1,123 questions with Microsoft Sentinel tags

2 answers

How can I analyze the logs coming from AKS and reduce them?

I have recently added a data connector for AKS to my Sentinel workspace and it has caused a major hike in the amount of logs ingested in the workspace (which eventually increases the costs as well). I want to know: How can I check which tables are…

Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,073 questions
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,123 questions
asked 2024-09-04T08:02:02.1666667+00:00
Najam ul Saqib 280 Reputation points
commented 2024-09-15T14:23:11.96+00:00
Najam ul Saqib 280 Reputation points
1 answer

How to monitor calls to Azure CLI, PowerShell, Microsoft Graph... from a user?

Hi everyone, I would like to know if there is a possibility to log the events of the calls made through the API to query information. The goal is to know if they are making many calls that trigger an alert in Sentinel to see if an attacker is doing an…

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,830 questions
Microsoft Sentinel
asked 2024-09-11T18:13:31.19+00:00
Steven Joseph Paredes Baquerizo 0 Reputation points
commented 2024-09-15T08:28:19.0333333+00:00
Steven Joseph Paredes Baquerizo 0 Reputation points
1 answer

Microsoft Purview Audit Log - Send Microsoft Defender XDR activities to Sentinel

Hello everyone! I would like to forward the Microsoft Defender XDR activities and Microsoft Defender for Identity activities (https://video2.skills-academy.com/en-us/purview/audit-log-activities#microsoft-defender-for-identity-activities) from the Microsoft…

Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,135 questions
Microsoft Sentinel
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
192 questions
asked 2024-09-10T06:17:20.61+00:00
Tabea-6461 0 Reputation points
commented 2024-09-13T16:57:27.23+00:00
Smaran Thoomu 14,870 Reputation points Microsoft Vendor
0 answers

Script error when trying to deploy template Playbook in MS Sentinel

Hi, I am struggling with the PowerShell script that is needed to deploy a template Playbook in MS Sentinel. I am new to MS Sentinel, and trying out the different functions to see if it will be of use to our organization. This is the playbook that I want to…

Microsoft Sentinel
asked 2024-09-13T10:43:28.6233333+00:00
Alex 0 Reputation points
1 answer

Is there any way to leverage the Defender XDR Advanced Hunting functions such as FileProfile() or SeenBy() in Azure Sentinel?

We're currently migrating our Defender XDR custom detection rules over to Sentinel. We've found some rules leverage the built-in Defender XDR enrichment functions such as FileProfile() and SeenBy(). I was hoping I could just copy the function over to…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,348 questions
Microsoft Sentinel
asked 2024-09-10T08:58:56.86+00:00
Jonathan Canlas 0 Reputation points
commented 2024-09-13T08:21:26.9933333+00:00
Givary-MSFT 32,311 Reputation points Microsoft Employee
0 answers

What are the required fields for the analytics rule ARM template?

Referring to this guide, https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide, I can't find any official documentation on the required fields for the .yaml files. We want to implement pre-commit checks that ensure the templates entering the…

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,241 questions
Microsoft Sentinel
asked 2024-08-19T10:55:57.9066667+00:00
Jonathan Canlas 0 Reputation points
commented 2024-09-12T19:33:05.7366667+00:00
James Hamil 24,311 Reputation points Microsoft Employee
0 answers

Atypical Travel - no info for "Previous Location"

Reviewing the output of an Atypical Travel alert, I find detailed information for "Current Location" (City, State, Country), but I only get Country as a result of the "Previous Location". Why is there a discrepancy in the amount of…

Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,371 questions
asked 2024-09-12T17:05:55.0966667+00:00
KyleG 0 Reputation points
1 answer

Cannot get Content Hub source type hunting queries via API

I'm trying to get all hunting queries via the Microsoft Sentinel Log Analytics endpoint Saved Searches - List By Workspace (here's the link to its description in Microsoft documentation:…

Microsoft Sentinel
asked 2024-09-12T11:00:07.7866667+00:00
Oleksandr Shchevkun 0 Reputation points
edited the question 2024-09-12T14:09:19.9933333+00:00
JananiRamesh-MSFT 26,546 Reputation points
2 answers

SecurityEvent Table Transformation DCR not working

I'm having an issue with ingestion on to a Workspace that is connected to Microsoft Sentinel. I have created a Transformation DCR / Ingestion Time Filter on the SecurityEvents table, but am still seeing events in the logs that should have been filtered…

Microsoft Sentinel
asked 2024-08-09T18:36:16.23+00:00
Greg Sneed 20 Reputation points
commented 2024-09-11T19:29:55.1166667+00:00
Greg Sneed 20 Reputation points
2 answers

Cannot enable UEBA feature on Microsoft Sentinel

I can't enable the UEBA feature on Microsoft Sentinel. When going through the form to enable it, on step 2 it shows the error message "Updating the Entity Providers failed." I have the Security Administrator admin role in AAD/Entra and the…

Microsoft Sentinel
asked 2023-10-31T03:26:30.3466667+00:00
Martin Grihangne 20 Reputation points
commented 2024-09-11T16:21:16.33+00:00
Nathan French 0 Reputation points
0 answers

I cannot delete a watchlist for Sentinel. It says there was an error and will not let me delete even if I move fast enough to click the delete button. How do I resolve this?

I was creating a watchlist for Sentinel and I added a file for mapping the IP addresses that will attack my VM. I was able to click on "create" but it never finished and now even though the watchlist appears in my list under Sentinel, it says…

Microsoft Sentinel
asked 2024-09-10T23:35:18.87+00:00
Cybersplunker 0 Reputation points
commented 2024-09-11T16:17:47.4133333+00:00
Clive Watson 6,351 Reputation points MVP
1 answer

With the Computer field in the Usage table being deprecated, which table should I use to calculate the total monthly log ingestion for a group of Computers?

Hello everyone, I have been tasked by a client of mine to get the total monthly log ingestion of a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist, and then calculate the total log ingestion…

Microsoft Sentinel
asked 2024-09-10T13:17:01.18+00:00
Matthew Agosta 0 Reputation points
answered 2024-09-11T16:15:22.79+00:00
Clive Watson 6,351 Reputation points MVP
0 answers

How to Onboard Windows 11/10 Machines as Monitored Objects in Microsoft Sentinel?

I am trying to onboard Windows 11/10 machines into Microsoft Sentinel using Azure Monitor Agent (AMA). I referred to the following documentation: Azure Monitor Agent for Windows Client, but I am still unclear on certain aspects of the process.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,196 questions
Microsoft Sentinel
asked 2024-09-05T08:28:16.24+00:00
Abdullah A 0 Reputation points
commented 2024-09-11T14:51:25.7266667+00:00
Abdullah A 0 Reputation points
1 answer

Azure Arc Machine Not Visible After Successful Onboarding on Ubuntu 22.04

I ran the onboarding script on Ubuntu 22.04 to connect the machine to Azure for Microsoft Sentinel. The script successfully completed and stated that the machine is connected to Azure. However, when I check the Azure Arc portal, the connected machine is…

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
402 questions
Microsoft Sentinel
asked 2024-09-05T08:21:21.7266667+00:00
Abdullah A 0 Reputation points
accepted 2024-09-11T14:43:47.1333333+00:00
Abdullah A 0 Reputation points
0 answers

Codeless connector for Nozomi Vantage in Microsoft Sentinel

Kindly let us know if we have any Codeless connector for Nozomi Vantage in Microsoft Sentinel for integrating Nozomi logs into Microsoft Sentinel.

Microsoft Sentinel
asked 2024-09-10T08:14:42.2566667+00:00
ADM_Rashmi Vijayakumar 0 Reputation points
commented 2024-09-11T00:52:09.18+00:00
gba 0 Reputation points
0 answers

How to ingest Oracle Cloud Guard events into Sentinel

I'm trying to connect the Oracle cloud events data into Sentinel from an OCI streaming endpoint, but I can't find a data connector to ingest event data. There is one, however, to ingest audit logs. Can someone help on how to go about building this…

Microsoft Sentinel
asked 2024-09-10T01:35:02.07+00:00
gba 0 Reputation points
edited the question 2024-09-11T00:26:00.61+00:00
Ryan Hill 27,771 Reputation points Microsoft Employee
2 answers

OCI Streaming with Azure Sentinel Error

We have configured the OCI Streaming with Azure Sentinel. We have provided the keys, OCID of user, OCID of tenancy, fingerprints etc., but logs are not ingesting. Full Exception : Exception while executing function /Functions.AzureFunctionOCILogs…

Microsoft Sentinel
asked 2023-09-05T15:55:22.4933333+00:00
commented 2024-09-11T00:06:54.2+00:00
gba 0 Reputation points
0 answers

Integrate Microsoft Sentinel with SOAR platform, which is SIRP, via API

I want to integrate Microsoft Sentinel with my SOAR platform, which is SIRP, via API. So the network prerequisite is connectivity on port 443 to the domain management.azure.com, but the problem is I can't allow the domain at the firewall, so I need to know the IP addresses…

Microsoft Sentinel
asked 2024-09-10T07:42:30.1066667+00:00
Pankaj Jagani 0 Reputation points
edited the question 2024-09-10T10:34:14.68+00:00
VenkateshDodda-MSFT 19,976 Reputation points Microsoft Employee
0 answers

I want to integrate Microsoft Sentinel with my SOAR platform which is SIRP via API.

I want to integrate Microsoft Sentinel with my SOAR platform, which is SIRP, via API. So the network prerequisite is connectivity on port 443 to the domain management.azure.com, but the problem is I can't allow the domain at the firewall, so I need to know the IP addresses…

Microsoft Sentinel
asked 2024-09-10T07:41:25.9866667+00:00
Pankaj Jagani 0 Reputation points
edited the question 2024-09-10T10:33:40.95+00:00
VenkateshDodda-MSFT 19,976 Reputation points Microsoft Employee
1 answer

How to get details of all data connectors and data source?

Is there any KQL to get all the details of data sources and their data types with their current status? Is it possible to get those details?

Microsoft Sentinel
asked 2024-09-05T04:05:08.4566667+00:00
Sayooj Santhosh 0 Reputation points
commented 2024-09-10T07:33:17.1766667+00:00
Givary-MSFT 32,311 Reputation points Microsoft Employee