1,104 questions with Microsoft Sentinel tags

1 answer

Microsoft Sentinel Log integrity and non-repudiation

I have a question about Microsoft Sentinel's log integrity and non-repudiation properties of audit logs. For example, Splunk uses bucket hashing to protect its logs. Does Sentinel via Azure have any such protection, or can anyone shed light on how the…

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,104 questions
asked 2024-09-03T12:09:04.5066667+00:00
Darren Hughes 0 Reputation points
commented 2024-09-03T15:47:13.3666667+00:00
Clive Watson 6,271 Reputation points MVP
1 answer

How to ingest logs in Sentinel from Azure cross-tenant resources? Such as Azure Diagnostics, AAD, etc.

I need to ingest logs from my organization's cross-tenant resources into our primary tenant, where we've centralized Sentinel as a SIEM. My Microsoft partner said I cannot use the Lighthouse option as my organisation is not an MSP. Can someone please in brief…

Microsoft Sentinel
asked 2024-09-03T09:43:36.62+00:00
Ajhar Hussain 0 Reputation points
answered 2024-09-03T13:12:40.63+00:00
Clive Watson 6,271 Reputation points MVP
1 answer

How to integrate Entitle with Sentinel

Hi Team, I wanted to integrate Entitle with Sentinel, but I noticed that there is no built-in connector for Entitle in Sentinel by default. After speaking with the Entitle support team, they informed me that Entitle uses webhooks for integration. Could…

Microsoft Sentinel
asked 2024-09-02T09:34:19.42+00:00
Ali Salem Panah 0 Reputation points
answered 2024-09-03T09:33:20.6966667+00:00
Clive Watson 6,271 Reputation points MVP
0 answers

The syslog log cannot be sent to Sentinel, and the AMA status is normal

Microsoft Sentinel
asked 2024-09-03T08:18:13.24+00:00
Rong Ye 0 Reputation points
edited a comment 2024-09-03T09:27:18.03+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
1 answer

Microsoft Sentinel - Data Connector is showing as disconnected but is sending logs.

Hello everyone. I have a client that has both the 'Common Event Format via Legacy Agent' and 'Common Event Format via AMA' Data Connectors in their Microsoft Sentinel environment. Both are sending logs to the 'CommonSecurityLog' table, but oddly the…

Microsoft Sentinel
asked 2024-08-26T16:50:10.22+00:00
Matthew Agosta 0 Reputation points
answered 2024-09-03T05:45:34.6366667+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
2 answers One of the answers was accepted by the question author.

How to parse/extract data that is in the 'SyslogMessage' field in MS Sentinel?

I have recently integrated and ingested Syslog data into MS Sentinel. Unfortunately, there is a field named "SyslogMessage" that appears to be NOT parsed. How do I parse the data that is in the "SyslogMessage" field and turn them into…

Microsoft Sentinel
asked 2022-01-10T20:23:16.43+00:00
AzureSent-0127 41 Reputation points
edited the question 2024-09-03T02:54:45.5133333+00:00
Yan Xie 40 Reputation points Microsoft Employee
0 answers

Managing Customer Sentinel through Azure Lighthouse

Hi Experts, please help. I have registered our customer on our Azure Lighthouse. I can see their Sentinel with data in it, but when I try to check data connectors, I am getting the below errors: Can't see any connector connected, but when the customer Global…

Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
75 questions
Microsoft Sentinel
asked 2024-08-31T06:52:45.7733333+00:00
Naveen Sharma 20 Reputation points
0 answers

How to fix error when creating Sentinel-All-In-One MS Azure deployment

When attempting to create MS Azure Sentinel-All-In-One deployment, I get an error message for the enableSolutionsAndAlerts resource. The provided script failed with the following error: Microsoft.PowerShell.Commands.HttpResponseException: Response…

Microsoft Sentinel
asked 2024-08-28T05:27:14.0766667+00:00
Keith 0 Reputation points
edited a comment 2024-08-30T17:23:04.12+00:00
Keith 0 Reputation points
1 answer

Subscription field is not available in Microsoft Sentinel All-In-One in Azure

I'm getting "No Items available" when attempting to deploy Microsoft Sentinel All-In-One in my Azure account. Under the Basic tab, the Subscription field is a mandatory field. It should load my primary account, but nothing comes up.

Microsoft Sentinel
asked 2024-08-28T03:23:25.04+00:00
Keith 0 Reputation points
edited an answer 2024-08-30T07:35:40.5033333+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
1 answer

Enabling UEBA

Dears, I am trying to enable UEBA in my Sentinel, but I am facing an issue when validating the data source as follows: where I have all necessary permissions. Can anybody help me? Thanks

Microsoft Sentinel
asked 2024-08-27T10:26:38.0333333+00:00
Firas Aqel 0 Reputation points
answered 2024-08-30T07:18:35.9466667+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
0 answers

We are having problems with a Playbook that performs an automation for Sentinel

We are having problems with a Playbook that performs an automation for Sentinel: Objective: Add one or more IPs from the incident to a named location. Problem: - In one of the HTTP GET steps, Logic Apps reports the error "required scopes are…

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,230 questions
Microsoft Sentinel
asked 2024-08-29T17:28:32.88+00:00
Marcos Guedes 0 Reputation points
2 answers

SecurityEvent Table Transformation DCR not working

I'm having an issue with ingestion onto a Workspace that is connected to Microsoft Sentinel. I have created a Transformation DCR / Ingestion Time Filter on the SecurityEvent table, but am still seeing events in the logs that should have been filtered…

Microsoft Sentinel
asked 2024-08-09T18:36:16.23+00:00
Greg Sneed 20 Reputation points
commented 2024-08-29T16:14:20.65+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
0 answers

Ingestion of AWS CloudWatch data to Microsoft Sentinel using S3 connector

Hello everyone, I want to integrate CloudWatch logs to S3 bucket using Lambda function and then to send those logs to Microsoft Sentinel. As per Microsoft documentation provided: Ingest CloudWatch logs to Microsoft Sentinel - create a Lambda function to…

Microsoft Sentinel
asked 2024-08-28T13:20:31.66+00:00
Vasilije Djurovic 66 Reputation points
edited a comment 2024-08-29T13:29:27.3833333+00:00
Vasilije Djurovic 66 Reputation points
0 answers

How to export Microsoft Sentinel logs

I'm trying to export Microsoft Sentinel logs and insights to Palo Alto XSIAM, so I need to know if there's any configuration I need to do on Microsoft Sentinel or any functionality that needs to be enabled on Sentinel for this integration to be seamless.

Microsoft Sentinel
asked 2024-08-26T12:14:30.4366667+00:00
Abbas Adeyinka Olasupo 0 Reputation points
commented 2024-08-29T10:36:21.6833333+00:00
Sandeep G-MSFT 18,041 Reputation points Microsoft Employee
2 answers

How do I disconnect data connectors in Sentinel?

I'm trying to remove data connectors from the Microsoft Sentinel tab. The data connectors that are giving me issues are ones that are still "ingesting" data, but there is no data collection rule attached to them. They are being collected through…

Microsoft Sentinel
asked 2024-08-23T19:14:08.1733333+00:00
Khalid Alkazak 5 Reputation points
edited a comment 2024-08-29T06:42:44.25+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
1 answer

AMA agent installation vs Arc agent install?

Hi there, There are 2 procedures for installing the Azure AMA agent for use with Sentinel as a syslog collector: install the AMA agent using the python script provided by Sentinel: …

Microsoft Sentinel
asked 2024-08-27T20:03:16.6766667+00:00
David Broggy 5,716 Reputation points MVP
answered 2024-08-29T05:19:49.5666667+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
0 answers

I am getting this error: "Connectivity check failed: Status code: S3B40023, Message: An Access Denied exception occurred when attempting to download a S3 object - bucket cloudtrail-s3-xxxxxx-xxx-xx. Ensure the S3 has the specified permissions in its "PERMI"

Hello all, we were working on ingesting logs in Sentinel using the AWS S3 connector. After the connection was made successfully, it worked fine and we were able to see the logs. But today we stopped getting the logs. When I run the health command, I got this…

Microsoft Sentinel
asked 2024-08-23T18:20:35.56+00:00
Karan Prabhakar 0 Reputation points
commented 2024-08-28T08:48:56.8466667+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
0 answers

How to use data transformation on the SecurityEvent table in Sentinel to drop events

Hi there, I'd like to use a data transformation to filter some events entering Sentinel. The test I'm doing is with the SecurityEvent table. I added this transformation: source | where EventID <> 4688 However, after waiting an hour I'm still seeing…

Microsoft Sentinel
asked 2024-08-23T15:29:04.7333333+00:00
David Broggy 5,716 Reputation points MVP
commented 2024-08-28T08:35:09.6733333+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
1 answer

Defender for Endpoint log retention

Hi there, in order to increase data retention for the CloudAppEvents or DeviceRegistryEvents tables, I know we can ingest them into Microsoft Sentinel. My question is whether there is another way to store these logs? I just want to retain the logs for cold storage…

Microsoft Sentinel
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection. Training: Instruction to develop new skills.
38 questions
asked 2024-08-27T11:01:19.6966667+00:00
Luís Costa 206 Reputation points
answered 2024-08-28T05:54:25.0133333+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee
2 answers

Not able to ingest logs from Microsoft Exchange and Microsoft Defender XDR

Hey, I have deployed Microsoft Sentinel and am able to get some logs from signing logs. But I want logs for my cloud apps, and for that I have installed the Microsoft Defender XDR connector. It is connected successfully, but when I checked…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,335 questions
Microsoft Sentinel
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
135 questions
asked 2024-08-21T19:39:24.9066667+00:00
Robin Jha 0 Reputation points
answered 2024-08-27T05:29:32.5133333+00:00
Givary-MSFT 32,116 Reputation points Microsoft Employee