Forum Widgets
Latest Discussions
Extend sentinel/LAW table schema
Hi, we are working on migrating from a SIEM solution to sentinel and for users to migrate easily, we want to have some custom fields to LAW/Sentinel tables (eg) a filed named brand_CF needs to be added to common security log, syslog, etc tables … we can do vi a UI, but just wondering if it can be done via api/terraform , as we want to put it in code than UI… did anyone created custom columns via API? Further not all tables visible via UI under tables in LAW..ManiAnnaApr 24, 2025Copper Contributor8Views0likes1CommentBulk Closure of old Incidents via PowerShell
Hi All, I am trying to close all MS Sentinel incidents via PowerShell using below script. Get-AzSentinelIncident -WorkspaceName "XXXXXX_XXXXXX" -All | Where-Object {$_.status -eq "New"} | ForEach-Object {update-AzSentinelIncident -WorkspaceName "XXXXXXXXXXXXXXXX" -CaseNumber $_.CaseNumber -Status Closed -CloseReason FalsePositive -ClosedReasonText "Bulk Closure " -Confirm:$false} This works fine for incidents, triggered in last 48 hr. For older incident (older than 48 hr) it is giving below error. Update-AzSentinelIncident: Unable to update Incident 7833 with error message Response status code does not indicate success: 500 (Internal Server Error). Please help me over here, as I need to close over 8k old incidents. Rod Trentpecific147Apr 24, 2025Copper Contributor2.3KViews0likes6CommentsSentinel Log Volume vs Defender Log Volume
Dear community, we're currently building up our first SOC service and wondering about the costs (not realy, we know that SIEM is expencive, but we don't understand the log volumes). We started with sentinel and enabled the XDR connector with all log sources (Device information, Defender for Identity etc). If we take a look into the LAW and log volumes for those tables, we've an ingest as shown in the following exibit: BUT, in comparison, we did a cost analysis with the real defender information (from Defender portal). We come to an estimated log volume from approx. 45GB (and usually billable around 25GB, because the customer has E5 licenses, which should include the AADNonInteractiveUserSignInLogs table (5MB/user/day for free) We're asking ourself why we got this differences in comparison to the last few days, shown in the exibit (attention: we started with a daily ingest cap, so the daily ingest would be around 90 - 100GB/day). Where is our mistake/lag of knowledge? Here are the KQL, sent wihtin the Defender portal to get the volumes from there AlertInfo | union AlertEvidence | summarize RecordCount = count(), AlertTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) EmailEvents | union EmailUrlInfo | union EmailAttachmentInfo | union EmailPostDeliveryEvents | union UrlClickEvents | summarize RecordCount = count(), MDOTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) IdentityLogonEvents | union IdentityQueryEvents | union IdentityDirectoryEvents | summarize RecordCount = count(), IDTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) DeviceInfo | union DeviceNetworkInfo | union DeviceProcessEvents | union DeviceNetworkEvents | union DeviceFileEvents | union DeviceRegistryEvents | union DeviceLogonEvents | union DeviceImageLoadEvents | union DeviceEvents | union DeviceFileCertificateInfo | summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) CloudAppEvents | summarize RecordCount = count(), CAppsTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) Thanks a lot! Best & have nice a nice easter :-)M0nk3yOoApr 23, 2025Copper Contributor44Views0likes2CommentsExtract Email Address from Incident Entity
I'm trying to put together a logic app that will reset a users password and also send them as email notifying them why their password was reset. The logic app triggers off a sentinel incident. The users email address I need to send to is from the Entities properties of the Sentinel incident. How can I extract the users email address? Its in the "MailAddress" property of each Entity. I believe Im going to have to parse it out of the JSON result but need some guidance if that is the case. Appreciate any help.Richard_ScarApr 20, 2025Copper Contributor108Views0likes4CommentsPlaybook when incident trigger is not working
Hi I want to create a playbook to automatically revoke session user when incident with specifics title or gravity is created. But after some test the playbook is'nt run autimacally, it work when I run it manually. I did'nt find what I do wrong. See the image and the code bellow. Thanks in advance! { "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "triggers": { "Microsoft_Sentinel_incident": { "type": "ApiConnectionWebhook", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "body": { "callback_url": "@{listCallbackUrl()}" }, "path": "/incident-creation" } } }, "actions": { "Get_incident": { "type": "ApiConnection", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel-1']['connectionId']" } }, "method": "post", "body": { "incidentArmId": "@triggerBody()?['object']?['id']" }, "path": "/Incidents" }, "runAfter": {} }, "Send_e-mail_(V2)": { "type": "ApiConnection", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } }, "method": "post", "body": { "To": "email address removed for privacy reasons", "Subject": "Ceci est un test", "Body": "</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['id']}</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['properties']?['description']}</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['properties']?['incidentNumber']}</p> <p>", "Importance": "Normal" }, "path": "/v2/Mail" }, "runAfter": { "Get_incident": [ "Succeeded" ] } } }, "outputs": {}, "parameters": { "$connections": { "type": "Object", "defaultValue": {} } } }, "parameters": { "$connections": { "type": "Object", "value": { "azuresentinel": { "id": "/subscriptions/xxxx/providers/Microsoft.Web/locations/xxxxx/managedApis/xxxxxxx", "connectionId": "/subscriptions/xxxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuresentinel-Revoke-RiskySessions1", "connectionName": "azuresentinel-Revoke-RiskySessions1", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "azuresentinel-1": { "id": "/subscriptions/xxxxxx/providers/Microsoft.Web/locations/xxxx/managedApis/xxx", "connectionId": "/subscriptions/xxxxxxx/resourceGroups/xxxxx/providers/Microsoft.Web/connections/xxxx", "connectionName": "xxxxxx", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "office365": { "id": "/subscriptions/xxxxxx/providers/Microsoft.Web/locations/xxxxx/managedApis/office365", "connectionId": "/subscriptions/xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/o365-Test_Send-email-incident-to-xxxx", "connectionName": "o365-Test_Send-email-incident-to-xxxxx" } } } } }Amadou_OuryDApr 19, 2025Copper Contributor1.4KViews0likes0CommentsCCP ProofPoint and Zscaler
Hi, I have ProofPoint and Zscaler Data Connector which appear to show as Deprecated. Logs are still flowing via native Azure Function uninterrupted. Per PP - CCP is suggested approach to replace Zscaler - No replacement method but I assume this will also require CCP Has anyone created CCP for these and successfully deployed these solutions?logger2115Apr 18, 2025Brass Contributor18Views0likes0CommentsInsecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting but when I go to open the template it is completely empty. Is the Insecure Protocol aka IP still supported and if so is there any newer documentation than the blog from 2000 around it? I am hoping to identify ntlm by user and device as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.sjEntraApr 16, 2025Copper Contributor52Views0likes1CommentSentinel incident playbook - get alert entities
Hi! My main task is to get all alerts (alerts, not incidents) from sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. Alert trigger by design works perfectly, but this does not trigger on Defender alerts on Sentinel, only analytic rules. When using Sentinel incident trigger, then i'm not able to extract entities related to alerts, only incident releated entities. Final output is sent with HTTP post to our external system using logic app. Any ideas how to get in logic app all alerts with their entities?qltsApr 15, 2025Copper Contributor135Views1like5CommentsRetrieving MailAddress from Entity for Logic App
I'm trying to put together a logic app that will reset a users password and also send them an email notifying them why their password was reset. The logic app triggers off a sentinel incident. The users email address I need to send to is from the Entities properties of the Sentinel incident. How can I extract the users email address? Its in the "MailAddress" property of each Entity. I believe Im going to have to parse it out of the JSON result but need some guidance if that is the case. Appreciate any help.Richard_ScarApr 10, 2025Copper Contributor18Views0likes0CommentsLog Analytics Workspace - ThreatIntelIndicators
Morning! I have been working on migrating some of our tenant analytic rules to use the new TI ThreatIntelIndicators table. However, I noticed the following: When querying against the new table, I get these values in a tenant log workspace When I do the same query in another tenant logs workspace, I get this result back If I expand the query to grab last 7 days, I get results back but they are wildly different from what I see from one tenant to another. I can find big and small discrepancies in the logs I see. I still can't find the connector on the connectors page (When I filter them out by data type). I can see the one that is being used for the soon to be decommissioned table. As far as I understand, the connector is not going to be changed per se, just how we access the logs from any given log analytics workspace. I'm expecting to see the same values across my log workspaces since it comes from the same connector, and provided by MS, or is this ingestion of TI logs tenant scope and each one has different settings? I couldn't find something that tells me this in the docs. Or is this part of the rollout problems we are expecting to see? Thanks!52Views0likes0Comments
Resources
Tags
- siem413 Topics
- KQL286 Topics
- data collection228 Topics
- Log Data206 Topics
- analytics150 Topics
- azure143 Topics
- automation135 Topics
- integration123 Topics
- kusto117 Topics
- playbooks115 Topics