Latest Discussions
Using a Bicep template to update Configuration Settings in Microsoft Sentinel
I have started using BICEP and have successfully defined templates to create a resource group, log analytics workspace and an instance of Microsoft Sentinel. I now need guidance on updating an existing log analytics workspace instance with the Entity Behaviour and UEBA services. Is using the existing property with the resource definition the best approach? Advice/Guidance is appreciated. Please see the image of the BICEP template below. Jason
JMSHW0420 · Jan 20, 2025 · Iron Contributor · 12 views · 0 likes · 0 comments

Log Forwarder - r-syslog TLS Encryption
Good day to all, We are working on the configuration of TLS rsyslog service encryption and decided to try with a self-signed certificate. We walked through this manual: RSyslog Documentation - rsyslog (created a CA, issued certificates, keys, etc.) but had no success. We did the configuration only on the server side (log forwarder) and not on the client. The log source is a Cortex XDR cloud platform, so we cannot configure anything on its side. From the Cortex XDR manual: "If your Syslog receiver uses a self-signed CA, Browse and upload your self-signed Syslog receiver CA." We uploaded the certificate, but it doesn't work. Cortex XDR cannot verify the connection. Forwarding unencrypted logs works perfectly. Has anybody configured TLS rsyslog? I would kindly appreciate any advice on it.
mikhailf · Jan 19, 2025 · Steel Contributor · 1.8K views · 0 likes · 3 comments

RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: "Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported..." I am not sure what it relates to, but could it be licensing concerns? Jason
JMSHW0420 · Jan 19, 2025 · Iron Contributor · 69 views · 0 likes · 4 comments

How to integrate Beyond Trust Logs With Sentinel
Hi All, How to integrate BeyondTrust logs with Sentinel? Do we have a data connector? As checked, there is no data connector for this. Please let me know, and also what logging level is required on the BeyondTrust side.
Sand_Sentinel87 · Jan 15, 2025 · Copper Contributor · 87 views · 0 likes · 3 comments

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails will be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.
Solved · Cameron_Stephens · Jan 13, 2025 · Copper Contributor · 191 views · 0 likes · 7 comments
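One way to shape the query output so that each manager gets exactly one e-mail, as an added example that is not code from the post above or from Microsoft: the two datatables are constructed stand-ins for the real downgrade query and for a user-to-manager lookup (in a workspace the lookup would typically be a watchlist read with _GetWatchlist or an identity table), and the mailbox addresses, labels and column names are assumptions.

```kql
// Added example, not from the original post. Constructed rows replace the
// real label-downgrade query; the user-to-manager lookup would in practice
// come from a watchlist (_GetWatchlist('ManagerLookup')) or identity data.
// All addresses and column names here are assumptions.
let DowngradeEvents = datatable(TimeGenerated: datetime, UserPrincipalName: string,
                                FileName: string, OldLabel: string, NewLabel: string) [
    datetime(2025-01-13T08:10:00Z), "alice@contoso.com", "budget.xlsx",  "Highly Confidential", "General",
    datetime(2025-01-13T09:02:00Z), "bob@contoso.com",   "roadmap.pptx", "Confidential",        "Public",
    datetime(2025-01-13T09:40:00Z), "alice@contoso.com", "notes.docx",   "Confidential",        "General",
    datetime(2025-01-13T11:15:00Z), "carol@contoso.com", "hr-list.xlsx", "Highly Confidential", "Public"
];
let UserManager = datatable(UserPrincipalName: string, ManagerMail: string) [
    "alice@contoso.com", "mgr.east@contoso.com",
    "bob@contoso.com",   "mgr.west@contoso.com"
    // carol has no manager row on purpose: she falls back to the SOC mailbox below
];
DowngradeEvents
// In the scheduled rule add:  | where TimeGenerated > ago(24h)
| join kind=leftouter UserManager on UserPrincipalName
// Users without a manager attribute must not be silently dropped
| extend ManagerMail = iff(isempty(ManagerMail), "soc@contoso.com", ManagerMail)
// One row per manager; Events is a JSON array the playbook can loop over
| summarize EventCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Events     = make_list(bag_pack("Time", TimeGenerated,
                                            "User", UserPrincipalName,
                                            "File", FileName,
                                            "From", OldLabel,
                                            "To",   NewLabel), 200)
    by ManagerMail
| order by EventCount desc
```

With the output in this shape the playbook does one "For each" over the rows and sends one mail per ManagerMail, rendering the Events array as the body. Rather than relying on the alert's custom details, which are capped in size, it is more reliable to have the playbook run this query itself through the Azure Monitor Logs connector's "Run query and list results" action and loop over the returned rows.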
Bug in stand-alone MS Sentinel MITRE tactics
I set up a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually shows up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there, as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?
GaryBushey · Jan 12, 2025 · Bronze Contributor · 44 views · 0 likes · 0 comments

Parsing syslog
1. I am ingesting firewall logs as syslog and trying to parse out the fields accordingly using the split command. I have a problem that the beginning of the log is not piped, and I have made the split in 2 occasions. As you can see in the attached pic, the FWD|UDP|p4| fields are not parsed out. This is the _raw syslog message:
Security F180 Block: FWD|UDP|p4|192.168.x,x|67|00:15:5d:0f:c4:01|255.255.255.255|68|bootpc||LAN-2-INTERNET|4017|0.0.0.0|0.0.0.0|0|1|
2. Can you show me the same using normal regex? I can't see in the MSFT doc how to do it the old way 🙂
3. Should I do the parsing at search time of the query? Doesn't it increase the search time?
omrip · Jan 12, 2025 · Copper Contributor · 17K views · 0 likes · 6 comments
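An added example for the three questions above, not code from the post or from Microsoft: the space-separated prefix is taken with parse and the pipe-separated remainder split once, then the same fields are pulled with a single regex. The row is a constructed stand-in for the Syslog table (SyslogMessage is that table's column name); the field names assigned to each pipe position are assumptions about this firewall's format.

```kql
// Added example, not from the original post. One constructed row stands in
// for the Syslog table; SyslogMessage is the Syslog table's column name.
let Sample = datatable(TimeGenerated: datetime, SyslogMessage: string) [
    datetime(2025-01-12T10:00:00Z),
    "Security F180 Block: FWD|UDP|p4|192.168.1.10|67|00:15:5d:0f:c4:01|255.255.255.255|68|bootpc||LAN-2-INTERNET|4017|0.0.0.0|0.0.0.0|0|1|"
];
// 1) The prefix ("Security F180 Block: ") is space-separated and the rest is
//    pipe-separated, so take the prefix with parse and split the remainder once.
//    The names given to F[n] are assumptions about this firewall's format.
let ParsedWithSplit = Sample
| parse SyslogMessage with Category " " Policy " " Action ": " Rest
| extend F = split(Rest, "|")
| extend Direction = tostring(F[0]), Protocol = tostring(F[1]), Interface = tostring(F[2]),
         SrcIP = tostring(F[3]),     SrcPort = toint(F[4]),      SrcMAC = tostring(F[5]),
         DstIP = tostring(F[6]),     DstPort = toint(F[7]),      Service = tostring(F[8]),
         Rule = tostring(F[10]),     RuleId = toint(F[11])      // F[9] is the empty field
| project-away Rest, F;
// 2) The same with a regex: one capture group per field. extract_all returns an
//    array of arrays (one inner array per match), so take match [0]. The empty
//    field between Service and Rule is consumed with a non-capturing [^|]*\|.
let ParsedWithRegex = Sample
| extend G = extract_all(
      @"^(\S+) (\S+) (\w+): ([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(\d+)\|([^|]*)\|([^|]*)\|(\d+)\|([^|]*)\|[^|]*\|([^|]*)\|(\d+)\|",
      SyslogMessage)[0]
| extend Category = tostring(G[0]), Policy = tostring(G[1]),  Action = tostring(G[2]),
         Direction = tostring(G[3]), Protocol = tostring(G[4]), Interface = tostring(G[5]),
         SrcIP = tostring(G[6]),     SrcPort = toint(G[7]),     SrcMAC = tostring(G[8]),
         DstIP = tostring(G[9]),     DstPort = toint(G[10]),    Service = tostring(G[11]),
         Rule = tostring(G[12]),     RuleId = toint(G[13])
| project-away G;
// Both branches yield the same columns for this row
ParsedWithSplit
| union ParsedWithRegex
| project TimeGenerated, Category, Action, Direction, Protocol, SrcIP, SrcPort, DstIP, DstPort, Service, Rule, RuleId
```

On question 3: parsing in the query is recomputed on every run, which matters once an analytics rule executes it every few minutes over a large Syslog table. Two common ways to pay that cost once are to save the parser as a KQL function (so rules and hunting queries reuse it) or to move the same logic into a data collection rule transformation (transformKql) so the columns exist at ingestion time. Note the failure modes differ: if the firewall changes its field count, the regex branch simply stops matching and every column becomes null, while the split branch still yields the leading fields and only the later positions shift.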
Having issues with Run-MDEAntiVirus Playbook
Hi, I'm having issues getting the Run-MDEAntiVirus playbook working. I have created it using the GitHub template and assigned the managed instance rights to Sentinel and Defender ATP. When it is triggered I get the following error message. From what I can see, the post command is not sending over the MDATPDeviceId. The information from the Get-Hosts entries does provide the host and the MDATPDeviceId information, so I'm a little lost on what is going on. Could anyone help me please? Regards, Mike
MikePalmer75 · Jan 10, 2025 · Brass Contributor · 2K views · 0 likes · 3 comments