Microsoft Q&A

Microsoft Sentinel

606 questions

A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.


606 questions with Microsoft Sentinel tags

1 answer

Microsoft Sentinel Integration with syslog server

I have been trying to connect a solution to a syslog server and then to Sentinel. SOC solution --> Syslog Server --> Microsoft Sentinel. I have been getting the logs in the syslog server on port 6515 from the SOC solution (log format RFC 5424), I…

Tags: Microsoft Sentinel; Azure Monitor (An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments; 1,806 questions); Azure HDInsight (An Azure managed cluster service for open-source analytics; 164 questions)
asked 2022-01-31T11:36:30.003+00:00
Bhagyesh Telang 1 Reputation point
answered 2023-01-30T14:43:59.6+00:00
Clive Watson 1,066 Reputation points
1 answer

IIS log ingestion using AMA Agents for multiple IIS sites

I have installed an AMA agent on an internal IIS server via Azure ARC in an attempt to ingest logs into Microsoft Sentinel. The ingestion works for a single site, but we have multiple sites on the single IIS server, and the data source only allows…

Tags: Microsoft Sentinel, Azure Monitor, Internet Information Services
asked 2023-01-27T00:19:02.34+00:00
Anonymous
edited a comment 2023-01-30T03:31:20.3566667+00:00
KrishnaG-MSFT 7,966 Reputation points Microsoft Employee
1 answer

How to disable a playbook from running during weekends?

Hello, I have some simple playbooks which have the following flow: run every 30 mins -> run the query and list results -> if count is 0, send a message in a Teams channel. Thing is, we often get 0 during the weekends. How to disable this playbook from…

Tags: Microsoft Sentinel; Azure Logic Apps (An Azure service that automates the access and use of data across clouds without writing code; 1,804 questions)
asked 2023-01-28T15:56:44.13+00:00
ppal 221 Reputation points
edited an answer 2023-01-28T19:38:59.02+00:00
Dillon Silzer 33,346 Reputation points
0 answers

Codeless Connector Platform Session authType

Good Day! I would like to ask if there is some way to handle the parameters for Session type authentication in CCP Sentinel. "instructionSteps": [ { "title":…

Tags: Microsoft Sentinel
asked 2022-11-30T12:44:01.547+00:00
Krzysztof Świdrak 91 Reputation points
commented 2023-01-28T15:23:01.8933333+00:00
Krzysztof Świdrak 91 Reputation points
1 answer

Include only office hours in KQL query

Hello, I'm working on a playbook to report on zero events from CAPAMAuditLog. The query below looks in the CAPAMAuditLog table and provides the count of events for the last 2 hours excluding Saturday and Sunday. I also want to include only office…

Tags: Microsoft Sentinel
asked 2023-01-27T07:25:33.6166667+00:00
ppal 221 Reputation points
edited a comment 2023-01-27T14:39:20.5033333+00:00
ppal 221 Reputation points
1 answer One of the answers was accepted by the question author.

Cannot enable Azure Active Directory connector in Sentinel

Folks, we have an Azure AD P1 plan. We're doing the 30-day trial to evaluate Microsoft Sentinel; when I try to enable the data connector, for example selecting "Sign-in Logs", I get the error "Failed to apply the changes" when I click…

Tags: Microsoft Sentinel; Azure Active Directory (An Azure enterprise identity service that provides single sign-on and multi-factor authentication; 12,604 questions)
asked 2023-01-18T19:13:15.7766667+00:00
Andrés Martínez 25 Reputation points
commented 2023-01-26T21:12:47.1+00:00
JamesTran-MSFT 26,526 Reputation points Microsoft Employee
1 answer

When is the S3 connector method going to be GA?

We are planning to connect our AWS environment to Azure Sentinel. It is currently listed as in preview. Is there a way to know when it will become GA?

Tags: Microsoft Sentinel
asked 2023-01-26T18:15:52.8866667+00:00
Alvarez, Adam (HC/SC) 0 Reputation points
answered 2023-01-26T19:00:11.8466667+00:00
Marshaljs 26,561 Reputation points
1 answer

How to Integrate Threat Intelligence IOCs into Sentinel SIEM via Third-Party API

The current Sentinel user guide (https://learn.microsoft.com/en-us/azure/sentinel/) details how to integrate threat intelligence IOCs into Sentinel via 1) TAXII feed and 2) threat intelligence platform. I am trying to ingest IOCs into Sentinel via a…

Tags: Microsoft Sentinel; Microsoft Graph Security API (A Microsoft API that provides a unified interface to connect security solutions from multiple Microsoft and third-party providers; 101 questions)
asked 2023-01-25T17:29:20.0466667+00:00
Tim C 0 Reputation points
answered 2023-01-26T16:32:44.27+00:00
Clive Watson 1,066 Reputation points
1 answer

I'm new to Sentinel and I would like to know how to run a KQL query to list all the devices that have been connected to my Sentinel instance

We had a third-party provider perform the basic setup of our Sentinel instance. Can someone step me through how to run a KQL query (including the query syntax) to retrieve a list of hosts (Windows VMs, external Microsoft hosts and Linux hosts that…

Tags: Microsoft Sentinel
asked 2022-10-24T01:17:23.24+00:00
Andrew Johnston 1 Reputation point
answered 2023-01-25T11:16:52.1+00:00
Clive Watson 1,066 Reputation points
1 answer One of the answers was accepted by the question author.

Exclude weekends from KQL query

Hello, I have a simple query below looking for the total number of events in Sentinel for CAPAM for the last 30 mins. I'm setting up a playbook to report if that number reaches 0. However, since CAPAM is an IAM technology, it often reaches 0 during the…

Tags: Microsoft Sentinel
asked 2023-01-25T07:45:17.9266667+00:00
ppal 221 Reputation points
commented 2023-01-25T11:06:30.9033333+00:00
Peter T 241 Reputation points
1 answer

Declare and reuse table in Log Analytics workbook

I am working on a large workbook that includes the same query with minor tweaks for each statistic and several large queries that look back over one to four months of data and I'm trying to improve its efficiency. Is there a way I can either: Query…

Tags: Microsoft Sentinel
asked 2023-01-12T22:55:34.56+00:00
Russel Christie 1 Reputation point
answered 2023-01-24T16:48:02.8066667+00:00
Clive Watson 1,066 Reputation points
2 answers

How can I run a PowerShell script from a Logic App for automation in Sentinel?

I want to run a shell script from the Logic App. However, there is no connector for it.

Tags: Microsoft Sentinel, Azure Active Directory
asked 2022-12-13T10:08:29.793+00:00
Georges Hayek 21 Reputation points
commented 2023-01-23T21:22:26.5866667+00:00
Raj Chatterjee 0 Reputation points
0 answers

How to add data into properties.additionalData inside a Threat Intelligence Indicator?

I have created a Threat Intelligence Indicator in Microsoft Sentinel using this REST API (https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator/create-indicator?tabs=HTTP) and the indicator was created…

Tags: Microsoft Sentinel, Azure Active Directory
asked 2023-01-19T07:05:40.47+00:00
Anonymous
commented 2023-01-23T10:28:50.7233333+00:00
Givary-MSFT 11,421 Reputation points Microsoft Employee
1 answer

Question about security threats

How does Microsoft classify security threats to its software?

Tags: Microsoft Sentinel; Microsoft Defender for Cloud (An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender; 665 questions)
asked 2022-12-19T19:03:18.557+00:00
alii 1 Reputation point
edited the question 2023-01-23T07:17:25.59+00:00
Sumarigo-MSFT 30,656 Reputation points Microsoft Employee
1 answer

Suspicious logins to Azure CLI with Python request User Agent

Hi! We regularly have this kind of login in our environment (large, mostly students), both successful and failed logins. Details from Defender for Cloud: "ApplicationId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", …

Tags: Microsoft Sentinel, Azure Active Directory
asked 2023-01-18T10:53:55.94+00:00
Bartsch, Christian 5 Reputation points
answered 2023-01-20T23:18:51.7966667+00:00
Denis Mello 0 Reputation points Microsoft Employee
2 answers One of the answers was accepted by the question author.

How do I update Sentinel NRT analytical rules?

My Sentinel analytics NRT-type rule, "NRT Creation of expensive computes in Azure", shows an Update is Available. With Scheduled rule types the Update button is visible, but not with NRT. How do I update NRT analytics rules? Please and thanks.

Tags: Microsoft Sentinel
asked 2023-01-20T16:51:53.7433333+00:00
Mark Newton 20 Reputation points
accepted 2023-01-20T20:17:42.56+00:00
Mark Newton 20 Reputation points
1 answer

Asset Inventory analysis KQL query in MS Sentinel

What can be the query to make a workbook in MS Sentinel to visualize Asset Inventory?

Tags: Microsoft Sentinel
asked 2023-01-18T09:44:29.7+00:00
Sujit Mahakhud 0 Reputation points
edited an answer 2023-01-18T16:47:43.0933333+00:00
David Broggy 3,976 Reputation points Microsoft MVP
1 answer One of the answers was accepted by the question author.

Ingest IIS logfiles into Log Analytics Workspace for use by Sentinel

We have some apps running on Azure with App Service Logs turned on. These logs are streamed to a storage account as IIS log files in W3C format. Now we would like to analyze these logs with Azure Sentinel. I'm new to Azure Sentinel, but if I understood it…

Tags: Microsoft Sentinel; Azure Monitor; Azure Web Apps (A feature of Azure App Service used to create and deploy scalable, mission-critical web apps; 4,316 questions); Azure Storage Accounts (Globally unique resources that provide access to data management services and serve as the parent namespace for the services; 1,542 questions)
asked 2023-01-16T15:36:38.3533333+00:00
Markus Radszuweit 25 Reputation points
commented 2023-01-18T10:39:15.9466667+00:00
Markus Radszuweit 25 Reputation points
1 answer One of the answers was accepted by the question author.

Sentinel Bicep deployment: InvalidParameter - Solution product cannot start with 'OMSGallery/' as it is reserved for Microsoft first party solutions.

Hello, I am learning how to script and I wish to deploy Sentinel with Bicep. I have created a script from Microsoft templates and have added variables as well as a jsonc parameters file. I use VS Code with the Bicep extension in order to "easily"…

Tags: Microsoft Sentinel, Azure Monitor
asked 2023-01-17T16:00:00.0266667+00:00
Dunvael LE ROUX 20 Reputation points
edited the question 2023-01-18T09:44:38.5433333+00:00
Stanislav Zhelyazkov 14,026 Reputation points Microsoft MVP
1 answer One of the answers was accepted by the question author.

Log Analytics: Subscribe to changes in API and Table

Hi, I'm developing a solution based on a) the Log Analytics Query API (https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP) and b) the SecurityIncident table…

Tags: Microsoft Sentinel, Azure Monitor
asked 2023-01-17T14:50:31.45+00:00
Frederik Larsen 71 Reputation points
commented 2023-01-18T08:13:39.87+00:00
Stanislav Zhelyazkov 14,026 Reputation points Microsoft MVP