Siddharth Bhonde 20 Reputation points
2 answers

Cisco ASA connector: the OMS agent is not receiving CEF logs.

Dears, I am trying to integrate the Cisco ASA connector to get the logs into Sentinel. When I ran the troubleshooting script I got the message that the agent is not able to locate CEF logs. Moreover, I am receiving syslog. I tried to enable logs in CEF…

Microsoft Sentinel
asked 2023-05-09T12:28:10.0266667+00:00
Georges Hayek 21 Reputation points
answered 2023-05-22T13:21:11.07+00:00
Georges Hayek 21 Reputation points
3 answers

Sentinel AMA/CEF connector works but doesn't collect local syslog even with all facility log levels set to debug

Hi there, I'd like to know if anyone has been successful in collecting LOCAL syslog data with the AMA/CEF connector. My observations: Default RedHat 8.6 VM running in Azure. DCR enabled from Sentinel with all facilities set to debug. (VM is in scope) …

Microsoft Sentinel
asked 2023-04-29T16:50:37.3566667+00:00
David Broggy 4,461 Reputation points MVP
answered 2023-05-22T12:34:13.5466667+00:00
Peter Huxley 0 Reputation points
1 answer

Getting started with Sentinel free data sources

Hi, Looking at how my org could potentially start to make use of Sentinel, and personally see the free data sources https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources as a great place to start getting familiar…

Microsoft Sentinel
asked 2023-05-17T09:06:06.9433333+00:00
AdamBudzinskiAZA-0329 81 Reputation points
commented 2023-05-22T06:04:19.3933333+00:00
AdamBudzinskiAZA-0329 81 Reputation points
2 answers

I assigned the Sentinel Contributor role to a user but I am not seeing that in PIM.

I assigned the Sentinel Contributor role to a user but I am not seeing that in PIM. If you go to the PIM Azure resource, it's not loading.

Azure Active Directory
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
5,242 questions
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,030 questions
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
33 questions
Microsoft Sentinel
asked 2023-05-10T21:19:25.66+00:00
Dhinesh SA 40 Reputation points
answered 2023-05-20T00:04:21.2566667+00:00
Marilee Turscak-MSFT 24,051 Reputation points Microsoft Employee
3 answers One of the answers was accepted by the question author.

Custom data collection rule not applying transformKQL when saving

Hi, as per the article https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog#avoid-data-ingestion-duplication I'm trying to update my Data Collection Rule with a transformKql query in the dataFlows section of the configuration. I'm doing…

Microsoft Sentinel
asked 2023-05-17T07:58:15.5766667+00:00
Brady Kenworthy 20 Reputation points
accepted 2023-05-19T05:01:15.5033333+00:00
Brady Kenworthy 20 Reputation points
2 answers One of the answers was accepted by the question author.

Can Azure Sentinel receive data from Microsoft 365 Defender from multiple organizations?

Can I use Azure Sentinel to receive data from Microsoft 365 Defender from multiple organizations, or can Azure Sentinel only receive data from Microsoft 365 Defender within its own organization? I want to use Azure Sentinel to receive Microsoft 365 Defender data from multiple organizations; can this be done?…

Microsoft Sentinel
asked 2023-05-16T08:49:05.3166667+00:00
David Hsu 20 Reputation points
accepted 2023-05-19T01:24:43.69+00:00
David Hsu 20 Reputation points
2 answers

Microsoft Sentinel API Odata filtering not working

Hi, when I try to use the OData 4.0 notation in the alertRules API, e.g.: GET…

Microsoft Sentinel
asked 2022-07-26T20:47:38.57+00:00
Kristian Jacobsen 1 Reputation point
commented 2023-05-17T10:46:16.92+00:00
Warren Eksteen 0 Reputation points
2 answers

I would like to have the prefix of the machine name stored. Then the variable values are displayed together as a graph. What is the right thing to do?

let Thailand = "Thailand"; let Myanmar = "Myanmar"; let ThailandEvents = DeviceEvents | where ActionType contains "UsbDriveMounted" | where DeviceName contains ".xxxx.com" | where (DeviceName…

Microsoft Sentinel
asked 2023-05-13T08:49:50.7966667+00:00
Koonnamchok Klongkaew 20 Reputation points
commented 2023-05-16T08:05:33.8866667+00:00
Clive Watson 2,641 Reputation points MVP