How can I analyze the logs coming from AKS and reduce them?
I have recently added a data connector for AKS to my Sentinel workspace and it has caused a major hike in the amount of logs ingested in the workspace (which eventually increases the costs as well). I want to know: How can I check which tables are…
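As an added example (not part of the original post), the following KQL compares each table's billable volume in the 14 days after the connector went live with the 14 days before it, so the tables behind the spike stand out. It assumes the connector was enabled roughly 14 days ago; adjust the two windows to match. `Usage.Quantity` is in MB, and the `Solution` column separates Container Insights tables (ContainerLogV2, KubeEvents, KubePodInventory, Perf are the usual growth drivers) from the rest.

```kql
// Added example, not from the original post.
// Per-table billable ingestion: 14 days before vs 14 days after the AKS
// connector was enabled. Adjust the windows to the actual enablement date.
Usage
| where TimeGenerated > ago(28d)
| where IsBillable == true
| summarize
    BaselineGB = round(sumif(Quantity, TimeGenerated <= ago(14d)) / 1024, 2),
    RecentGB   = round(sumif(Quantity, TimeGenerated >  ago(14d)) / 1024, 2)
    by DataType, Solution
| extend DeltaGB = RecentGB - BaselineGB
| where DeltaGB > 0
| order by DeltaGB desc
```

Once the noisy tables are known, the cost levers are the Container Insights data collection settings (collection interval, namespace filtering, ContainerLogV2 instead of ContainerLog) and a workspace transformation DCR on the table itself to drop rows or columns before they are billed.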
How to monitor calls to Azure CLI, Powershell, Microsoft Graph... from a user?
Hi everyone, I would like to know if there is a possibility to log the events of the calls made through the API to query information. The goal is to know if they are making many calls that trigger an alert in Sentinel to see if an attacker is doing an…
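An added example (not from the original post) of the kind of analytics rule query that fits this question. Azure CLI, Azure PowerShell and Graph Explorer are first-party applications, so every token they obtain shows up in `SigninLogs` (interactive) or `AADNonInteractiveUserSignInLogs` (token refreshes and silent auth) with their well-known application IDs. The query counts those sign-ins per user and hour and flags users above a threshold; the threshold and the one-hour window are assumptions to tune. Note that a sign-in is a token issuance, not an individual API call: individual Graph requests are in `MicrosoftGraphActivityLogs` if that diagnostic setting is enabled, and Azure Resource Manager write operations are in `AzureActivity` (reads are not logged there).

```kql
// Added example, not from the original post.
// Sign-ins per user to the first-party apps behind Azure CLI, Azure PowerShell
// and Graph Explorer. Threshold and window are assumptions; tune per tenant.
let threshold = 20;
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AppId in (
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",   // Microsoft Azure CLI
    "1950a258-227b-4e31-a9cf-717495945fc2",   // Microsoft Azure PowerShell
    "de8bc8b5-d9f9-48b1-a8ad-b748da725064"    // Graph Explorer
)
| summarize
    SignIns  = count(),
    Failures = countif(ResultType != "0"),
    Apps     = make_set(AppDisplayName),
    SourceIPs = make_set(IPAddress, 20)
    by UserPrincipalName, Hour = bin(TimeGenerated, 1h)
| where SignIns > threshold
| order by SignIns desc
```

Map `UserPrincipalName` to the Account entity and `SourceIPs` to the IP entity in the rule so the incident carries both; a burst of failures from a new IP is the pattern worth alerting on first.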
Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel
Hello everyone! I would like to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities (https://video2.skills-academy.com/en-us/purview/audit-log-activities#microsoft-defender-for-identity-activities) from the Microsoft…
Script error when trying to deploy template Playbook in MS Sentinel
Hi, I am struggling with the PowerShell script that is needed to deploy a template Playbook in MS Sentinel. I am new to MS Sentinel, and trying out the different functions to see if it will be of use to our organization. This is the playbook that I want to…
Is there any way to leverage the Defender XDR Advanced Hunting functions such as FileProfile() or SeenBy() in Azure Sentinel?
We're currently migrating our Defender XDR custom detection rules over to Sentinel. We've found some rules leverage the built-in Defender XDR enrichment functions such as FileProfile() and SeenBy(). I was hoping I could just copy the function over to…
What are the required fields for the analytics rule arm template?
Referring to this guide, https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide, I can't find any official documentation on the required fields for the .yaml files. We want to implement pre-commit checks that ensure the templates entering the…
Atypical Travel - no info for "Previous Location"
Reviewing the output of an Atypical Travel alert, I find detailed information for "Current Location" (City, State, Country), but I only get Country as a result of the "Previous Location". Why is there a discrepancy in the amount of…
Cannot get Content Hub source type hunting queries via API
I'm trying to get all hunting queries via the Microsoft Sentinel Log Analytics endpoint Saved Searches - List By Workspace (here's the link to its description in Microsoft documentation:…
SecurityEvent Table Transformation DCR not working
I'm having an issue with ingestion onto a Workspace that is connected to Microsoft Sentinel. I have created a Transformation DCR / Ingestion Time Filter on the SecurityEvents table, but am still seeing events in the logs that should have been filtered…
Cannot enable UEBA feature on Microsoft Sentinel
I can't enable the UEBA feature on Microsoft Sentinel. When going through the form to enable it, on step 2 it shows the error message "Updating the Entity Providers failed." I have the Security Administrator admin role in AAD/Entra and the…
I cannot delete a watchlist for Sentinel. It says there was an error and will not let me delete even if I move fast enough to click the delete button. How do I resolve this?
I was creating a watchlist for Sentinel and I added a file for mapping the IP addresses that will attack my VM. I was able to click on "create" but it never finished and now even though the watchlist appears in my list under Sentinel, it says…
With the Computer field in the Usage table being deprecated, which table should I use to calculate the total monthly log ingestion for a group of Computers?
Hello everyone, I have been tasked by a client of mine to get the total monthly log ingestion of a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist, and then calculate the total log ingestion…
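An added example (not from the original post) of the approach that does not depend on `Usage.Computer`: every ingested row carries the hidden `_BilledSize` (bytes) and `_IsBillable` columns, so per-computer volume can be summed directly from the tables that have a `Computer` column and then restricted to the watchlist with `_GetWatchlist()`. The watchlist alias `MonitoredComputers` and its `Hostname` column are assumptions; the table list is the usual set for agent-collected data and should be extended with any custom tables that carry `Computer`. The right-outer join keeps watchlist hosts that ingested nothing this month, which is often the more interesting finding.

```kql
// Added example, not from the original post.
// Month-to-date billable ingestion per computer, restricted to a watchlist.
// Assumed: watchlist alias "MonitoredComputers" with a "Hostname" column.
let monthStart = startofmonth(now());
let hosts = _GetWatchlist('MonitoredComputers')
    | project Computer = tostring(Hostname);
union isfuzzy=true withsource=SourceTable
    SecurityEvent, WindowsEvent, Event, Syslog, Perf, Heartbeat
| where TimeGenerated >= monthStart
| where _IsBillable == true
| where Computer in (hosts)
| summarize IngestedGB = round(sum(_BilledSize) / 1e9, 3) by Computer
| join kind=rightouter hosts on Computer
| project Computer = Computer1, IngestedGB = coalesce(IngestedGB, 0.0)
| order by IngestedGB desc
```

Scanning raw tables for a full month is heavier than a `Usage` query, so run it once per month or materialize the per-day totals with a summary rule rather than on every dashboard refresh.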
How to Onboard Windows 11/10 Machines as Monitored Objects in Microsoft Sentinel?
I am trying to onboard Windows 11/10 machines into Microsoft Sentinel using Azure Monitor Agent (AMA). I referred to the following documentation: Azure Monitor Agent for Windows Client, but I am still unclear on certain aspects of the process.
Azure Arc Machine Not Visible After Successful Onboarding on Ubuntu 22.04
I ran the onboarding script on Ubuntu 22.04 to connect the machine to Azure for Microsoft Sentinel. The script successfully completed and stated that the machine is connected to Azure. However, when I check the Azure Arc portal, the connected machine is…
Codeless connector for Nozomi Vantage in Microsoft Sentinel
Kindly let us know if we have any Codeless connector for Nozomi Vantage in Microsoft Sentinel for integrating Nozomi logs to Microsoft Sentinel.
How to ingest Oracle Cloudguard Events into sentinel
I'm trying to connect the Oracle cloud events data into Sentinel from an OCI streaming endpoint, but I can't find a data connector to ingest event data. There is one, however, to ingest audit logs. Can someone help on how to go about building this…
OCI Streaming with Azure Sentinel Error
We have configured the OCI Streaming with Azure Sentinel. We have provided the keys, ocid of user, ocid of tenancy, finger prints etc but logs are not ingesting. Full Exception : Exception while executing function /Functions.AzureFunctionOCILogs…
integrate Microsoft Sentinel with SOAR platform which is SIRP via API
I want to integrate Microsoft Sentinel with my SOAR platform, which is SIRP, via API. The network prerequisite is connectivity on port 443 to the domain management.azure.com, but the problem is I can't allow a domain at the firewall, so I need to know the IP addresses…
How to get details of all data connectors and data source?
Is there any KQL to get all the details of data sources and their data types with their current status? Is it possible to get those details?
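An added example (not from the original post). The connector configuration state (enabled/disabled, last connection attempt) is not written to the workspace; it lives behind the Sentinel data connectors REST API and the portal. What KQL can answer is which data types are actually delivering, how much, and when each was last seen, which is usually what "current status" means operationally. The 24-hour staleness cut-off is an assumption; low-volume sources such as weekly audit exports need a longer one.

```kql
// Added example, not from the original post.
// Every data type that delivered in the last 30 days, with volume, last-seen
// time and a freshness status. The 24h staleness cut-off is an assumption.
let staleAfter = 24h;
Usage
| where TimeGenerated > ago(30d)
| summarize
    LastReceived = max(TimeGenerated),
    TotalGB      = round(sum(Quantity) / 1024, 2),
    IsBillable   = take_any(IsBillable)
    by DataType, Solution
| extend HoursSilent = toint((now() - LastReceived) / 1h)
| extend Status = iff(LastReceived > ago(staleAfter), "Receiving", "Stale")
| order by Status asc, TotalGB desc
```

For agent-based sources, pair this with `Heartbeat | summarize max(TimeGenerated) by Computer` to tell a silent connector apart from a single host that stopped reporting.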