Forum Widgets
Latest Discussions
Help Ingesting PingID Logs into Microsoft Sentinel
Hello, Microsoft Sentinel has a Data Connector for PingFederate, however this does not capture other PingIdentity products. Namely, PingID logs. Making this post asking if there are any ways to best implement ingesting PingID logs into Sentinel, as I am unable to find any documentation for PingIdentity or Sentinel that would assist me in coming up with a solution. Thank you for all comments and ideas.colinc10Feb 12, 2025Copper Contributor5Views0likes0CommentsKQL to extract URL from TI Feeds
Hello, I need some help to extract a specific field (URL) from URL Haus Database. Example "3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous" Needed output http://chmod0777kk.com/main Regards, HAHA13029Feb 10, 2025Brass Contributor20Views0likes1CommentSecurityIncident access from Sentinel tenants
Hello, My company's business model follows the Sentinel MSP with visibility to Customer Sentinel via Lighthouse. All the incidents from across the Customer Sentinels are located on the Sentinel MSP (since the detection rules reside on the Sentinel MSP). Although it might not be the usual MSP model (hosting incidents in the MSP Sentinel), we want to provide visibility to our Customers regarding their Incidents (with all updates) in a dashboard. Is there a possibility we can have a solution for this?Solvedun1claudiuFeb 08, 2025Copper Contributor62Views0likes5CommentsHow do you investigate network anomaly related alerts?
Hello everyone. Using some of the built-in analytical rules such as "Anomaly was observed with IPv6-ICMP Traffic", when you go into the incident event details, its just some numbers of the expected baseline vs actual value. What do you do with this? Similar case with following rules: Anomaly found in Network Session Traffic (ASIM Network Session schema) Anomaly was observed with ESP Traffic Anomaly was observed with Outbound Traffic Anomaly was observed with Unassigned TrafficCiyaresh91Feb 06, 2025Copper Contributor904Views0likes1CommentSentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF . I setup a first collection using the ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel I then add new collection using ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-west-3.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel Adding the second collection erase the first one !! Is it a bug ?? Regards, HAHA13029Feb 05, 2025Brass Contributor38Views1like1CommentQualys Vulnerability management integration with Function app
Hello, I have deployed Qualys VM with sentinel by Azure function app. I am not getting any error, function app is working fine. I am getting blank output: Furthermore, I have not added any filter parameter in environment variables and don't have any idea what could be added here. Since the output is blank Qualys data connector is showing status disconnected. If anyone can help me out please comment below. TIA333Views0likes1CommentFetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentName | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring." | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now()) | sort by CreatedTime | mv-expand AlertIds | extend AlertId = tostring(AlertIds) | join (SecurityAlert | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now()) | summarize arg_max(TimeGenerated, *) by SystemAlertId | project-rename AlertId = SystemAlertId) on AlertId Is this enough to achieve what I need or is there any changes that needs to be made ?RayenJan 29, 2025Copper Contributor39Views0likes1CommentUsing a Bicep template to update Configuration Settings in Microsoft Sentinel
I have started using BICEP and have successfully defined templates to create a resource group, log analytics workspace and an instance of Microsoft Sentinel. I now need guidance on updating an existing log analytics workspace instance with the Entity Behaviour and UEBA services. Is using existing property with the resource definition the best approach? Advice/Guidance is appreciated. Please see the image of the BICEP template below. JasonJMSHW0420Jan 28, 2025Iron Contributor42Views0likes1CommentInvestigation Insights Workbook IP address Search
Is there a way to roll back to a previous version of the investigation insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addressees from the entity list. This was really useful when wanting to just search on an IP address that was suspect and related IOCs, Account sign in etc. Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.danny_grassoJan 28, 2025Brass Contributor76Views0likes5Comments
Resources
Tags
- siem400 Topics
- KQL276 Topics
- data collection222 Topics
- Log Data199 Topics
- Analytics141 Topics
- azure136 Topics
- automation123 Topics
- integration122 Topics
- kusto113 Topics
- playbooks107 Topics