Is it possible to manipulate Azure Sentinel Watchlists through PowerShell/API
Hi team: Is it possible to administer Azure Sentinel Watchlists through PowerShell, like Rules with Az.SecurityInsights? The aim is to keep Watchlist references in an outer VCS for simpler manipulation, and sync them with PowerShell to the remote. Thanks,
Entities not correctly displaying in custom alerts in Azure Sentinel
I have created an alert in Azure Sentinel that will alert me when a user account has recorded an event that has originated outside of my country of work. When an incident is created I am able to display the UPN under the "Entities" section…
Clone project code from Azure Git with IDEA
I cloned code from Azure Git with Microsoft auth info. When I choose the project and click the clone button, the IDEA console shows the error notes below. Anyone who has dealt with the same case, please show the way to solve it. Thanks! Invocation…
Import Summary Field from Azure Activity logs into Sentinel
Hi. I want to import the Message field under Summary in Azure Activity logs under Monitor. In the provided screenshot I want to export the 2nd field into Sentinel to find out who was granted the permissions.
Sentinel Playbook "Block-IP-Address-Meraki" erroring out
Hi, The Microsoft Sentinel playbook "Block-IP-Address-Meraki" is erroring out on execution with the error "Cannot override L3 firewall rules on a network bound to a template - the firewall rules are inherited from the template."…
Sentinel Connector custom parsers not found
The configuration steps for the connectors "Apache HTTP Server" and "VMware ESXi" mention "This data connector depends on a parser based on a Kusto Function to work as expected". But these custom parsers are not…
API Sentinel Alert List pagination
Hi, in many of the API GET lists there's an option to use $top for limiting the response size, which returns a nextLink param. In GET List of alerts I can't control the size using $top, but, as in the doc, I still receive nextLink. Why is $top not supported…
Updating threat indicator in Microsoft Graph HTTP Error 404 on IndicatorId from Microsoft Sentinel
Trying to update ThreatIndicator in Sentinel via the Graph API to Active=False but getting HTTP Error 404. When querying via: ThreatIntelligenceIndicator | where Active == true | limit 5 | project IndicatorId, Active Taking the IndicatorId…
Microsoft and SOC Alert
Dear All, I need some advice: to check logs or incidents inside the Microsoft cloud, you need to log in to many different consoles, and most of them do not reflect each other; for example, Azure AD Identity Protection and the Azure Sentinel console need to be opened to check…
Sign-ins from IPs that attempt sign-ins to disabled accounts
Dear Team, could you advise me what I have to do with this kind of alert: Sign-ins from IPs that attempt sign-ins to disabled accounts
Sentinel Alert on below average log activity
Is it possible to run a query in Sentinel that averages out the last 7 days of daily total log events for our monitored servers and then triggers an alert if the last 24 hours shows events a certain percentage below the 7-day average? I have…
Carbon Black and Sentinel
How do I receive Carbon Black logs into Sentinel without an AWS S3 bucket? Is it possible? I want to send data from Carbon Black to ADX for longer retention. We will separately send alerts from Carbon Black to another SOAR platform. But just for long…
How to segregate data inside Sentinel?
We have Logstash sending all different logs to one custom table (created in the output conf file in Logstash) in Sentinel. Note: We are not considering creating filters on the Logstash end and then defining an output file in Logstash to send to different…
Azure API Access Token with Longer Life
Is there a way to get an Azure Active Directory token with a longer lifetime? Is that something that can be requested as a parameter or header when submitting the x-www-form-urlencoded request? I ask as I have a FreshService workflow that updates a…
Sentinel Pay-as-you-go
Hi, is there only a Pay-as-you-go option for a Sentinel workspace when you have P1? Thanks,
Creating KQL Query to Detect and Alert on Offline Log Sources
G'Day, We're trying to alert when one or more log sources go offline in Sentinel, then project or summarize the offline log source(s) into an offense for review. I'm using the Heartbeat table here as an example because most people will have it. The…
Azure Sentinel Num Of Open Incidents
I'd like to know if there is a way to write a query that returns: Total number of Incidents created. Total number of "Closed" and "Open" Incidents. So far I have tried: SecurityIncident | distinct ProviderIncidentId |…
How to Parse/Extract data that is in 'SyslogMessage' field in MS Sentinel ?
I have recently integrated and ingested Syslog data to MS Sentinel. Unfortunately there is a field named "SyslogMessage" that appears to be NOT parsed. How do I parse the data that is in "SyslogMessage" field and turn them into…
Watchlist use force query time in log analytics
Hello, have I missed something with watchlist use? Time is set by default when using a watchlist, even for a non-existing watchlist:
Azure Sentinel Incidents - Change the default lookback time for all users
Hi - I want to change the default time view for all of my users in Azure Sentinel (not just myself). I can change it manually, but when I come back to the page it defaults back to 24 hours. I'd like to change the behavior to default to 7 days…