Latest Discussions
Unified SecOps XDR
Hi, I am reaching out to the community to seek understanding regarding the Unified SecOps XDR portal for multi-tenant, multi-workspace use. Our organization already has an Azure Lighthouse setup. My question is whether an M365 Lighthouse license is also required for multi-tenant, multi-workspace in the unified SecOps XDR portal?

Unable to retrieve logs from the SecurityIncident table.
We are unable to retrieve logs from the SecurityIncident table. Although security alerts are visible, the SecurityIncident table remains empty. How can we get the logs to populate in the SecurityIncident table?
Palash_Shukla, Jul 04, 2025

Can we disable Multi Stage grouping in Sentinel/Defender?
Hi MS folks, is there a way to disable multi-stage grouping in Sentinel/Defender? I understand the efficiency of this multi-stage grouping feature; however, I would like to know whether there is any way of disabling it. Thanks
XSplunkdnivaraxTE, Jul 04, 2025

Zoom logs into Sentinel
Hi, I am reaching out to community members because I am facing a hassle while integrating Zoom with Sentinel. Following the document provided inside the Zoom data connector, I deployed an app in Zoom, extracted the required information, created a function app on Azure and provided the account ID, client ID and client secret, but I am facing one error: that the account has no audio conference plan. The function app is running successfully, but in the invocation logs it shows this audio-conference-plan error. We have made sure that we purchased the Zoom audio conference plan, but it still gives us the same error. If anyone has done this, please share your experience with us on how you integrated Zoom with Sentinel, because we have been struggling with it for the last two months.
Analyst110, Jul 02, 2025

Multi-trigger Playbooks & Renamed Triggers
Hello Sentinel enthusiasts,

In some cases, deploying a playbook with multiple triggers is a much easier solution than having 9 playbooks which do the same thing. In the specific example I'm going for, I have developed a playbook which requires the user to change their password within a certain amount of time. We want to have three triggers for the playbook (incident, entity and HTTP, for external orchestration platforms), and we also want the option for it to be instant, or within a configurable number of days/hours (1 day, 7 days). In this situation the native way would be to have 9 playbooks in total, which seems like a big amount for a simple action.

I initially attempted to develop these playbooks with all three triggers in a base template which is deployed using Bicep: success. But what do you know, at first I could only see the playbook in the automation playbook list saying "Sentinel Action", but I couldn't trigger it from an actual incident or entity. It turns out this was because I had given the trigger a different display name than the default. This specific case seems a bit odd to me because the underlying data is the same; nonetheless, not a huge issue: change the display name to the default and voila.

My next surprise was when I realised that the Sentinel UI will only pick up the first trigger to run a playbook, i.e. if I define an entity trigger first and then an incident trigger, I cannot see it appear as a trigger for an incident, and vice versa. So I set out on a mission and was able to create a Chromium extension which modifies the resource response to duplicate a playbook once for every trigger it has (only in the Azure portal PWA), and what do I know, everything works perfectly as if it were fully supported.

It would be great if these UI bugs could be fixed, as they seem pretty trivial and don't seem to require a major change, considering it is solely a frontend bug, especially if I can create an extension which resolves the issue. Obviously, this is not an ideal scenario in production. Garnering some support to have this rectified would be great, and it would also be cool to hear people's opinions on this.
~Seb
sebagius, Jun 27, 2025

Sentinel and Chinese branches
Hi, is it possible to send logs from servers located in China to a Sentinel workspace in the EU, or to manage from a single pane of glass 2 instances, one of which is in China? I am trying to figure out the best way to accomplish it, given that the Great Chinese Firewall could block DCR communications and that using a VPN to send logs to a log forwarder is very expensive (for the government license). Is anyone aware whether the multi-workspace incident view works with Lighthouse for a global tenant and a Chinese one? Or the multi-tenant solution? Thank you
emvar, Jun 26, 2025

Not showing GWorkspaceActivityReports Table in Sentinel
Hello, We have integrated Google Workspace with MS Sentinel through the Azure Function ARM template, and both functions, GWorkspaceReports-QueueTrigger and GWorkspaceReports-TimeTrigger, show that they are fetching Google Workspace events, but the connector shows as disconnected and we could not find any related table in the Sentinel workspace. Please help us with this to fetch Google Workspace events. Thanks, Yugandhar.
yugandhar206, Jun 25, 2025

Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is: when a user account (not admin) changes its authentication method, an alert is triggered, and then I run the built-in playbook Block-AADUser-Alert to disable this account. I get the following error when running this playbook:

    {
      "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
          "date": "2022-05-13T03:06:46",
          "request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
          "client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
        }
      }
    }

I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized the API connection, etc., but it does not solve the issue. Would anyone help advise how to solve this? Is it because of the personal account? Best Regards, An
myprofile490, Jun 23, 2025 (Solved)
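The error quoted in the post above shows the Microsoft Graph resource identifier arriving as the JSON text '["leloc@hoahung353.onmicrosoft.com"]' rather than as a bare user principal name, which is why Graph reports that no such user exists. The following Python is an added example, not code from the post or from the Block-AADUser-Alert playbook: it normalises the account value a playbook may hand over into a single UPN before placing it in the Graph /users/{id} path, and rejects anything that is not exactly one plausible UPN. The sample inputs are constructed, and the idea that the playbook serialised a one-element array instead of its only element is an assumption drawn from the error text.

```python
import json
import re
from urllib.parse import quote

# Constructed sample values modelling shapes an account entity might arrive in.
# Assumption: the playbook passed a one-element JSON array (as the quoted error
# suggests) instead of the bare UPN string that Graph expects in the URL path.
SAMPLE_ENTITY_VALUES = [
    ["leloc@hoahung353.onmicrosoft.com"],        # one-element list (constructed)
    '["leloc@hoahung353.onmicrosoft.com"]',      # same list already serialised to text
    "leloc@hoahung353.onmicrosoft.com",          # bare UPN, the shape Graph wants
    "  leloc@hoahung353.onmicrosoft.com ",       # whitespace noise around the UPN
]

# Loose sanity check: something@something with no whitespace, quotes or brackets.
UPN_RE = re.compile(r'^[^@\s"\[\]]+@[^@\s"\[\]]+$')


def normalise_upn(value):
    """Return one bare UPN from a str, a JSON-encoded array in a str, or a list.

    Raises ValueError unless the input yields exactly one plausible UPN, so a
    blocking action never runs against an empty, multi-user or malformed value.
    """
    if isinstance(value, str):
        text = value.strip()
        if text.startswith("["):
            # Array serialised into a string: decode it rather than using it verbatim.
            try:
                value = json.loads(text)
            except json.JSONDecodeError as exc:
                raise ValueError(f"not a UPN and not a JSON array: {text!r}") from exc
        else:
            value = [text]
    if not isinstance(value, list) or len(value) != 1 or not isinstance(value[0], str):
        raise ValueError(f"expected exactly one account, got {value!r}")
    upn = value[0].strip()
    if not UPN_RE.match(upn):
        raise ValueError(f"not a plausible UPN: {upn!r}")
    return upn


def graph_user_url(value):
    """Build the Graph v1.0 URL for the user, with the UPN percent-encoded for the path."""
    upn = normalise_upn(value)
    return f"https://graph.microsoft.com/v1.0/users/{quote(upn, safe='@')}"


def disable_user_request(value):
    """Return (method, url, body) for the Graph call that disables the account."""
    return ("PATCH", graph_user_url(value), {"accountEnabled": False})


def demo():
    """Normalise every constructed sample; all should map to the same Graph URL."""
    return [graph_user_url(v) for v in SAMPLE_ENTITY_VALUES]


if __name__ == "__main__":
    for url in demo():
        print(url)
    print(disable_user_request(SAMPLE_ENTITY_VALUES[0]))
```

The same check applies to any Logic App step that interpolates an entity field into a URL: if the field is an array, take its single element (and fail the run if there is not exactly one) before building the request, instead of letting the serialised array reach Graph.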