In Logic apps how to pass a single backslash (\) as string in another action?
Hello there, I am making a logic app which has one HTTP request action. Inside that HTTP body I want to pass a variable which has a string with a backslash. But when I tried, every single backslash was transformed into two backslashes. Can…
Blocked download - Azure-512p-maskable.png
Only since 29th June have we observed several Sentinel Incidents across multiple users when they attempt to login, 'Block download on Unmanaged Device' where the blocked download appears to be an Azure image file, 'Azure-512p-maskable.png'. …
How to use a Logic app or Function app to apply a PowerShell script to connect into a Fortigate firewall and apply an IP address to a blocked list.
I am using Azure Sentinel with the Fortigate firewall connector to receive CEF logs and filter whenever our firewall detects a failed "SSL-VPN-Login". I created an Analytic rule that runs the KQL query, //Query Failed VPN Logins …
VMware ESXi (Preview) connector for Sentinel not connected
I am having problems getting the VMware ESXi (Preview) connector connected from Sentinel. From the VMware side it seems to be working because I can see the logs getting into the Syslog Linux (Ubuntu) agent. But from Sentinel the connector shows not…
Is there any way to insert custom data into the Incident table (SecurityIncident) of Microsoft Sentinel?
Can we ingest the data record directly into the Incident table in Microsoft Sentinel? Reference for Microsoft Sentinel Table:
Sentinel _LogOperation Alerts and Workbooks
Does anyone have a meaningful alert or workbook related to the Sentinel _LogOperation table? Looking at the table content, there is lots of noise.
MS Sentinel is unable to show outbound traffic malicious incidents for AWS Data Connector
Hi community, We are unable to detect outbound malicious traffic coming from AWS. AWSVPCFLOW does not have the malicious IP details. We are using AWS S3 Connector that is available in Sentinel for AWS connectivity. We are sending detailed flow logs…
Sentinel connectors using functions
Hi all, within functions that are used as connectors for Sentinel, I see lines of code like 'write-host "Successfully did such and such"... where can I see this output from the code? I'm expecting something similar to the output from a…
How to generate incidents for each record entry in a Custom Log Table of a Log Analytics Workspace?
We are trying to create an Incident for every single row of data that is being ingested in a custom log table using an Analytic rule, but it generates just a single incident for all the entries in the custom log table. Is there a way to have an Incident…
Clear GitHub Authorization from Sentinel
I'm building out a Sentinel Service and as part of this, I am leveraging GitHub for my Content control. What I'm trying to do is walk through the "Add Repository" process from scratch; however, once I've added the Credentials, they're cached. How…
KQL - suggest logic for NetIQ use cases
Hello, Can someone suggest a KQL logic for the following use cases: • Brute force attack against user credentials • Potential Password Spray Attack • User login from different countries within 3 hours • Sign-ins from IPs that attempt…
My ask question disappeared from my profile
My ask question disappeared from my profile and I can't make a question or answer it, and I need to increase my points in my profile, and my friends follow me and answer my questions.
How to improve PowerShell logging in Sentinel
Any thoughts on how to improve PowerShell logging in Sentinel, besides enabling advanced PowerShell auditing and using Defender for Endpoint? I just read this (old) article on blue team practices with PowerShell and I wonder how much of this is now…
Unable to choose log analytics workspace for policies/sentinel connector
I have a problem regarding Azure Policies / Sentinel. I am unable to link any Log Analytics workspace to policies for enabling, for example, diagnostic logs or the Sentinel connector for resources. The error I got: The resource type 'workspaces' could not…
Azure Sentinel free ingestion data: is ingestion also free in Log Analytics?
Hello, simple but yet tricky question: some data are free to ingest in Sentinel, such as Office Activity or Alerts. Does "free" mean "really free" or does it mean "free in Sentinel but billable in Log Analytics"? …
Log Analytics - Windows security logs
Hello, I have configured an Azure Log Analytics workspace and two Windows 10 machines have the Monitoring Agent installed. The agent is successfully deployed but I can't see any Windows security event logs such as EventID 4624 and 4625. Not sure if there is…
KQL - extract values from SyslogMessage - How to?
Hello, I want to extract some information from a SyslogMessage in KQL. Let's assume I have the following Syslog Message: "002E0102","A":"002E","O":"NetIQ Access Manager\nidp" I managed to…
Arc Private Link Scope and AMPLS
Has anyone had any luck getting logs sent over AMPLS to Sentinel with the Security Events via AMA connector? I have tested and validated DNS entries on my Arc servers, but despite the DCR being up and AMPLS being fully configured I am still not…
App center -> Application Insights export getting auto disabled
Our mobile app has App Center analytics integrated and export was enabled to Azure Application Insights. Often this setting gets disabled automatically, resulting in data loss on Application Insights. How to determine the root cause?
KQL - what does @ stand for in regex extraction
Hello, I want to extract some data from a SyslogMessage and I'm doing fine with the following: Syslog | where SyslogMessage contains '<EPOevent>' or ProcessName contains 'EPOEvents' | extend EPO_Thread_ID =…