1,129 questions with Microsoft Sentinel tags

4 answers

Caller is missing required playbook triggering permissions on playbook resource

I have created a custom playbook, but I get the error "Failed to trigger playbook: Caller is missing required playbook triggering permissions on playbook resource…"

Tags: Microsoft Sentinel, Microsoft Entra ID
Microsoft Sentinel: a scalable, cloud-native solution for security information and event management (SIEM) and security orchestration, automation and response (SOAR). Previously known as Azure Sentinel. (1,129 questions)
Microsoft Entra ID: a Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory. (21,585 questions)
asked 2023-02-07 06:01 UTC by Robert D. Crane (46 Reputation points, MVP)
commented 2024-09-28 10:48 UTC by rm001 (0 Reputation points)
0 answers

Sentinel unexpected error

Hi! I have an issue with Microsoft Sentinel. Every now and then I get this "unexpected error". When this happens, all connectors show as not connected, and I can't run any queries or see any logs. I still receive incidents based on some analytic…

Tags: Microsoft Sentinel
asked 2024-09-26 06:28 UTC by Sebastian Enström (0 Reputation points)
commented 2024-09-27 08:57 UTC by Clive Watson (6,351 Reputation points, MVP)
1 answer (accepted by the question author)

How to check if workspace is replicated?

Dear support, we are testing out the workspace-replication feature (https://video2.skills-academy.com/en-us/azure/azure-monitor/logs/workspace-replication) for Log Analytics workspaces. When creating a replication workspace and sending the request as mentioned…

Tags: Microsoft Sentinel
asked 2024-09-24 13:35 UTC by Hoeneveld, T.A. (Tim) (30 Reputation points)
commented 2024-09-27 07:53 UTC by Hoeneveld, T.A. (Tim) (30 Reputation points)
1 answer (accepted by the question author)

Sending incident from Sentinel to Teams

Hi, I'm struggling with some very simple automation where Sentinel incidents should be forwarded to a Teams channel. In SOAR Essentials there are two solutions for this: Post Message to Teams and Send Adaptive Card. The first is simpler; it uses Microsoft…

Tags: Microsoft Teams, Azure Logic Apps, Microsoft Sentinel
Microsoft Teams: a Microsoft customizable chat-based workspace. (10,039 questions)
Azure Logic Apps: an Azure service that automates the access and use of data across clouds without writing code. (3,113 questions)
asked 2024-02-16 12:10 UTC by Laszlo Pal (35 Reputation points)
edited a comment 2024-09-26 21:48 UTC by Lee Seeman (16 Reputation points)
1 answer

Which table should I use to pull log ingestion numbers for Computers?

Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist, and then get the log ingestion…

Tags: Microsoft Sentinel
asked 2024-09-09 20:19 UTC by Matthew Agosta (0 Reputation points)
commented 2024-09-26 20:37 UTC by James Hamil (24,571 Reputation points, Microsoft Employee)
0 answers

Atypical Travel - no info for "Previous Location"

Reviewing the output of an Atypical Travel alert, I find detailed information for "Current Location" (City, State, Country), but for "Previous Location" I only get Country. Why is there a discrepancy in the amount of…

Tags: Microsoft Sentinel, Microsoft Entra ID
asked 2024-09-12 17:05 UTC by KyleG (0 Reputation points)
commented 2024-09-26 16:16 UTC by KyleG (0 Reputation points)
1 answer

Error giving permission to Logic Apps from Microsoft Sentinel

I'm having trouble setting up email and SMS alerts with Sentinel due to issues with Logic Apps permissions. I've tried assigning Contributor access to the relevant Logic App, but when I give permission through Manage Playbook Permissions, I get the…

Tags: Azure Logic Apps, Microsoft Sentinel
asked 2024-09-20 20:37 UTC by Lakshan Sameera (0 Reputation points)
answered 2024-09-24 19:25 UTC by Pauline Mbabu (330 Reputation points, Microsoft Employee)
0 answers

Update to Python 3.11 got SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

Hi, after we updated our Sentinel data connector (implemented in an Azure Function) to use Python 3.11 instead of 3.10, we got an SSL error from urllib3 when making API calls: SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify…

Tags: Azure Functions, Microsoft Sentinel
Azure Functions: an Azure service that provides an event-driven serverless compute platform. (4,953 questions)
asked 2024-09-24 17:10 UTC by Xiuyang Bobby Sun (65 Reputation points)
commented 2024-09-24 17:42 UTC by Xiuyang Bobby Sun (65 Reputation points)
0 answers

Clarification on "Multiple failed user log - Office365 Shell WCSS-Client"

Hello! Our team has been receiving alerts regarding "Multiple failed user log on attempts to an app involving one user" linked to "Office365 Shell WCSS-Client". The user in question has not performed any actions on their workstation, yet…

Tags: Microsoft Sentinel
asked 2024-09-24 09:29 UTC by EAntoine (0 Reputation points)
0 answers

Sentinel watchlists import issue when the field starts or ends with double quotes

Hi team, I wanted to report a bug that has been present in Microsoft Sentinel for a long time and has not been addressed by Microsoft yet. The bug is in Sentinel watchlists. When you create a new watchlist with any random fields and then you edit…

Tags: Microsoft Sentinel
asked 2024-07-22 23:59 UTC by AK (1 Reputation point)
commented 2024-09-23 19:31 UTC by Pauline Mbabu (330 Reputation points, Microsoft Employee)
0 answers

PostgreSQL DB logs

I am trying to connect PostgreSQL DB events to Microsoft Sentinel using the built-in PostgreSQL Events data connector. All the configuration is done properly, and there is a heartbeat from the machine where PostgreSQL is installed, but no logs. We are…

Tags: Microsoft Sentinel, Microsoft Entra ID
asked 2024-07-25 05:14 UTC by Praveen Ayyasamy (40 Reputation points)
commented 2024-09-23 15:56 UTC by Pauline Mbabu (330 Reputation points, Microsoft Employee)
1 answer

Azure Monitor Agent Fluent Bit CVE-2024-4323

Hello, two questions about the Azure Monitor Agent's Fluent Bit executable with regard to CVE-2024-4323. The AMA installation uses fluent-bit.exe version 2.0.9 (location C:\Program Files\Azure Monitor Agent\Monitoring\Agent\fluent-bit.exe). I would like…

Tags: Azure Monitor, Microsoft Sentinel
Azure Monitor: an Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments. (3,224 questions)
asked 2024-06-17 09:51 UTC by B T (5 Reputation points)
answered 2024-09-23 14:36 UTC by Pauline Mbabu (330 Reputation points, Microsoft Employee)
1 answer (accepted by the question author)

How to monitor calls to Azure CLI, PowerShell, Microsoft Graph... from a user?

Hi everyone, I would like to know if it is possible to log the calls made through the API to query information. The goal is to know if they are making many calls, which would trigger an alert in Sentinel, to see if an attacker is doing an…

Tags: Microsoft Graph, Microsoft Sentinel
Microsoft Graph: a Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services. (11,943 questions)
asked 2024-09-11 18:13 UTC by Steven Joseph Paredes Baquerizo (20 Reputation points)
accepted 2024-09-23 13:22 UTC by Steven Joseph Paredes Baquerizo (20 Reputation points)
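As an added example for the question above (it is not part of the original post or the accepted answer), the following KQL counts successful sign-ins by one user to the first-party administrative clients the question names and flags bursts above a threshold. It assumes the Microsoft Entra ID data connector is sending SigninLogs and AADNonInteractiveUserSignInLogs to the workspace; the list of app display names, the one-hour bucket and the threshold of 50 are assumptions to tune against your own baseline. Sign-in logs record token issuance, not individual REST calls; per-request Microsoft Graph telemetry lands in the MicrosoftGraphActivityLogs table once Microsoft Graph activity logs are enabled in Entra diagnostic settings.

```kql
// Added example, not taken from the question or its answers.
// Assumptions: Entra ID sign-in logs are flowing into the workspace; the app names
// below are the display names Entra ID uses for these first-party admin clients; the
// bucket size and threshold are starting points, not tuned values.
let adminClients = dynamic(["Microsoft Azure CLI", "Microsoft Azure PowerShell", "Graph Explorer"]);
let bucket = 1h;
let threshold = 50;
// isfuzzy lets the query run even if the non-interactive table is not enabled yet
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1d)
| where AppDisplayName in (adminClients)
| where ResultType == "0"             // successful token issuance only
| summarize TokenRequests = count(),
            Clients = make_set(AppDisplayName),
            SourceIPs = make_set(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, Window = bin(TimeGenerated, bucket)
| where TokenRequests > threshold
| extend Reason = strcat(TokenRequests, " successful sign-ins to admin tooling within ", bucket)
| order by TokenRequests desc
```

Run as a scheduled analytics rule on an hourly cadence with a 1-hour lookback, this produces the alert the question is after; entity-map UserPrincipalName and SourceIPs so the incident carries the account and source addresses. Because non-interactive sign-ins include silent token refreshes, the non-interactive table will dominate the count for long-running scripts; compare against each user's normal volume before fixing the threshold.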
1 answer

Codeless connector for Nozomi Vantage in Microsoft Sentinel

Kindly let us know if there is any Codeless Connector for Nozomi Vantage in Microsoft Sentinel for integrating Nozomi logs into Microsoft Sentinel.

Tags: Microsoft Sentinel
asked 2024-09-10 08:14 UTC by ADM_Rashmi Vijayakumar (0 Reputation points)
answered 2024-09-23 04:27 UTC by Givary-MSFT (32,501 Reputation points, Microsoft Employee)
1 answer

With the Computer field in the Usage table being deprecated, which table should I use to calculate the total monthly log ingestion for a group of Computers?

Hello everyone, I have been tasked by a client of mine to get the total monthly log ingestion of a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist, and then calculate the total log ingestion…

Tags: Microsoft Sentinel
asked 2024-09-10 13:17 UTC by Matthew Agosta (0 Reputation points)
commented 2024-09-23 03:57 UTC by Givary-MSFT (32,501 Reputation points, Microsoft Employee)
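This question and the earlier one asked 2024-09-09 ("Which table should I use to pull log ingestion numbers for Computers?") both ask how to total ingestion for a set of hosts held in a watchlist. The KQL below is an added example for both; it is not part of either post or of any answer on this page. Rather than the Usage table, which stores hourly aggregates per data type, it sums the per-record _BilledSize column that every Log Analytics table carries, over a union of all tables, so the result is per host, per table and per month, and it restricts to the watchlist hosts with _GetWatchlist(). The watchlist alias MonitoredComputers, its SearchKey column holding the host name, and the 90-day lookback are assumptions.

```kql
// Added example, not taken from the questions or their answers.
// Assumptions: a watchlist with alias 'MonitoredComputers' whose SearchKey column
// contains the host name exactly as it appears in the Computer column of the logs.
let lookback = 90d;
let monitored = _GetWatchlist('MonitoredComputers')
    | project Computer = tostring(SearchKey)
    | distinct Computer;
union withsource = TableName *
| where TimeGenerated > ago(lookback)
| where _IsBillable == true           // drop free tables (Heartbeat, Usage, ...)
| where isnotempty(Computer)          // tables without a Computer column yield empty values
| join kind=inner monitored on Computer
| summarize IngestedBytes = sum(_BilledSize)
    by Computer, TableName, Month = startofmonth(TimeGenerated)
| extend IngestedGB = round(IngestedBytes / (1024.0 * 1024 * 1024), 3)
| project Month, Computer, TableName, IngestedGB
| order by Month asc, Computer asc, IngestedGB desc
```

The union over every table is the expensive part, so keep the time range bounded and run it as a workbook or scheduled report rather than interactively; for a single figure per host per month, add a second summarize over Computer and Month. Hosts whose logs carry the name in a different case or FQDN form will not match the watchlist; normalise both sides with tolower() or a trimmed suffix if that applies in your environment.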
0 answers

Cisco Meraki Playbooks in Sentinel

Hi, I am trying to deploy the Cisco Meraki playbooks for blocking IPs, and I have some doubts. Do we need an API key with write permission? We have multiple network names; how can we create playbooks for all the network names? We are getting an error in…

Tags: Microsoft Sentinel
asked 2024-09-06 20:07 UTC by Venkatesh Raichur (0 Reputation points)
commented 2024-09-22 05:45 UTC by Andrew Blumhardt (9,856 Reputation points, Microsoft Employee)
2 answers

Is there any way to leverage the Defender XDR Advanced Hunting functions such as FileProfile() or SeenBy() in Azure Sentinel?

We're currently migrating our Defender XDR custom detection rules over to Sentinel. We've found some rules leverage the built-in Defender XDR enrichment functions such as FileProfile() and SeenBy(). I was hoping I could just copy the function over to…

Tags: Microsoft Defender for Cloud, Microsoft Sentinel
Microsoft Defender for Cloud: an Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender. (1,364 questions)
asked 2024-09-10 08:58 UTC by Jonathan Canlas (0 Reputation points)
answered 2024-09-22 05:41 UTC by Andrew Blumhardt (9,856 Reputation points, Microsoft Employee)
0 answers

Change path on Linux for Azure AMA and CEF Collectors

I'm setting up the Azure Monitor Agent on Linux with the CEF collector. I would like to change the cache directories to a separate drive. Can anyone point me to where these paths are configured?

Tags: Azure Monitor, Microsoft Sentinel
asked 2024-09-20 12:23 UTC by Jody Spoor (0 Reputation points)
edited the question 2024-09-20 15:32 UTC by VarunTha (7,975 Reputation points, Microsoft Vendor)
2 answers

How can I analyze the logs coming from AKS and reduce them?

I have recently added a data connector for AKS to my Sentinel workspace, and it has caused a major hike in the volume of logs ingested in the workspace (which eventually increases the costs as well). I want to know: how can I check which tables are…

Tags: Azure Kubernetes Service (AKS), Microsoft Sentinel
Azure Kubernetes Service (AKS): an Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance. (2,090 questions)
asked 2024-09-04 08:02 UTC by Najam ul Saqib (280 Reputation points)
commented 2024-09-20 11:39 UTC by Akshay kumar Mandha (390 Reputation points, Microsoft Vendor)
2 answers

I and others in my organization are members of "Microsoft Sentinel Contributor" but sometimes we cannot close Sentinel Incidents

I and others in my organization are members of "Microsoft Sentinel Contributor". We can usually close the incidents, but sometimes we cannot close them. I have verified my role assignments, and since I have the role of "Microsoft Sentinel…

Tags: Microsoft Sentinel
asked 2024-06-05 18:54 UTC by JCrockett (0 Reputation points)
answered 2024-09-19 20:18 UTC by JCrockett (0 Reputation points)