990 questions with Microsoft Sentinel tags

0 answers

Issue with Microsoft Sentinel Connectors

Hello! Prior to May 7th, 2024, there were roughly 20 connectors that were connected and working as expected with respect to Microsoft Sentinel and the Log Analytics workspace. On the mentioned date we noticed this anomaly where, out of the 20-odd…

Microsoft Sentinel
A scalable, cloud-native solution for security information and event management (SIEM) and security orchestration, automation and response (SOAR). Previously known as Azure Sentinel.
990 questions
asked 2024-05-10T20:00:28.38+00:00
Vignesh Sundar 0 Reputation points
0 answers

Sentinel Kusto Query todatetime function does not work with dynamic values.

I have a kusto query to calculate MTTR by client. When an incident is resolved, an analyst comments the resolution time in the format R: time where time is when the incident was resolved and R is to make the comment unique. Example R: Friday, May 10,…

Microsoft Sentinel
asked 2024-05-10T11:24:54.8433333+00:00
Julius Ekane 0 Reputation points
edited the question 2024-05-10T13:08:33.2866667+00:00
OMMI NAVEEN KUMAR 195 Reputation points Microsoft Vendor
2 answers

How to separate logs received on syslog port 514 into separate tables during ingestion and avoid duplication.

Hi Team, I have a centralized log forwarder setup which collects logs on port 514 from different applications. I want to send those logs to separate tables by filtering them at ingestion time. Currently all logs are going to Syslog using the default DCR rule,…

Microsoft Sentinel
asked 2024-05-03T13:16:08.3933333+00:00
Disha Bodade 65 Reputation points
commented 2024-05-09T16:45:42.0833333+00:00
Givary-MSFT 28,486 Reputation points Microsoft Employee
1 answer

Unable to connect the Sentinel data connector with Defender XDR

Hello, I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing me to establish the XDR connector. As I am the Owner of the…

Microsoft Sentinel
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
155 questions
asked 2024-05-08T12:07:43.2433333+00:00
Karan Bhatt 27 Reputation points
commented 2024-05-09T05:11:28.75+00:00
Karan Bhatt 27 Reputation points
1 answer One of the answers was accepted by the question author.

How are GitHub links created/referenced in a function app

I am finding it difficult to understand how these links are generated. https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy https://aka.ms/sentinel-ApigeeXDataConnector-functionapp I am building a similar function app JSON for my solution, and I…

Microsoft Sentinel
asked 2024-04-27T00:50:47.2866667+00:00
Ashwin Venkatesha 165 Reputation points
accepted 2024-05-09T04:49:56.79+00:00
Ashwin Venkatesha 165 Reputation points
1 answer

This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.

Applied Skills name: Deploy containers by using Azure Kubernetes Service. Issue: This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.

Microsoft Sentinel
asked 2024-03-24T11:56:12.4166667+00:00
pritam bhor 25 Reputation points
commented 2024-05-09T04:18:52.16+00:00
Philipp Moser 5 Reputation points
1 answer

Remote Desktop Connection error- Windows 11

A newbie here trying to set up Azure Sentinel (SIEM) and connect it to a live virtual machine that will act as a honeypot. But I am facing an error with RDP; Windows 11 Home edition doesn't support Remote Desktop.…

Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,260 questions
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,278 questions
Microsoft Sentinel
asked 2024-05-08T06:48:15.5266667+00:00
sam_2k4 0 Reputation points
answered 2024-05-09T02:12:29.8933333+00:00
Karlie Weng 14,641 Reputation points Microsoft Vendor
1 answer One of the answers was accepted by the question author.

Inquiry Regarding Multiple 4624 Event ID Logs for Single User Login

Hello Team, I am reaching out to inquire about a matter related to our Windows Security logs. Specifically, we have observed multiple instances of Event ID 4624 being logged for a single user login event in the Security Events table. As part of our…

Active Directory
A set of directory-based technologies included in Windows Server.
5,932 questions
Microsoft Sentinel
asked 2024-05-01T18:05:09.7033333+00:00
Srisaiteja Palle 20 Reputation points
accepted 2024-05-08T16:56:42.5566667+00:00
Srisaiteja Palle 20 Reputation points
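Several 4624 rows for one human logon is normal rather than a collection fault: on Windows 10/Server 2016 and later an administrator's interactive logon writes two 4624 events (filtered token and full token, tied together by Linked Logon ID), and the same session then produces further logon-type-3 events on every server it touches for shares or Group Policy. The query below is an added example, not from the question or its answers, and assumes only the standard SecurityEvent schema written by the Windows Security Events connector. It collapses the burst to one row per account, host and source address per five-minute window, keeping the distinct logon types and logon IDs so the analyst can see which duplicates are benign token splits and which are separate sessions.

```kql
// Added example: collapse the multiple 4624 rows a single logon produces.
// Assumes the standard SecurityEvent table (Windows Security Events connector).
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624
| where AccountType == "User"                  // drop machine accounts (names ending in $)
| where LogonType in (2, 10, 11)               // interactive, RDP, cached interactive only;
                                               // type 3 (network) fires on every share/GPO access
| summarize
    LogonCount = count(),
    LogonTypes = make_set(LogonType),          // >1 type means distinct sessions, not a token split
    LogonIds   = make_set(TargetLogonId),      // two IDs with one type is the UAC split-token pair
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Account, Computer, IpAddress, bin(TimeGenerated, 5m)
| where LogonCount > 1
| order by LogonCount desc
```

If the aim is a per-logon count for reporting, use `dcount(TargetLogonId)` instead of `count()`; if the aim is to spot anomalous volume, keep `count()` and baseline it per account, because a jump in raw 4624 rows for one user at one source address is still a useful signal.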
1 answer One of the answers was accepted by the question author.

Respond to incidents across multiple tenants deploying Defender XDR from one centralized MS Sentinel

Hello, I have a customer with 3 tenants, A, B and C. Tenants A and C each use Microsoft Defender XDR. MS Sentinel is configured on Tenant B. He wants to centralize all events and logs on Sentinel and wants to configure responses if any incident is…

Microsoft Sentinel
asked 2024-05-02T13:05:38.2+00:00
Farah MHAMDI 20 Reputation points
commented 2024-05-08T14:54:53.59+00:00
Farah MHAMDI 20 Reputation points
1 answer

Watchlist Azure Sentinel Update

Is there anyone who has or knows of a source of information that can provide a more comprehensive or extensive list of SocRA than what is available in this link: https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv? I…

Microsoft Sentinel
asked 2024-05-02T07:02:53.7066667+00:00
M Nurohmat 100 Reputation points
commented 2024-05-08T08:49:26.61+00:00
Givary-MSFT 28,486 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

How to add a function app for azure workbook and sentinel solution

Hi, I am working on contributing to an Azure Sentinel solution in GitHub. My solution contains a data connector and workbooks. Now, I want to add a workbook that talks to a custom endpoint. In this case, the custom endpoint is a function app HTTP…

Microsoft Sentinel
asked 2024-04-30T07:54:16.0666667+00:00
Ashwin Venkatesha 165 Reputation points
accepted 2024-05-07T22:24:11.4133333+00:00
Ashwin Venkatesha 165 Reputation points
1 answer One of the answers was accepted by the question author.

KQL validation is failing locally

I ran dotnet test as per https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally [xUnit.net 00:00:00.41] Exception discovering tests from Kqlvalidations.Tests: System.BadImageFormatException: Could not load file or assembly…

Microsoft Sentinel
asked 2024-04-26T06:17:29.5366667+00:00
Ashwin Venkatesha 165 Reputation points
accepted 2024-05-07T22:01:16.9833333+00:00
Ashwin Venkatesha 165 Reputation points
1 answer One of the answers was accepted by the question author.

Failed to save analytics rule query.

I can create any active analytics rule query in Microsoft Sentinel. While trying to create a new one an error occurs: "Failed to save the analytics rule query. Log Analytics workspace 'xxx' could not be found." It started when the previous…

Microsoft Sentinel
asked 2024-05-03T04:18:08.0833333+00:00
3PI 20 Reputation points
accepted 2024-05-07T16:05:25.52+00:00
3PI 20 Reputation points
3 answers

How to audit the creator of an Enterprise Application in Azure

Hi, I'm trying to get the creator of an "Enterprise Application" as soon as someone creates one, by the query below. AuditLogs | where Category =~ "ApplicationManagement" | where OperationName =~ "Add application" | mv-expand…

Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,664 questions
asked 2024-02-07T16:11:00.8033333+00:00
Stalder Jonas 0 Reputation points
commented 2024-05-06T06:39:01.0466667+00:00
Per B. Olsen 0 Reputation points
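One point worth checking when the query above returns nothing for a new enterprise application: in the Entra ID audit log, "Add application" is written when an app registration is created, while an enterprise application (the service principal object) is written as "Add service principal". The query below is an added example, not the poster's query or an official Microsoft one, and assumes the standard AuditLogs schema exported to the workspace by the Microsoft Entra ID connector. It covers both operation names and pulls the actor from `InitiatedBy`, falling back to the application display name when the creation was done by an app rather than a user (for example a CI pipeline's service principal).

```kql
// Added example: who created an app registration or enterprise application.
// Assumes the standard AuditLogs table from the Microsoft Entra ID connector.
AuditLogs
| where TimeGenerated > ago(30d)
| where Category =~ "ApplicationManagement"
// "Add application"       -> new app registration
// "Add service principal" -> new enterprise application (the object the poster is after)
| where OperationName in~ ("Add application", "Add service principal")
| extend Initiator = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),   // human actor
      tostring(InitiatedBy.app.displayName))          // automation / another app
| extend InitiatorIp = tostring(InitiatedBy.user.ipAddress)
| mv-expand TargetResources                            // one row per created object
| extend
    AppName    = tostring(TargetResources.displayName),
    ObjectId   = tostring(TargetResources.id),
    ObjectType = tostring(TargetResources.type)
| project TimeGenerated, OperationName, Result, Initiator, InitiatorIp,
          AppName, ObjectId, ObjectType, CorrelationId
| order by TimeGenerated desc
```

`CorrelationId` is kept because a single enterprise-app creation from the portal typically emits both operations under one correlation ID; grouping on it shows the registration and its service principal as one action by one actor. For a scheduled analytics rule, drop the `ago(30d)` filter and let the rule's lookback period bound the query.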
0 answers

Error upon setting up playbook.

I am using this guide to set up a playbook for the AlienVault OTX. However I get the following error message when I try to save the logic: "Workflow validation failed for the workflow ''.…

Microsoft Sentinel
asked 2024-05-01T10:10:15.6166667+00:00
JavaM 1 Reputation point
commented 2024-05-06T04:52:35.7566667+00:00
Navya 4,155 Reputation points Microsoft Vendor
1 answer One of the answers was accepted by the question author.

Can I create a playbook in Microsoft Sentinel that is able to disable a compromised hybrid user account whose authentication authority is an on-premises Active Directory Domain controller?

I would like to create a playbook that disables a compromised account. The account is synchronised from an on-premises Active Directory Domain Controller. Synchronisation to Microsoft Entra ID is through Microsoft Entra Connect Sync. Password hash…

Microsoft Sentinel
asked 2024-04-27T10:12:42.72+00:00
Anthony K. Simukonda 20 Reputation points
accepted 2024-05-05T09:34:01.37+00:00
Anthony K. Simukonda 20 Reputation points
1 answer One of the answers was accepted by the question author.

30 day challenge for security operations analyst cert module numbers inconsistent

I am doing the 30 day challenge for sc-200 Security Operations Analyst. I have done the 53 modules stated in the challenge, however, my status says 53 of 54 modules completed. I have no info how to get to the 54th module if it exists! URL:…

Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,874 questions
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
948 questions
Microsoft Sentinel
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection. Training: Instruction to develop new skills.
14 questions
asked 2024-04-22T15:11:45.55+00:00
Jose Niguidula Enriquez 25 Reputation points
commented 2024-05-03T13:19:58.8166667+00:00
Jose Niguidula Enriquez 25 Reputation points
1 answer

The query behind the Sentinel Open | New | Active incident widget

Hi, We are trying to figure out what query produces the following numbers in Sentinel. We've been trying to produce the same numbers using the SecurityIncident and SecurityAlert tables, but the number of incidents is much lower than shown here. I'm…

Microsoft Sentinel
asked 2024-04-22T11:45:44.6766667+00:00
Laszlo Pal 20 Reputation points
commented 2024-05-02T10:11:01.13+00:00
Laszlo Pal 20 Reputation points
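Two of the questions on this page (the Open | New | Active widget counts, and the MTTR calculation where `todatetime()` is being run over values pulled out of a dynamic column) share one root cause: `SecurityIncident` is an append-only audit of incident changes, with a new row every time an incident is modified, so counting rows or reading a status without first reducing to the latest row per incident gives wrong numbers, and any time range that starts after an incident was created drops it entirely. The query below is an added example, not the widget's own query (which Microsoft does not publish) and not the poster's, and assumes only the standard SecurityIncident schema. Treating "Open" as New plus Active is an assumption stated in a comment; adjust it if your widget disagrees. It also computes time to resolve from the incident's own `CreatedTime` and `ClosedTime` rather than from a free-text analyst comment, which removes the parsing step altogether.

```kql
// Added example: incident status counts and mean time to resolve.
// Assumes the standard SecurityIncident table. Set the query time range to
// cover the oldest incident you expect to see; rows before the range start are
// simply absent, which is the usual reason the numbers come out too low.
let LatestIncident =
    SecurityIncident
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;   // one row per incident, latest state
LatestIncident
| summarize
    NewIncidents    = countif(Status == "New"),
    ActiveIncidents = countif(Status == "Active"),
    OpenIncidents   = countif(Status in ("New", "Active")),       // assumption: Open = not Closed
    ClosedIncidents = countif(Status == "Closed"),
    // Mean time to resolve in hours, from the incident's own timestamps.
    MTTR_Hours      = avgif(datetime_diff('minute', ClosedTime, CreatedTime), Status == "Closed") / 60.0
    by Severity
| order by Severity asc
```

If resolution time really has to come from the analyst's "R: <time>" comment, the value that `mv-expand Comments` yields is dynamic, so wrap it with `tostring()` before `extract()` and `todatetime()`; `todatetime()` returns null for a string it cannot parse (it accepts ISO 8601 and a few RFC-style forms, not arbitrary locale formats), so add `| where isnull(ResolvedAt)` once to find the comments whose format needs fixing before trusting the average. The `Comments` item layout (a `message` field per entry) is an assumption to confirm against your own data.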
1 answer One of the answers was accepted by the question author.

Error while setting up SMTP Email V3 connection

Hi Team, I am configuring SMTP connection and getting below error Failed to create connection: { "error": { "code": 502, "source": "logic-apis-easteurope.azure-apim.net", "clientRequestId": "",…

Microsoft Sentinel
asked 2024-04-05T11:33:16.4333333+00:00
Disha Bodade 65 Reputation points
accepted 2024-04-30T05:59:05.1333333+00:00
Disha Bodade 65 Reputation points
1 answer

Retention and archiving cost of non-billable tables

Hey folks I see MS updated this page a few months ago: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-archive?tabs=portal-3%2Cportal-1%2Cportal-2#pricing-model This part has been added to the documentation:  "Log data…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,826 questions
Microsoft Sentinel
asked 2024-04-29T06:09:12.3466667+00:00
Sándor Tőkési 161 Reputation points
commented 2024-04-29T15:52:31.59+00:00
Sándor Tőkési 161 Reputation points