How to get all the data from column in conditional statement using KQL in Workbook
I am using kql query name_of_log_table | where abc has "103.90.06.102" | where pqr == "def" | project ip to get specific ip address from log table from the column name abc but now i want to get all the data from that…
Logs not visible in Azure function app monitor
We have a schedule cron time expression of 15 minutes for a timer-trigger function app. At each trigger we ingest some amount of data into Sentinel from a total of 2,75,00,000 records. While ingesting this data we are unable to see some of the logs in Azure…
MSTICPY config https://stackoverflow.com/questions/60160686/syntaxerror-in-jupypter-notebook-for-msticpy-queryproviderfile Error
Getting an error while setting up the MSTICPy Configuration. On running the code below I am getting an error ValueError: File not found: 'None'. from msticpy.config import MpConfigEdit import os mp_conf = "msticpyconfig.yaml" check if…
Drill down in azure sentinel workbook
In Splunk, we have the drill-down option in the dashboard so is that possible in azure sentinel workbook? consider I have one chart(tile or piechart) so when I click on that I want to open another tab with specific kql, visualization and dynamic…
"MMC has detected an error in a snap-in" message
In Windows 10, whenever an application is started, it displays the error message "MMC has detected an error in a snap-in". The applications tried are Microsoft Management Console, Local Security Policy, rsop.msc
Azure Monitor - Security Logs to Log Analytics
Hi, The solution requirement is to store Audit Logs (Security logs) from the Azure Monitor in Azure Log Analytics. After installing an agent for Azure Monitor and checking the collected logs, it is understood that Security logs are not…
Azure Sentinel + LightHouse minimize costs
Hello, Currently I am using Lighthouse to integrate Tenant A with Tenant B. Tenant A has a Log Analytics workspace and a Microsoft Sentinel instance, and is being used as a central SIEM for all log sources. We have used Lighthouse to have access to the Tenant…
Archive Az Activity and Usage for 120 days
Need some suggestions I have been able to set the archive through the powershell code as mentioned in "https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Archive-Log-Tool/ArchiveLogsTool-PowerShell/Configure-Long-Term-Retention.ps1" . …
Is it possible to upload a file through a workbook?
I have a workbook that depends on data that is uploaded to a blob container, the container is already updated by a logic app which works fine. But is there a way that a user could also upload a csv directly to a blob via a workbook?
Send subscription activity logs to Sentinel?
Hello, I'd like to find out how to send activity logs for multiple subscriptions to Azure Sentinel. I found in the docs https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-activity that the data source can be enabled within a few…
Connecting Amazon S3 to Azure Sentinel
We have stored CloudWatch logs to Amazon S3 buckets using Kinesis Firehose. Now the requirement is to analyze those logs in S3 through Azure Sentinel. Followed this document "Connect Microsoft Sentinel to Amazon Web Services to ingest AWS…
BehaviorAnalytics stopped collecting FailedLogon events
Hi there. Starting from April 2022 we experience the situation where the query to the BehaviorAnalytics table doesn't select any records with the ActivityType containing 'FailedLogOn'. And there are no records like that if you select the records without…
Regarding OAuth type authentication in CCP connector in Sentinel
We are willing to create a CCP data connector for the data source in which OAuth type authentication is required. Is there any way to do it and if yes then can you please share the way how to do it or else share any alternative of this if possible.
Azure Sentinel - Azure Active Directory data connector does not display sign-in logs
Hi. In February 2022 I set up Microsoft Sentinel with Azure Active Directory and everything worked fine. All logs from the connector synced. In March it suddenly stopped working, now I only get AuditLogs. The only change I have made is the change…
Sentinel Log Ingestion Threshold
I want to build the functionality to alert me when my org's Sentinel log ingestion is at or near the daily threshold. We're capped at 200 GB/day, so ideally I'd like to receive one alert when we're at 180 GB, another alert when we're at 190 GB, and then…
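One way to express the threshold check described in this post, as an added KQL example that is not part of the original post: the query below sums billable ingestion for the current UTC day from the Usage table and labels it against the 180, 190 and 200 GB marks mentioned above. The table name, the IsBillable and Quantity columns (Quantity is reported in MB) and the assumption that the daily cap resets at midnight UTC are all assumptions to verify against your workspace settings.

```kql
// Added example, not from the original post.
// Assumes the Usage table, with Quantity in MB and an IsBillable flag,
// and that the workspace daily cap resets at 00:00 UTC.
Usage
| where TimeGenerated >= startofday(now())
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2)
| extend Threshold = case(
      IngestedGB >= 200, "200 GB daily cap reached",
      IngestedGB >= 190, "190 GB warning",
      IngestedGB >= 180, "180 GB warning",
      "below threshold")
| where Threshold != "below threshold"
| project Threshold, IngestedGB, CheckedAt = now()
```

Scheduled as an analytics rule that runs hourly and fires when the query returns more than zero rows, this produces one alert per threshold stage; if your workspace's cap reset time is not midnight UTC, replace startofday(now()) with a window aligned to that reset so the running total matches what the cap actually counts.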
Playbook for IP blocking using FortiGate Firewall
Hi All Could someone please help me with how to achieve automatically IP blocking by using the sentinel SOAR capability. In our environment, we are using FortiGate Firewall. Could you please give the list of requirement from FortiGate Firewall and…
How to forward multiple NSG (different subscription) logs to Log Analytics workspace
Scenario: Currently, the Log Analytics workspace and Azure Sentinel are in the same subscription. The requirement is that all NSG logs (different subscriptions and different locations) need to be forwarded into the existing Log Analytics workspace. Kindly suggest…
Application logs are not visible in Azure Sentinel
While testing the Azure Sentinel application we are getting proper logs when we run the Azure function app manually (Test/Run). But when Azure Sentinel triggers the function app at a specific interval some logs are not visible after some time triggered at…
Steps to Create a playbook to transfer log analytics data to a blob storage
Is there any playbook available for transferring Log Analytics data to Blob storage? If not, then what are the prerequisites to set it up? I want to send data to Blob every 31st day. Can this playbook be triggered automatically?
Azure Information Protection Audit logs no longer supported on Sentinel/LAW
I recently tried to add the data connector in Sentinel for Azure Information Protection and I got notified that this is no longer possible. Link to info: …