Latest Discussions
Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and different accounts, but it does not work. Can you help confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.
Nikolas
NikolasMS, Dec 11, 2024, Copper Contributor, 40 Views, 1 like, 1 Comment

Using the New-AzSentinelDataConnector cmdlet
I have tried using the New-AzSentinelDataConnector cmdlet to create or update a data connector. I have not fully gotten this solution working, trying to enable the Microsoft Entra ID data connector. To emphasise this point, these were the PowerShell commands I ran:

    $ResourceGroup = "rg-sentinel"
    $WorkspaceName = "ingested-data-sentinel"

    # Connect to Azure and return Tenant ID
    $Connection = Connect-AzAccount
    $TenantId = $Connection.Context.Tenant.Id

    # Create Data Connector (AAD/Entra ID)
    New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Kind AzureActiveDirectory -TenantId $TenantId -Alerts Enabled

The error output can be seen in the screenshot attached. Has anyone successfully deployed a data connector with this PowerShell cmdlet?
JMSHW0420, Dec 05, 2024, Iron Contributor, 19 Views, 0 likes, 0 Comments

RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: "Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported..." I am not sure what it relates to, but could it be a licensing concern?
Jason
JMSHW0420, Dec 05, 2024, Iron Contributor, 42 Views, 0 likes, 3 Comments

Unusual user agent found in table AADNonInteractiveUserSignInLogs
Hello, investigating the records of the table "AADNonInteractiveUserSignInLogs", I have found a user agent "Rich Client 4.40.0.0"; I have not found any information about it on the web, nor do I know what this user agent refers to. Has anyone seen this in a case related to Azure log-ins? Regards.
Chris_321, Dec 05, 2024, Copper Contributor, 20K Views, 1 like, 5 Comments

Microsoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?
RoseDose, Dec 03, 2024, Copper Contributor, 11 Views, 0 likes, 0 Comments

Sentinel Amazon Web Services connector script fails
Hi there, I'm trying to configure the AWS S3 (Preview) connector. It provides a PowerShell script and detailed instructions which I think I've followed correctly. However, the PowerShell script fails with the following error: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/AWS-S3

When running this script from PowerShell (on Windows 11, fully patched), the following errors are consistently seen before the script quits:

    .\ConfigAwsConnector.ps1
    Starting ConfigAwsConnector at: 06/16/2023 21:13:33
    Log created: C:\users\bob\aws\Logs\AwsS3-06162113.csv
    To begin you will choose the AWS logs to configure.
    Please enter the AWS log type to configure (VPC, CloudTrail, GuardDuty, CustomLog): CloudTrail
    Checking AWS CLI configuration...
    This script creates an Assume Role with minimal permissions to grant Azure Sentinel access to your logs in a designated S3 bucket & SQS of your choice, enable CloudTrail Logs, S3 bucket, SQS Queue, and S3 notifications.
    Notes:
    You can find more information about the script in https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/README.md
    If a resource name (like: S3, Sqs, Kms) already exists, the script will use the available one and not create a new resource
    Assume role definition
    Please enter role name. If you have already configured an assume role for Azure Sentinel, use the same role name: Sentinel
    Using role name: Sentinel
    ConvertFrom-Json : Invalid JSON primitive: ROLE.
    At C:\users\bob\aws\ConfigCloudTrailDataConnector.ps1:244 char:30
    $roleArn = ($roleArnObject | ConvertFrom-Json ).Role.Arn
        CategoryInfo          : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
        FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand
    Write-Log : Cannot bind argument to parameter 'Message' because it is null.
    At C:\users\bob\aws\ConfigCloudTrailDataConnector.ps1:245 char:20
    Write-Log -Message $roleArn -LogFileName $LogFileName -Severity Verbo ...
        CategoryInfo          : InvalidData: (:) [Write-Log], ParameterBindingValidationException
        FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Write-Log

To Reproduce
Steps to reproduce the behaviour:
Follow the instructions as presented here: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/AWS-S3
See the error as shown above.

Thoughts? Has anyone had success with this script, or did you give up and follow the "manual method"? Thanks for your help.
SocInABox, Nov 27, 2024, Iron Contributor, 901 Views, 0 likes, 2 Comments

DCR xPath - Nomenclature modification?
Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA.

Below is the xPath I was using until now to exclude the following EventIDs: 4689, 5449 and 5145. It was working perfectly fine:

    Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

    Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

I tried to remove the "Security" channel from the xPath as below:

    *[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error:

Did the xPath nomenclature update, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue? Thanks in advance.
A52, Nov 27, 2024, Copper Contributor, 575 Views, 0 likes, 10 Comments

Sysmon /operational is not in Event table
Hi Team, I need to create a use case based on Sysmon/Operational with Event ID = 1, but Sysmon is not configured. The use case is based on process; it is a GitHub use case. I need to create it with the help of a Defender table.

Windows Binaries Lolbins Renamed KQL:

    // procList must be declared before this query (a dynamic list of LOLBin file names)
    Event
    | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID == 1
    | parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
    | where OriginalFileName has_any (procList) and not (Image has_any (procList))
    | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" *
        'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" *
        'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" *
        'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" *
        'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
        by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser,
           Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
    | extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer),
             DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), '')

Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents", but I don't know how to find the Image information which is in the Event table.
akshay25june, Nov 25, 2024, Copper Contributor, 170 Views, 0 likes, 3 Comments

Auto Disabled (Rule Name)
Hi Team, one of the scheduled rules was auto-disabled 2 days ago (31 Aug) and is showing: "The alert rule was disabled due to too many consecutive failures. Reason: The query was blocked as it was consuming too many resources." When I tried to re-enable it, it showed: "Failed to save analytics rule 'rule name'. Conflict: Newer instance of rule 'ID' exists for workspace 'workspace id' (Etag does not match). Data was not saved." I made some changes in the KQL but it is still showing the same message. Can someone help me find a solution?
akshay25june, Nov 26, 2024, Copper Contributor, 259 Views, 0 likes, 2 Comments

Workbook with multiple visualizations using lowest number of queries
Coming from the Splunk world, I didn't find an answer to this in the workbook documentation. Is it possible to chain searches, like in Splunk, as explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain

Trying to explain it in KQL terms: suppose there are 3 very similar queries, like

    same base search | condition 1
    same base search | condition 2
    same base search | condition 3

feeding 3 visualizations. The goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.
klaszlo13, Nov 25, 2024, Copper Contributor, 150 Views, 0 likes, 1 Comment
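For the Sysmon/Operational question above (Windows Binaries Lolbins Renamed): the same detection rebuilt on DeviceProcessEvents from the Defender XDR connector, as an added example that is not from the post or from the Azure-Sentinel GitHub query. Sysmon's Image is the full path in FolderPath (the bare name is FileName); OriginalFileName comes from the PE version resource and is exposed as ProcessVersionInfoOriginalFileName; the Parent* fields map to the InitiatingProcess* columns. ProcessGuid, LogonGuid and CurrentDirectory have no direct DeviceProcessEvents equivalent, so ProcessId plus ProcessCreationTime is used as the process key. The procList below is an illustrative subset and the one-day lookback is an assumption; substitute the full list from the GitHub rule.

```kql
// Added example, not the GitHub rule: "renamed LOLBin" logic on DeviceProcessEvents.
// Assumption: procList is an illustrative subset of the GitHub rule's list.
let procList = dynamic(["cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                        "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
                        "msbuild.exe", "installutil.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)                  // assumed lookback window
| where ActionType == "ProcessCreated"           // the Sysmon Event ID 1 equivalent
// Mapping from the Sysmon EventData XML fields used in the original query:
//   Image             -> FolderPath (full path), FileName (name on disk)
//   OriginalFileName  -> ProcessVersionInfoOriginalFileName (PE version resource)
//   CommandLine       -> ProcessCommandLine
//   User              -> AccountDomain\AccountName
//   Hashes            -> SHA1 / MD5 / SHA256 columns
//   Description       -> ProcessVersionInfoFileDescription
//   ParentImage       -> InitiatingProcessFolderPath
//   ParentCommandLine -> InitiatingProcessCommandLine
//   ParentUser        -> InitiatingProcessAccountDomain\InitiatingProcessAccountName
//   ProcessGuid       -> none; ProcessId + ProcessCreationTime is the stable key
| where isnotempty(ProcessVersionInfoOriginalFileName)
// A renamed LOLBin: the embedded original name is on the list, the on-disk name is not
| where ProcessVersionInfoOriginalFileName has_any (procList)
    and not (FileName has_any (procList))
| extend User = strcat(AccountDomain, @"\", AccountName),
         ParentUser = strcat(InitiatingProcessAccountDomain, @"\", InitiatingProcessAccountName),
         Hashes = strcat("SHA1=", SHA1, ",MD5=", MD5, ",SHA256=", SHA256)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
    by DeviceName, User,
       ParentImage = InitiatingProcessFolderPath, ParentProcessId = InitiatingProcessId,
       ParentCommandLine = InitiatingProcessCommandLine, ParentUser,
       Image = FolderPath, ProcessId, ProcessCreationTime,
       CommandLine = ProcessCommandLine,
       Description = ProcessVersionInfoFileDescription,
       OriginalFileName = ProcessVersionInfoOriginalFileName, Hashes
// Same host/domain split the Sysmon version derives from Computer
| extend HostName = tostring(split(DeviceName, ".")[0]),
         DnsDomain = iff(DeviceName has ".", substring(DeviceName, indexof(DeviceName, ".") + 1), "")
```

The FileName/ProcessVersionInfoOriginalFileName pair is the direct analogue of Sysmon's Image/OriginalFileName check, so the rule keeps its original intent: a binary whose version resource says it is cmd.exe but which runs under another name. Expect the usual benign hits (vendor-renamed copies of PowerShell or MSBuild) and tune the list accordingly.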
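On the workbook question above: inside a single query step, KQL's materialize() runs the shared base search once and lets several branches reuse the cached result. An added example, not from the post or the Workbooks documentation; the SecurityEvent logon data and the three conditions are illustrative assumptions:

```kql
// Added example: one query step, base search executed once, three derived series.
// Assumption: SecurityEvent 4624/4625 data and the three conditions are illustrative.
let base = materialize(
    SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID in (4624, 4625)
    | project TimeGenerated, Computer, Account, EventID, LogonType, IpAddress);
// Each branch is what one of the three separate "same base search | condition N" queries did.
// materialize() guarantees the scan above is not repeated per branch.
union
    (base | where EventID == 4625
          | summarize Count = count() by Hour = bin(TimeGenerated, 1h)
          | extend Series = "FailedLogons"),
    (base | where EventID == 4624 and LogonType == 10
          | summarize Count = count() by Hour = bin(TimeGenerated, 1h)
          | extend Series = "RdpLogons"),
    (base | where EventID == 4624 and LogonType == 3
          | summarize Count = count() by Hour = bin(TimeGenerated, 1h)
          | extend Series = "NetworkLogons")
| project Hour, Series, Count
| order by Hour asc
```

This returns one result set with a Series column, which a single time chart splits into three series. If three separate visualizations are required, each workbook query step still executes its own KQL; the workbook-level way to reuse a step's result without re-running it is the Merge data source, which combines the results of existing query steps.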