Latest Discussions
Sentinel Data Connector for Azure Virtual Desktop
Hello, I have a customer planning to deploy Azure Virtual Desktop (AVD). They are currently using Microsoft Sentinel for their SecOps. However, there is no AVD Data Connector available. The customer is not interested in building a custom data connector. Does anyone know if there are plans to add a data connector for AVD in the near future? Thanks.
19 Views, 0 likes, 1 Comment

How to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community, We are ingesting Azure Database for PostgreSQL logs into the Log Analytics workspace and tried to retrieve the values from the PostgreSQL log Message column. However, the retrieved values come back with double quotes and commas. Below is the sample PostgreSQL Message log:
Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption
We used the KQL query and parse kind below to get the values of host, user, and database, but we got the values with double quotes and commas, as shown below. How do we get the values without the double quotes?
AzureDiagnostics
| where Category == "PostgreSQLLogs"
| where errorLevel_s == "FATAL"
| where Message contains "no pg_hba.conf entry"
| parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName
Received Values:
Thanks, Yugandhar.
yugandhar206, Jan 24, 2025, Copper Contributor
16 Views, 0 likes, 2 Comments

Sentinel Integration with Teams: This bot is disabled
Hello, I've integrated Sentinel to send an Adaptive Card (automation playbook template) to Teams every time an incident is triggered. After receiving the event in Teams, if I try to click on "Submit Response" I get the following message in Teams: 'This bot is disabled. Contact your IT admin for more information.' See attached screenshot. Any idea? Regards,
HAHA13029, Jan 22, 2025, Brass Contributor
14 Views, 0 likes, 1 Comment

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, As a troubleshooting step, I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extensions - Uninstall, but it went into the "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to the "Deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; it still shows the "Deleting" state only. So, I tried uninstallation directly from the server using the command azcmagent extension remove --name AzureMonitorWindowsAgent and got the error below. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder that the error above points to. The JSON file has the content shown below. After this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh
Solved
JohnWickXV, Jan 22, 2025, Copper Contributor
183 Views, 0 likes, 2 Comments

Using a Bicep template to update Configuration Settings in Microsoft Sentinel
I have started using Bicep and have successfully defined templates to create a resource group, Log Analytics workspace and an instance of Microsoft Sentinel. I now need guidance on updating an existing Log Analytics workspace instance with the Entity Behaviour and UEBA services. Is using the existing property with the resource definition the best approach? Advice/guidance is appreciated. Please see the image of the Bicep template below. Jason
JMSHW0420, Jan 20, 2025, Iron Contributor
19 Views, 0 likes, 0 Comments

Log Forwarder - rsyslog TLS Encryption
Good day to all, We are working on the configuration of TLS rsyslog service encryption and decided to try with a self-signed certificate. We walked through this manual: RSyslog Documentation - rsyslog (created a CA, issued certificates, keys, etc.) but had no success. We did the configuration only on the server side (log forwarder) and not on the client. The log source is a Cortex XDR cloud platform, so we cannot configure anything on its side. From the Cortex XDR manual: "If your Syslog receiver uses a self-signed CA, Browse and upload your self-signed Syslog receiver CA." We uploaded the certificate, but it doesn't work. Cortex XDR cannot verify the connection. Forwarding unencrypted logs works perfectly. Has anybody configured TLS rsyslog? I would kindly appreciate any advice on it.
mikhailf, Jan 19, 2025, Steel Contributor
1.8K Views, 0 likes, 3 Comments

RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported... I am not sure what it relates to, but could it be licensing concerns? Jason
JMSHW0420, Jan 19, 2025, Iron Contributor
77 Views, 0 likes, 4 Comments

How to integrate BeyondTrust Logs With Sentinel
Hi All, How do we integrate BeyondTrust logs with Sentinel? Do we have a data connector? As checked, there is no data connector for this. Please let me know, and also what logging level is required on the BeyondTrust side.
Sand_Sentinel87, Jan 15, 2025, Copper Contributor
95 Views, 0 likes, 3 Comments