Microsoft Sentinel Log integrity and non-repudiation
I have a question about Microsoft Sentinel's log integrity and non-repudiation properties of audit logs. For example, Splunk uses bucket hashing to protect its logs. Does Sentinel via Azure have any such protection, or can anyone shed light on how the…
How to ingest logs into Sentinel from Azure cross-tenant resources, such as Azure Diagnostics, AAD, etc.?
I need to ingest logs from my organization's cross-tenant resources into our primary tenant, where we've centralized Sentinel as a SIEM. My Microsoft partner said I cannot use the Lighthouse option as my organisation is not an MSP. Can someone please in brief…
How to integrate Entitle with Sentinel
Hi Team, I wanted to integrate Entitle with Sentinel, but I noticed that there is no built-in connector for Entitle in Sentinel by default. After speaking with the Entitle support team, they informed me that Entitle uses webhooks for integration. Could…
Which table should I use to pull log ingestion numbers for Computers?
Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist and then get the log ingestion…
How to depict two line graphs on a timechart which represent two different time periods, one on top of the other
Hi all, I am trying to create a timechart on a Sentinel workbook on which I will be representing the comparison of count per hour per application between two different days. The main goal and the challenge here is how to stack the counts for each…
How to query ThreatIntelligenceIndicator tags?
I have created some indicators on the Threat Intelligence page in Sentinel, and proceeded to tag them as shown below: Based on the Azure Monitor Logs reference for the ThreatIntelligenceIndicator table, there should be a "Tags" field…
Cisco Meraki Playbooks in Sentinel
Hi, I am trying to deploy the Cisco Meraki playbooks for blocking IPs, and I have some doubts. Do we need an API key with write permission? We have multiple network names; how can we create playbooks for all the network names? We are having an error in…
Sentinel Playbook "Block-IP-Address-Meraki" erroring out
Hi, The Microsoft Sentinel playbook "Block-IP-Address-Meraki" is erroring out on execution with the error "Cannot override L3 firewall rules on a network bound to a template - the firewall rules are inherited from the template."…
Ingestion of AWS CloudWatch data to Microsoft Sentinel using S3 connector
Hello everyone, I want to integrate CloudWatch logs into an S3 bucket using a Lambda function and then send those logs to Microsoft Sentinel. As per the Microsoft documentation provided: Ingest CloudWatch logs to Microsoft Sentinel - create a Lambda function to…
Defender for Endpoint log retention
Hi there, in order to increase data retention for the CloudAppEvents or DeviceRegistryEvents tables, I know we can ingest them into Microsoft Sentinel. My question is if there is another way to store these logs? I just want to retain the logs for cold storage…
Microsoft Sentinel - Data Connector is showing as disconnected but is sending logs.
Hello everyone. I have a client that has both the 'Common Event Format via Legacy Agent' and 'Common Event Format via AMA' Data Connectors in their Microsoft Sentinel environment. Both are sending logs to the 'CommonSecurityLog' table, but oddly the…
How to parse/extract data that is in the 'SyslogMessage' field in MS Sentinel?
I have recently integrated and ingested Syslog data into MS Sentinel. Unfortunately, there is a field named "SyslogMessage" that appears to be NOT parsed. How do I parse the data that is in the "SyslogMessage" field and turn it into…
Managing Customer Sentinel through Azure Lighthouse
Hi Experts, please help. I have registered our customer on our Azure Lighthouse. I can see their Sentinel with data in it, but when I try to check data connectors, I am getting the errors below: I can't see any connector connected, but when the customer's Global…
How to fix error when creating Sentinel-All-In-One MS Azure deployment
When attempting to create MS Azure Sentinel-All-In-One deployment, I get an error message for the enableSolutionsAndAlerts resource. The provided script failed with the following error: Microsoft.PowerShell.Commands.HttpResponseException: Response…
Subscription field is not available in Microsoft Sentinel All-In-One in Azure
I'm getting "No Items available" when attempting to deploy Microsoft Sentinel All-In-One in my Azure account. Under the Basic tab, the Subscription field is a mandatory field. It should load my primary account, but nothing comes up.
Enabling UEBA
Dears, I am trying to enable UEBA in my Sentinel but I am facing an issue when validating the data source, as follows: I have all the necessary permissions. Can anybody help me? Thanks
We are having problems with a Playbook that performs an automation for Sentinel
We are having problems with a Playbook that performs an automation for Sentinel: Objective: Add one or more IPs from the incident to a named location. Problem: - In one of the HTTP GET steps, Logic Apps reports the error "required scopes are…
How to export Microsoft Sentinel logs
I'm trying to export Microsoft Sentinel logs and insights to Palo Alto XSIAM, so I need to know if there's any configuration I need to do on Microsoft Sentinel or any functionality that needs to be enabled on Sentinel for this integration to be seamless.
How do I disconnect data connectors in Sentinel?
I'm trying to remove data connectors from the Microsoft Sentinel tab. The data connectors that are giving me issues are ones that are still "ingesting" data, but there is no data collector rule attached to them. They are being collected through…