Impact on Azure Sentinel for SOC service after customer migrates subscription from CSP to MCA
Hi, I want to understand the impact on SOC services in Azure Sentinel after a customer migrates from a CSP to an MCA subscription, in terms of subscription, resource group, Log Analytics workspace, and log ingestion to Sentinel, since we have existing…


Sentinel Source Control Through ARM Template
Hi, I've been running into some issues while trying to build an ARM template which links a Sentinel instance to Azure DevOps using Microsoft.SecurityInsights/sourcecontrols. I've got it to the stage where it now seems to need authentication to access the…


Dynamic content from Sentinel connector in Logic App is missing, basically empty.
Hello. I'm using the Sentinel Incident Connector in my Logic App to send an SMS when a high severity alert is created. But the dynamic content seems to be missing recently -- it worked a few weeks ago. All the dynamic content I get is empty. To demonstrate the…


Customer is migrating Azure from CSP to MCA and wants to understand what configuration needs to be done to the subscription to ensure a smooth transition
Customer is migrating Azure from CSP to MCA and wants to understand what configuration needs to be done to the subscription to ensure a smooth transition. Also, want to check if there is any impact on the tenant, subscription and Log Analytics workspace…


Certificate auditing in Azure Key Vault
I've been trying to audit certificate/key/secret modifications on Azure Key Vault, but there seem to be no logs created when a certificate is created/deleted/modified. I made sure that the vault has auditing enabled and the logs are sent to an Azure…


Sentinel/LogAnalytics receives only partial syslog messages
Hi MS-Community, I am having trouble getting the Meraki logs into Sentinel. My setup looks like the following: a fresh Debian 9 image (recommended operating system for Linux), executing the onboard_agent.sh, modifying rsyslog to…


Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App
Hi, trying to connect an application on Sentinel Data connectors, but one of the prerequisites is "Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App". Trying to find where I can allow the…


MDE Incidents api or advanced hunting with KQL
Hi, I am ingesting data from https://api.security.microsoft.com/api/incidents in Data Factory. However, there is a max page size of 100 for incidents, but I have 440,000, so it takes a long time to go through every page of 100. So I was hoping to maybe run…


How to create an alert if someone is disabling any function from my function app?
I have created one function app "XYZ". Inside this function app I have created 2 functions, "F1" and "F2". Now I want to create an alert or notification if a user disables any function (F1 or F2). Can someone please…


Why is it not easier to send an email when a Sentinel incident is created?
I think my title says it all really, but I don't understand why there isn't an option in Sentinel, like there is in M365 Defender, to send an email when a new incident is created. It's the most basic thing but you make us go make logic apps and…


Injecting Cisco Meraki logs to Azure Sentinel
Hello Everyone, I would like to inject logs from our Meraki devices into Azure Sentinel. From everything I've read, a Linux syslog server is needed to act as a log collector/forwarder to collect logs from the Meraki devices and then forward them to…


Workspace is created but not available as drop down in VMware ESXi
While creating VMware ESXi there is a step to create a "workspace". We have created a workspace successfully by assigning Region and Resource group, etc., and we can see the workspace listed as well. But while creating VMware ESXi - under workspace…


Cisco ASA connector: the OMS agent is not receiving CEF logs.
Dears, I am trying to integrate the Cisco ASA connector to get the logs into Sentinel. When I ran the troubleshooting script I am getting that the agent is not able to locate CEF logs. Moreover, I am receiving syslog. I tried to enable logs in CEF…


Sentinel AMA/CEF connector works but doesn't collect local syslog even with all facility log levels set to debug
Hi there, I'd like to know if anyone has been successful in collecting LOCAL syslog data with the AMA/CEF connector. My observations: Default RedHat 8.6 VM running in Azure. DCR enabled from Sentinel with all facilities set to debug. (VM is in scope) …


getting started with Sentinel free data sources
Hi, Looking at how my org could potentially start to make use of Sentinel, and personally see the free data sources https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources as a great place to start getting familiar…


I assigned the Sentinel Contributor role to a user but I am not seeing that in PIM.
I assigned the Sentinel Contributor role to a user but I am not seeing that in PIM. If you go to PIM Azure resources, it's not loading.


Custom data collection rule not applying transformKQL when saving
Hi, as per the article https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog#avoid-data-ingestion-duplication I'm trying to update my Data Collection Rule with a transformKql query in the dataFlows section of the configuration. I'm doing…


Can Azure Sentinel receive data from Microsoft 365 Defender from multiple organizations?
Can I use Azure Sentinel to receive data from Microsoft 365 Defender from multiple organizations, or can Azure Sentinel only receive data from Microsoft 365 Defender within its own organization? I want to use Azure Sentinel to receive Microsoft 365 Defender data from multiple organizations; is this possible?…


Microsoft Sentinel API Odata filtering not working
Hi, when I try to use the OData 4.0 notation in the alertRules API, e.g. GET…


I would like to have the prefix of the machine name stored, and then have the variable values displayed together as a graph. What is the right way to do this?
let Thailand = "Thailand"; let Myanmar = "Myanmar"; let ThailandEvents = DeviceEvents | where ActionType contains "UsbDriveMounted" | where DeviceName contains ".xxxx.com" | where (DeviceName…

