Cannot view Sentinel alert for some incidents but the alert can be found in Defender for Endpoint portal using Graph
I have enabled automatic incident creation for Defender for Endpoint in Sentinel but when I try to view some alerts associated with the created incidents, nothing is displayed. Despite this, I can locate the relevant alert in the Security (Defender for…
Fetch events' data of sentinel incident
I want to fetch the events' data (under evidence) of a Sentinel incident, but I haven't found an API for it. Is there any other API that indirectly provides the data of events, specifically the data of entities?
how to parse timestamp appending on syslog raw message
How to parse the timestamp appended to a syslog raw message? Please see the example below. 2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE [xxxxxx reason="TCP FIN" source-address="xx.xx.xx.xx" source-port="xxxxx"…
Create AAD Data Connector with Management API
I'm trying to create the Azure Active Directory (now called Microsoft Entra ID) data connector on Sentinel using the Azure Resource Management API in the GccHigh (US Gov cloud environment). I'm getting an "Invalid License" error which doesn't…
Getting Error while saving Analytics rule as "the provided 'productFilter' was not recognized as a valid product"
Team, I am trying to create an Analytics Rule. I also created an Automation Rule with default options and created one playbook to run an action of that automation rule. But while saving the Analytics Rule, Sentinel throws the error below. Failed to save analytics…
Does anybody know if or when new Cisco Meraki connector that supports AMA for Sentinel will be published?
I would like to find out if Microsoft or Cisco are planning to release an updated Sentinel connector for Cisco Meraki that supports the AMA agent. Any idea when? Thanks
CloudWatch ASIM Parser
I have successfully connected AWS CloudWatch to Sentinel, and I am receiving events from multiple log groups. However, I am facing an issue with parsing the events, particularly with the 'Message' field that is in JSON format. Currently, the 'Message'…
Azure VM not reporting to LAW | Event Id 4001 Operations Manager
Hi folks, I have an Azure-hosted machine which is unable to connect to Azure OMS to export logs to Azure LAW. I am getting connectivity-related errors in the MMA config manager, Event ID 4001 in the Event Logs, etc. Though I have validated the…
SC-200 study guide changes
Hello, I am trying to study for the SC-200; however, it states that as of today, 4th March, there are significant changes to the exam. After reviewing the change log on the study guide page, a lot of the content that it states is being removed/deleted is still…
Playbook ARM template generator broken
Hey, I have been using the playbook ARM template generator for years and the past week it does not work at all. It tries to log into local host to present the portal but it does not work correctly. I have tried it on 3 machines and several browsers. …
Kusto Query Language Count Assets
Good night, everyone. Can you help me? I am a beginner in the use of Kusto Query Language (KQL) in Microsoft Sentinel and I am very confused. How can I count alerts by the afflicted asset type (personal computers, servers, ...)? I am not finding this column…
Where does Sentinel store the information that is displayed in the Incident View?
Hello, I am currently wondering where Sentinel stores the information that is displayed in the Incident View. My Log Analytics has a data retention of 90 days, each table has 90 days retention without an archive period. In Sentinel I can view incidents…
Sentinel Integration - syslog
Do we need to reactivate our Defender for IoT sensors as online sensors when we wish to send syslog CEF over UDP 514 for Sentinel integration? Note: at present we have offline-activated sensors.
Automated email sending when running a KQL query
Hello, First of all, I'm quite new in Sentinel/KQL related stuff. I have this very basic KQL query to find sign-ins from countries not included in the "LocationDetails" argument. I'd like to automate this query and, if any results found, send…
How to fix "Votre compte est configuré de telle sorte que vous ne pouvez pas utiliser ce PC. essayez un autre PC"
Hello, we have been running into this problem on many workstations since we started working with AzureAD. Message: "votre compte est configuré de telle sorte que vous ne pouvez pas utiliser ce PC. essayez un autre PC". Local GPOs…
Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App
Hi, I am trying to connect an application in Sentinel Data connectors, but one of the prerequisites is "Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App". I am trying to find where I can allow the…
Using Logic Apps to automate enrichment of Sentinel incidents
I am exploring automation options for enriching Sentinel incidents and would like to use my threat intel pane in Sentinel via Defender intel feeds. Is there a way to use Logic Apps to accomplish this instead of relying on multiple separate threat intel…
Remove Automation rules from analytics rules in Sentinel
Hello, this is a Microsoft Sentinel question. If an automation rule has been created and added as an automated response in an Analytics rule, is there any way to remove it from the list of automated responses?
Sentinel widgets and private endpoint
Do the widgets and Insights in the Incidents panel in Sentinel work when the Log Analytics Workspace uses private endpoints? "externaldata operator"…
Sentinel Training - Detect threats with Microsoft Sentinel analytics
Hello, I'm trying to run through some of the free online training on learn.microsoft.com for Sentinel. I'm working on this exercise "Detect threats with Microsoft Sentinel analytics". I have created a free account and deployed the ARM…