Better to have separate workspace for Azure Monitor and Sentinel?
Hello. My organization has a log analytics workspace, and we currently have all of the data collected into one workspace. I'm wondering if we would gain any cost advantage by having a dedicated workspace for Azure monitor and the other for Sentinel. …
To find the number of virtual machines reporting in Azure Sentinel,
Hi, we have thousands of VMs in our environment and we need to report how many Virtual Machines are reporting to Sentinel. Is there any Kusto query or Azure Resource Graph query to find out the number of VMs that are reporting to Sentinel?
Send Sentinel Incidents to Teams Channel
I tried using the adaptive card solution to send Sentinel incidents to a standard Teams channel, but that did not meet our needs and had these shortcomings: Dependent on a Teams user / service account. Upon using the adaptive card response options,…
W365 CloudPC Monitoring with AMA and Sentinel
Hi Team, I have a question on W365 Enterprise CloudPC monitoring. The customer wants to send all the W365 logs to Sentinel, including Windows event logs and security logs. Is this possible? I did not see any documentation in this regard. If it is possible, how…
Sending incident from Sentinel to Teams
Hi, I'm struggling with some very simple automation where Sentinel incidents should be forwarded to a Teams channel. In SOAR Essentials there are two solutions for this: "Post Message to Teams" and "Send Adaptive Card". The first is simpler; it uses Microsoft…
Restricting GCP Workload Identity Authentication to Specific Azure Sentinel Data Connectors
I have to ingest GCP audit logs into Azure Sentinel via the Pub/Sub audit log connector, and authentication should be done using GCP workload identity. I have created the setup and it's working fine. In this setup, while setting up the provider issuer and one of the allowed…
Why data connector display disconnected after setup
I set up a data connector with Content source: Azure Activity; however, it shows disconnected. How do I make it connected?
Error Logs Ingestion API into Sentinel
Logs Ingestion API implementation: no data is being ingested in Sentinel from the 3rd-party REST client. I enabled the DCR logs today; the message being returned is 'Could not validate token because: InvalidAudience'.
Can we use MS Training lab of Sentinel in the free trial for Azure Sentinel once it expires
Do we incur any charges in the MS Training lab of Sentinel in the free trial for Azure Sentinel once it expires after 30 days?
How to check if workspace is replicated?
Dear support, We are testing out the workspace-replication feature (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-replication) for Log Analytics workspaces. When creating a replication workspace and sending the request as mentioned…
Syslog Transformation DCR not working
I need assistance troubleshooting a Syslog Transformation DCR used with Microsoft Sentinel. The Transformation DCR looks to work correctly in the Create Transformation wizard, but doesn't actually filter out the records. I have a few Syslog/CEF…
Pagination in MS Sentinel Threat Indicators API
I am using the below endpoint to list Azure Sentinel Threat Indicators. I have about 350 in the MS Sentinel instance, and when I query the endpoint it gives me the first 100 and also a nextLink value. I query the next set using the nextLink value and…
Atypical Travel - no info for "Previous Location"
Reviewing the output of an Atypical Travel alert, I find detailed information for "Current Location" (City, State, Country), but I only get Country as a result of the "Previous Location". Why is there a discrepancy in the amount of…
Can't Import Sentinel Alert Rules
Good morning, I am having difficulty importing Sentinel rules after I deleted old ones. I deleted the old rules on Friday 9/27 at 9am EST and am getting the error "the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…
Azure AD Audit logs - Not showing the User who made the changes
I was investigating AD group membership changes. I checked the AD audit logs and found events related to group membership changes, but they don't show the account which made the changes. It says that the changes were initiated by an application called…
Caller is missing required playbook triggering permissions on playbook resource
I have created a custom playbook but I get the error: Failed to trigger playbook Caller is missing required playbook triggering permissions on playbook resource…
Sentinel unexpected error
Hi! I have an issue with Microsoft Sentinel. Every now and then I get this "unexpected error". When this happens all connectors show as not connected, I can't run any queries nor see any logs. I still receive incidents based on some analytic…
Which table should I use to pull log ingestion numbers for Computers?
Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist and then get the log ingestion…
Error giving permission to Logic Apps from Microsoft Sentinel
I'm having trouble setting up email and SMS alerts with Sentinel due to issues with Logic Apps permissions. I've tried assigning contributor access to the relevant Logic App, but when I give permission through Manage Playbook Permission, I get the…
Update to Python 3.11 got SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
Hi, after we updated our Sentinel data connector (implemented in an Azure Function) to use Python 3.11 instead of 3.10, we got an SSL error from urllib3 when making API calls: SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify…