Recent Discussions
Using the New-AzSentinelDataConnector cmdlet
I have tried using the New-AzSentinelDataConnector cmdlet to create or update a data connector. I have not fully gotten this solution working when trying to enable the Microsoft Entra ID data connector. To emphasise this point, these were the PowerShell commands I ran:

$ResourceGroup = "rg-sentinel"
$WorkspaceName = "ingested-data-sentinel"

# Connect to Azure and return Tenant ID
$Connection = Connect-AzAccount
$TenantId = $Connection.Context.Tenant.Id

# Create Data Connector (AAD/Entra ID)
New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Kind AzureActiveDirectory -TenantId $TenantId -Alerts Enabled

The error output can be seen in the screenshot attached. Has anyone successfully deployed a data connector with this PowerShell cmdlet?

RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: "Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported..." I am not sure what it relates to, but could it be licensing concerns? Jason

Unusual user agent found in table AADNonInteractiveUserSignInLogs
Hello, investigating the records of the table "AADNonInteractiveUserSignInLogs", I have found a user agent "Rich Client 4.40.0.0". Investigating via the web I have not found information about it, nor do I know what this user agent is. Has anyone seen this in a case related to Azure log-ins? Regards.

Microsoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?

DCR xPath - Nomenclature modification?
Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA. Below is the xPath I was using until now to exclude the EventIDs 4689, 5449 and 5145. It was working perfectly fine:

Raw xPath:
Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

Raw xPath:
Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

I tried to remove the "Security" channel from the xPath as below:

*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error. Did the xPath nomenclature update, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue? Thanks in advance.

Sysmon/Operational is not in Event table
Hi Team, I need to create a use case based on Sysmon/Operational with Event ID = 1, but Sysmon is not configured. The use case is based on process. It is a GitHub use case. I need to create it with the help of a Defender table.

Windows Binaries Lolbins Renamed KQL:

// procList is the dynamic list of binary names the rule checks; it is not included in this post
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID == 1
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer), DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), '')

Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents", but I don't know how to find the Image information that is in the Event table.

Auto Disabled (Rule Name)
Hi Team, one of my scheduled rules was auto-disabled 2 days ago (31 Aug) and is showing: "The alert rule was disabled due to too many consecutive failures. Reason: The query was blocked as it was consuming too many resources." When I try to re-enable it, it shows: "Failed to save analytics rule 'rule name'. Conflict: Newer instance of rule 'ID' exists for workspace 'workspace id' (Etag does not match). Data was not saved." I made some changes in the KQL but it still shows the same message. Can someone help me find a solution?

Workbook with multiple visualizations using lowest number of queries
Coming from the Splunk world and didn't find an answer to this in the workbook documentation. Is it possible to chain searches, like in Splunk, as explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain

Trying to explain in KQL terms: suppose there are 3 very similar queries, like

same base search | condition 1
same base search | condition 2
same base search | condition 3

feeding 3 visualizations. The goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.

Help to write KQL for some of the use cases
Hi Team, please help me write KQL for the scenarios below. Log sources are Palo Alto, Check Point, F5, Citrix, Akamai, Vectra, Oracle, Linux.

Use case - Source sending more events than usual
Description - This correlation search identifies source hosts sending more data than usual. The search runs against data from the last 7 days and compares only the same hour of the last 7 days (this helps avoid alerts at the beginning of business hours). The threshold is the sum of the average events plus the standard deviation of the source times 3.

Use case - Unexpected Host Reporting events
Description - Discovers hosts that are reporting events but are not in the expected reporting hosts on Sentinel. This rule is used to monitor hosts not expected.

Use case - New User Account Created on multiple Hosts
Description - Alerts when numerous new accounts are created for a username account on multiple hosts.

Note: All the above use cases are deployed in Splunk and need to be migrated into Sentinel.

Issue while deploying Sentinel Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID etc. Does anyone have any idea, or a similar issue, why it's still not possible after waiting for about a month?

Help us plan our upcoming "Mastering API Integration with Sentinel and USOP" public webinar
Hello on behalf of the Microsoft SIEM & XDR Engineering organization! On December 5th, 2024, we will host a public webinar on how to effectively integrate APIs with Microsoft Sentinel and the Unified Security Platform. This session will cover when to use APIs, how to set them up, and potential challenges. We will present live demos to guide you through the process. To ensure this webinar is as engaging and relevant as possible for you, we'd love your input to help us create its agenda!

Help us plan this webinar: Do you have any use cases you think we should feature? Or have you encountered any blockers that you'd like us to address? We're eager to find out what content matches your needs the most! Please answer this survey to help us with your input. It will remain open until October 31st, 2024. Take the survey here: https://forms.office.com/r/hrWtm34WFu

Join the webinar on December 5th! In addition to helping us plan it, we hope to count on your participation. Register for this webinar at https://aka.ms/MasteringAPISentinelUSOPWebinar. Thank you for your contributions! Naomi Chistis and Jeremey Tan - Microsoft SIEM & XDR Team

Integrating Jira with Sentinel via HTTP connector
Hello Community, I am having issues integrating Jira with Sentinel. I am connecting Sentinel incidents with Jira via the HTTP connector. The Jira V3 connector was not working due to an error regarding the reporter field, which I have no control over. My question is, why is the HTTP Connector not posting the incident when I manually run the playbook with an incident? It shows the run was successful, but the incident is not posted in the Jira queue.

Splunk eventstats equivalent in KQL?
Is there an equivalent eventstats command in KQL similar to Splunk? If not, is there a way to achieve the same result in KQL? The eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.

Local IPs (10.60.0.0/24) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to Microsoft services? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even for anonymous file access. Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream? Sample KQL:

// Query 1
OfficeActivity
| where TimeGenerated >= ago(30d)
| where ipv4_is_private(ClientIP)
| where IsManagedDevice == false
| summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

// Query 2
OfficeActivity
| where TimeGenerated >= ago(60d)
| where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
| summarize count() by bin(TimeGenerated, 1d)

Logic app to close administrative tasks
I am trying to create a logic app that closes administrative tasks in Sentinel after checking UserPrincipalName and IPAddress. It will also check if the UserPrincipalName exists in a watchlist at the same time. But this didn't seem to work; can I get any help here?

RestApiPoller Paging Question
Hi, RestApiPoller paging question from setting up a new Codeless Connector against one API. I'm currently polling this API with an Azure function and would like to cut it over to CCP. The API supports iterating through pages via querying it with pageNumber and pageSize parameters. For example, I can query pageNumber=1, pageNumber=2 and so forth. The API returns a pageCount value as part of a successful response. There is no next page or next link in the response. I can't see anything in the NextPageToken section of the API on how to handle this. Any suggestions?

The API is called by sending a POST with the following in the body:

{
  "interval": "",
  "pageNumber": 0,
  "pageSize": 0
}

Successful response received is:

{
  "data": [ ],
  "pageSize": 0,
  "pageNumber": 0,
  "total": 0,
  "pageCount": 0
}

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, and I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails to be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.
Recent Blogs
- Customers using the unified security operations platform can now manage multiple tenants. In this article we'll answer some questions you may have to help you to get started. (Dec 04, 2024)
- Check out this new Microsoft Sentinel solution for ServiceNow bi-directional sync. (Nov 28, 2024)