Forum Widgets
Latest Discussions
Bug in stand-alone MS Sentinel MITRE tactics
I setup a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually show up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?GaryBusheyJan 12, 2025Bronze Contributor3Views0likes0CommentsHaving issues with Run-MDEAntiVirus Playbook
Hi, I'm having issues getting the Run-MDEAntiVirus playbook working. I have created it using the Github template, assigned the managed instance rights to Sentinel and the Defender ATP. When it is triggered I get the following error message. From what I can see the post command is not sending over the MDATPDeviceId. The information from the entries Get-Hosts does provide the host and the MDATPDeviceId information so I'm a little lost on what is going on. Could anyone help me please? Regards MikeMikePalmer75Jan 10, 2025Brass Contributor2KViews0likes3CommentsAutomating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook i'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails will be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.SolvedCameron_StephensJan 10, 2025Copper Contributor180Views0likes6CommentsThe issue with displaying the original query in the newly created scheduled query rule
Hello everyone. I recently started learning Azure Sentinel, and I wanted to create my first custom rule. The rule works as I wanted, but I encountered an issue with displaying the original query. When an incident is created and I go to the "Incident Timeline" and click "Link to LA," my query is shown in an obfuscated form, as shown in the screenshot. Could you please help me figure out how to make the original query visible? Thank you!TvobyJan 08, 2025Copper Contributor51Views0likes1CommentIs there a way to use or convert YARA rule to Sentinel KQL query for detections
I have noticed that most malware detections are released in YARA language and Sentinel does not have baked in support for YARA rule. Keen to understand how others are dealing with this situation.deepak198486Jan 06, 2025Copper Contributor7.9KViews1like4CommentsCan we deploy Bicep through Sentinel repo
Hi there, Im new here,but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_secmal_secJan 02, 2025Copper Contributor27Views1like0CommentsHow to integrate Beyond Trust Logs With Sentinel
Hi All, How to integrate Beyond Trust Logs With Sentinel, do we have a data connector? As checked, there is not data connector for this. please let me know and also what are the logging level required at beyond trust side.Sand_Sentinel87Dec 31, 2024Copper Contributor59Views0likes2CommentsARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOTthe Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one. JasonSolvedJMSHW0420Dec 29, 2024Iron Contributor215Views0likes15CommentsGITHUB - AI Sentinel attack simulation
The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used with testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried... ... and with AI prompting, simulated attack events can be created against our Sentinel test environments. Which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175Laurie_RhodesDec 21, 2024Brass Contributor78Views1like1CommentWhy maximum supported DataFlow count is 10 in DCR?
Is there any technical reason why a DCR can support maximum 10 dataflows? There are already 10 ASim tables. If we want to combine standard tables with ASim tables in one DCR, that is currently not possible. It makes the process complicated. Also is that the same reason why designated ASim table count is currently 10? :)yusufozturkDec 21, 2024Copper Contributor13Views0likes0Comments
Resources
Tags
- siem392 Topics
- KQL272 Topics
- Data Collection216 Topics
- Log Data195 Topics
- Analytics137 Topics
- azure132 Topics
- integration120 Topics
- automation120 Topics
- kusto112 Topics
- playbooks105 Topics