Latest Discussions
Minemeld Threat Intel Integration to Sentinel
Hello guys, I have deployed a Minemeld server in Azure and I'm pulling free threat intel into it, processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. I turned the Threat Intel Connector on and now I have the Threat Intel in the Log Analytics space. There are two issues I have, in order:

1. Currently, with threat intel of type IP, I get the IP in a field called ExternalIndicatorID. A sample value for this is: IPv4:36.119.0.0-36.119.255.255. As you can see, we have "IPv4:" and then a range of IPs follows. The problem is that this is very impractical to use from an analytics point of view. I have to write the query in such a way as to ignore the "IPv4:" and then also be able to interpret the range. This is impractical, and the preview Threat Intel rules offered by Microsoft do not use that field. They instead use NetworkIP, NetworkDestinationIP, NetworkSourceIP... whichever of the three they find with a value. For me, however, those values are empty. Apparently this is something that must be changed in the Minemeld processor so that it does not merge IPs and generate ranges. I have not found a way to do that. Has anyone managed to do that, or otherwise found any other workaround to be able to consume Minemeld IP Threat Intel in Sentinel?

2. The second thing, and I'm not completely sure here as no. 1 was a much bigger priority: is the Microsoft Security Graph extension for Minemeld only able to consume URLs, domains and IPs? No emails, hashes, etc.?

I have also asked on Palo Alto's board; however, I'm really curious and could use a hand from someone who has already managed to do this. Thank you!

Posted by GabrielNecula (Copper Contributor), Apr 10, 2020. 7.8K views, 0 likes, 31 comments.

Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
Hi, I am attempting to use the trigger "When Azure Sentinel incident creation rule was triggered" that's in preview, but the playbook is not triggered even though I know that I have a new incident in Sentinel. What's missing from the configuration?

Posted by erlendoyen (Copper Contributor), Aug 12, 2020. 17K views, 0 likes, 30 comments.

Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is: when a user account (not admin) changes its authentication method, an alert is triggered and then I run the built-in playbook Block-AADUser-Alert to disable this account. I get the following error when running this playbook:

    {
      "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
          "date": "2022-05-13T03:06:46",
          "request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
          "client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
        }
      }
    }

I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized the API connection, etc., but it does not solve the issue. Would anyone help advise how to solve this? Is it because of the personal account? Best Regards, An

[Solved] Posted by myprofile490 (Copper Contributor), May 13, 2022. 5.8K views, 0 likes, 29 comments.

Join Our Azure Sentinel Community
Visit Our Blog

Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having no barrier between you and the people that create them. That's why we need your participation in our community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. To try out Azure Sentinel, log into your Azure Portal and then click here to join the preview.

Join Us

To join our community, click here, and then click the join button and the heart icon for Azure Sentinel, as pictured below.

Stay Updated via our Blog

To keep up to date on all our major announcements, please visit our blog at https://aka.ms/AzureSentinelBlog.

Check Out our GitHub Repository

We have queries, detections, playbooks, and more on our GitHub repository at https://aka.ms/AzureSentinel/GitHub and we'll be investing significant effort developing this content. We welcome contributions and hope you benefit from the shared expertise of our entire community.

Additional Security Groups

Here's a list of other security-related groups you may want to join:
- Azure
- Azure Security Center
- Azure Security and Identity
- Enterprise Mobility + Security
- Azure Advanced Threat Protection and ATA
- Azure Information Protection
- Microsoft Cloud App Security
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find us on LinkedIn

We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.

Webinars and Private Preview Calls

We hold regular webinars and calls where we provide technical training, preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations for the calls are posted here in this group, so please check back regularly. Our latest Azure Sentinel webinar can be found at https://aka.ms/AzureSentinelWebinar. We hope to hear from you soon!

[Solved] Posted by Ryan Heffernan (Microsoft), Feb 22, 2019. 26K views, 44 likes, 28 comments.

Azure Sentinel Logic App Action Incident ID
I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment", most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger, but I do not see any place to get the Incident ID. Would this Logic App be triggered before the Incident is created, and is that why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions? I see there is an entry to get all the Incidents, but I don't see any way to accurately figure out which one to use.

[Solved] Posted by GaryBushey (Bronze Contributor), Sep 23, 2019. 10K views, 1 like, 26 comments.

API for Sentinel Alerts and Cases
Where can I find docs to query new alerts and cases and interact with them in Azure Sentinel?

Posted by punkrokk (Copper Contributor), Mar 01, 2019. 11K views, 0 likes, 22 comments.

mv-expand - I cannot make it work!!
Can anyone spare any time to give me a basic example of how to use mv-expand please, so that I can then expand on it! (See what I did there?) I just don't get it. I understand that it can be used to extract a value from an array, but in my fiddling it's not happening. I have looked at the docs, but the examples just don't relate/click with me. I've been enjoying TeachJing YouTube lessons, but I haven't found one that covers this command. I'm just looking for the most minimal lines so I can build from it. Many thanks (Soz for the stupid question!)

[Solved] Posted by CodnChips (Brass Contributor), Feb 04, 2022. 14K views, 0 likes, 20 comments.

I am trying to create a watchlist that displays specific alerts from different business units
Here is the query below. I would like to be able to determine which specific business unit server an alert was generated into Azure Sentinel from, but I am unable to create a tag that includes a watchlist that provides the expected result. Please help.

    Heartbeat
    | lookup kind=leftouter _GetWatchlist('MBSFQDN_01') on $left.Computer == $right.SearchKey
    | project UNIT, Computer

Posted by caitlin2250 (Copper Contributor), Jun 26, 2021. 5.5K views, 0 likes, 20 comments.