982 questions with Microsoft Sentinel tags

2 answers

How does "Microsoft Sentinel" integrate with Alibaba Cloud?

"" uses Microsoft Sentinel as its SIEM solution and logs need to be available to it. This will probably require some type of custom integration. How does "Microsoft Sentinel" integrate with Alibaba Cloud?

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
982 questions
asked 2022-03-28T13:00:45.487+00:00
Patrick Ejida 1 Reputation point
answered 2022-03-29T23:16:32.427+00:00
JamesTran-MSFT 36,376 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Data Connector to enable bidirectional sync between Microsoft Sentinel and Jira Service Management

Hi Team, Are there plans to make available a data connector to enable bidirectional sync between Microsoft Sentinel and Jira Service Management? It would be great to have the following features available for this connector: Auto-creation of tickets…

Microsoft Sentinel
asked 2022-03-24T09:57:43.69+00:00
Anand R Menon 286 Reputation points
commented 2022-03-29T09:18:52.16+00:00
Anand R Menon 286 Reputation points
2 answers One of the answers was accepted by the question author.

Is there any way to filter out a specified security event ID from Sentinel?

We ingest the security log into Sentinel. Is there any way to filter out event ID 4662 from Sentinel?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,200 questions
Microsoft Sentinel
asked 2022-03-26T11:26:32.077+00:00
vivek8647 41 Reputation points
accepted 2022-03-28T11:33:20.64+00:00
vivek8647 41 Reputation points
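An added example for the question above (this is not the accepted answer and not Microsoft's code): when the Security log is collected through the Azure Monitor Agent, the place to drop an event ID is the data collection rule's ingestion-time transformation, so the records are never ingested or billed. The transformation assumes the DCR's input stream is `Microsoft-SecurityEvent`, that the input table is referred to as `source` (which is how transformations name it), and that the columns carry the SecurityEvent names `EventID` and `EventData`. Rather than dropping every 4662, it keeps the small subset that DCSync detections depend on: directory-service object accesses that exercise the replication extended rights, identified by their well-known rights GUIDs.

```kql
// Added example: transformKql for a data collection rule on the
// Microsoft-SecurityEvent stream. 'source' is the DCR input table.
// Assumes SecurityEvent column names (EventID, EventData).
// Everything that survives the 'where' is ingested; 4662 is dropped
// unless the access involved a replication extended right.
source
| where EventID != 4662
    // DS-Replication-Get-Changes
    or EventData has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    // DS-Replication-Get-Changes-All
    or EventData has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    // DS-Replication-Get-Changes-In-Filtered-Set
    or EventData has "89e95b76-444d-4c62-991a-0facbeda640c"

// Query-time check to run in Logs once the transformation is deployed:
// 4662 volume should collapse to the replication-right accesses only.
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4662
| extend ReplicationRight = EventData has_any (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c")
| summarize Events = count() by Computer, ReplicationRight
```

The first query goes into the `transformKql` property of the DCR's data flow for that stream (the Sentinel "Windows Security Events via AMA" connector creates the DCR; the transformation is edited on the DCR resource, not in the connector page). Transformations support only a subset of KQL, but `where`, `or` and `has` are within it. The legacy Log Analytics agent connector offers no per-event filter, only the All/Common/Minimal event sets, so this approach requires AMA.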
1 answer

Storage location of Microsoft Sentinel Incidents

Hi Team, We have a test Microsoft Sentinel environment where we have a data retention period of 30 days. When I check the 'SecurityIncident', 'SecurityAlert' etc. tables, as expected, there is no data present before the 30-day period. But on the…

Microsoft Sentinel
asked 2022-03-18T09:33:58.27+00:00
Anand R Menon 286 Reputation points
commented 2022-03-26T06:56:40.567+00:00
Anand R Menon 286 Reputation points
1 answer One of the answers was accepted by the question author.

Logs through AMA agents

I have set up AMA agents with a DCR, and we are receiving logs. For Windows, AMA is receiving through the "Windows Security Events via AMA" connector and it is showing the DCRs created. My question is, why is it sending Linux logs through Syslog…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,805 questions
Microsoft Sentinel
asked 2022-03-21T11:33:48.097+00:00
Soumya Banerjee 126 Reputation points
accepted 2022-03-25T08:04:09.407+00:00
Soumya Banerjee 126 Reputation points
1 answer

Will a problem occur in getting our own Data Connector certified by Microsoft if it contains multiple timer trigger functions?

Will there be any problem getting our own DataConnector certified by Microsoft and made publicly available on the Azure platform if we use three timer trigger functions inside the DataConnector? If yes, then what is the preferred solution to overcome that issue? …

Microsoft Sentinel
asked 2022-03-24T13:44:16.987+00:00
Rushit Ajudiya 146 Reputation points
answered 2022-03-25T07:32:29.427+00:00
Givary-MSFT 28,061 Reputation points Microsoft Employee
1 answer

Having trouble with the creation of an Azure Sentinel Stealthwatch Log Analytics query

I'm working on a project to create a Stealthwatch (Cisco) Log Analytics query from a canned workbook query available from the Azure Sentinel portal (Data Connectors > Cisco Stealthwatch). I've added the function to my LA query section and it will run…

Microsoft Sentinel
asked 2022-03-23T20:50:59.06+00:00
Craig Bush 1 Reputation point
answered 2022-03-24T03:05:17.597+00:00
Andrew Blumhardt 9,496 Reputation points Microsoft Employee
1 answer

Sentinel security event collection and dual homing

Hi I am trying to figure out how (where) to set collection for Windows Security events for Microsoft Sentinel. The environment consists of 2 workspaces, one for performance data, and one for Sentinel. They are in different subscriptions. The goal is…

Microsoft Sentinel
asked 2022-03-15T18:04:48.8+00:00
Chris 6 Reputation points
commented 2022-03-16T15:48:19.107+00:00
JamesTran-MSFT 36,376 Reputation points Microsoft Employee
2 answers One of the answers was accepted by the question author.

Azure Sentinel - Query help

Dear All, I need to write a query to hunt for OS Credential Dumping: NTDS (T1003.003). Kindly help if you have any information.

Microsoft Sentinel
asked 2022-02-15T14:33:19.247+00:00
karthik palani 1,016 Reputation points
answered 2022-03-14T21:36:40.067+00:00
Chiheb Chebbi 1 Reputation point MVP
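An added hunting query for the T1003.003 question above; it is not one of the posted answers. It looks for the ways ntds.dit usually leaves a domain controller: an `ntdsutil` IFM snapshot, a shadow copy (vssadmin/diskshadow/wbadmin) followed by a copy of the file, or `esentutl` reading the database. It assumes process-creation telemetry is present in one of two tables: `SecurityEvent` event 4688 (with command-line auditing enabled, otherwise `CommandLine` is empty) and/or Defender for Endpoint's `DeviceProcessEvents`. The seven-day lookback and the output column names are choices made here.

```kql
// Added hunting query for T1003.003 (OS Credential Dumping: NTDS).
// Assumes SecurityEvent 4688 with command-line auditing and/or
// DeviceProcessEvents from Defender for Endpoint. Adjust the lookback.
let lookback = 7d;
let from_security = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | extend Command = tolower(CommandLine), Image = tolower(NewProcessName)
    | project TimeGenerated, Host = Computer, User = SubjectUserName,
              Image, Command, Source = "SecurityEvent";
let from_mde = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | extend Command = tolower(ProcessCommandLine), Image = tolower(FolderPath)
    | project TimeGenerated, Host = DeviceName, User = AccountName,
              Image, Command, Source = "DeviceProcessEvents";
union from_security, from_mde
| where isnotempty(Command)
// Each branch requires a concrete dump action, not just a stray keyword.
| where (Command has "ntdsutil"
            and Command has_any ("ifm", "create full", "ac i ntds", "activate instance ntds"))
    or (Command has "ntds.dit"
            and Command has_any ("copy", "xcopy", "robocopy", "esentutl"))
    or (Command has "vssadmin" and Command has "create shadow")
    or (Command has "diskshadow" and Command has_any ("/s", "exec"))
    or (Command has "wbadmin" and Command has "start backup")
| extend Technique = "T1003.003"
| summarize Events = count(),
            Commands = make_set(Command, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Host, User, Source, Technique
| order by LastSeen desc
```

Scope it to domain controllers (for example with a watchlist of DC hostnames joined on `Host`) before turning it into an analytics rule, and expect legitimate hits from backup software and scheduled IFM media creation; those are the hosts and accounts to allow-list, not the technique.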
3 answers

Newbie Question - Sentinel Deployment: Cost & Effort Required

I'm considering deploying Sentinel for our Azure & Non-Azure environment. We're a small, nonprofit Windows shop. Where is the best place to get an idea of the cost and effort involved?

Microsoft Sentinel
asked 2022-02-08T14:49:49.463+00:00
Alex Alborzfard 1 Reputation point
answered 2022-03-14T21:06:18.54+00:00
Chiheb Chebbi 1 Reputation point MVP
1 answer

Atypical Travel / Unfamiliar sign-in properties

Hi, I get a few atypical travel / unfamiliar sign-in properties incidents from time to time, where privileged users sign in from the same IP (52.98.175.181, Amsterdam, Noord-Holland) owned by Microsoft. I dismiss these as false positives, but I'm…

Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,537 questions
asked 2022-03-11T13:54:00.26+00:00
xjt910 21 Reputation points
commented 2022-03-14T10:05:29.273+00:00
xjt910 21 Reputation points
1 answer One of the answers was accepted by the question author.

Can we update existing records of a custom log table in a Log Analytics workspace?

Hello, We configured Azure Sentinel and ingested data into a custom log table in log analytics workspace. Now we want to update existing records in the log table. We have tried to use the replace_string() function of KQL to update some data in record…

Azure Monitor
Microsoft Sentinel
asked 2022-03-11T13:27:12.52+00:00
Rushit Ajudiya 146 Reputation points
accepted 2022-03-14T04:11:20.867+00:00
Rushit Ajudiya 146 Reputation points
2 answers One of the answers was accepted by the question author.

Microsoft Sentinel get playbooks by trigger kind

Hi, I'm trying to pull all my playbooks using the workflows API - https://learn.microsoft.com/en-us/rest/api/logic/workflows/list-by-resource-group How can I know which workflow is using the trigger kind "Microsoft Sentinel Alert" and…

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,760 questions
Microsoft Sentinel
asked 2022-02-24T10:07:35.467+00:00
Yair Rascovsky 21 Reputation points
commented 2022-03-10T07:56:46.24+00:00
Yair Rascovsky 21 Reputation points
1 answer

External Data / Watchlist enrichment help

I've tried a lot of different solutions and can't quite seem to get it. I want to enrich an alert I have created where we get notified that a user has logged in outside of my organisation's country of operations. The AAD logs provide that location,…

Microsoft Sentinel
asked 2022-03-03T11:34:07.117+00:00
I'mLenny 51 Reputation points
commented 2022-03-09T23:13:48.633+00:00
Marilee Turscak-MSFT 33,951 Reputation points Microsoft Employee
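An added example for the watchlist question above, not taken from the thread: successful Entra sign-ins are compared against an allow-list watchlist with `_GetWatchlist()`, and anything from a country not on the list is summarised per user. It assumes a Sentinel watchlist named `AllowedCountries` with a column `CountryCode` holding ISO 3166-1 alpha-2 codes (for example `GB`), which is the same two-letter form Entra writes to `LocationDetails.countryOrRegion`; both the watchlist name and the column name are choices made for this example.

```kql
// Added example: successful sign-ins from countries not on the
// "AllowedCountries" watchlist (column "CountryCode", ISO alpha-2).
// Watchlist name and column are assumptions for this example.
let allowed = _GetWatchlist('AllowedCountries')
    | project CountryCode = toupper(tostring(CountryCode));
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                       // successful sign-ins only
| extend Country = toupper(tostring(LocationDetails.countryOrRegion)),
         City = tostring(LocationDetails.city)
| where isnotempty(Country)
// leftanti keeps only the rows whose country is NOT in the watchlist
| join kind=leftanti allowed on $left.Country == $right.CountryCode
| summarize SignIns = count(),
            Cities = make_set(City, 5),
            Apps = make_set(AppDisplayName, 5),
            IPs = make_set(IPAddress, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, Country
| order by LastSeen desc
```

Because the watchlist join runs inside the rule query, the resulting alert already carries `Country`, `Cities` and `IPs` as custom details without a playbook. If the expected country varies by user, swap the org-wide list for a watchlist keyed on `UserPrincipalName` with a `HomeCountry` column and join on the user instead; if known-good egress IPs (VPN, cloud services) cause noise, add a second watchlist of CIDR ranges and exclude matches with `ipv4_is_in_range()`.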
1 answer

Continuous Threat Monitoring for GitHub from the content hub for Microsoft Sentinel not working in Africa

Hi guys, I get errors when I deploy this official connector. Any advice? Or where do I ask the people to fix it?

Microsoft Sentinel
asked 2022-02-28T08:40:15.863+00:00
Tiaan Opperman 6 Reputation points
commented 2022-03-07T18:03:15.447+00:00
JamesTran-MSFT 36,376 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Defender for IoT - Migration Strategy (OT Solution)

Hi all, I have been requested to migrate the OT solution (Defender for IoT stack) to an alternative subscription. I have noted that you cannot move the workspace (resource) to an alternative subscription. Is there an existing strategy for moving the stack,…

Azure IoT
A category of Azure services for internet of things devices.
382 questions
Microsoft Defender for Cloud
Microsoft Sentinel
asked 2022-03-01T11:13:17.863+00:00
Hernus Bornman 21 Reputation points
accepted 2022-03-07T07:27:49.417+00:00
Hernus Bornman 21 Reputation points
1 answer One of the answers was accepted by the question author.

Microsoft Defender for Endpoint Alerts in Microsoft Sentinel

Hi, Currently I have enabled Microsoft Defender for Endpoint Alerts to flow to Sentinel by enabling it in the corresponding Sentinel Connector. Is it possible to configure such that Defender incidents appear in Sentinel with all the correlated alerts…

Microsoft Sentinel
asked 2022-01-31T12:26:56.66+00:00
Anand R Menon 286 Reputation points
commented 2022-03-05T05:41:51.667+00:00
Anand R Menon 286 Reputation points
1 answer One of the answers was accepted by the question author.

Sending syslog from a Windows syslog server running Kiwi

We currently have a Windows syslog server running Kiwi Syslog. Rather than creating a new VM, I would like to use this server to forward the logs to Azure Sentinel. Is this possible? It looks like the agent Azure provides only runs on Linux machines. …

Microsoft Sentinel
asked 2022-03-01T15:24:22.727+00:00
Yash 21 Reputation points
accepted 2022-03-04T15:04:17.56+00:00
Yash 21 Reputation points
1 answer

Log via syslog server agent to Azure Sentinel (list of IPs?) & dual agent to two Log Analytics workspaces

Hi, I am currently looking at setting up something like this: Security devices > syslog server > Microsoft Sentinel In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel?…

Microsoft Sentinel
asked 2022-03-04T11:15:48.127+00:00
Johnny C.Y. Tang 41 Reputation points
answered 2022-03-04T11:48:13.23+00:00
Andrew Blumhardt 9,496 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

Sentinel log analytics backup issue

I followed the official guide (https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/move-your-microsoft-sentinel-logs-to-long-term-storage-with-ease/ba-p/1407153) to move the Microsoft Sentinel logs to blob. But the volume of data per…

Microsoft Sentinel
asked 2022-02-25T01:29:55.06+00:00
leo.yeung 21 Reputation points
accepted 2022-03-03T01:21:57.487+00:00
leo.yeung 21 Reputation points