Forum Widgets
Latest Discussions
Juniper SRX 340 logs not read by rsyslog
I have configured Juniper SRX 340 Junos logs to be forwarded to a centralized syslog server before reaching Microsoft Sentinel. I can see the Juniper logs on the syslog server while doing a TCPDUMP but, the same logs are not ready by rsyslog. The same syslog server is also receiving the logs from Cisco ASA. The rsyslog is able to read the ASA logs with no issues and further forward them to Sentinel through AMA agent. I don't have any filters applied in rsyslog.conf file and I'm capturing everything (*.*) all syslog facility and severity to a log file but, still the Juniper logs are not recognized by rsyslog. Please help on resolving this issuerahulb25Jan 25, 2025Copper Contributor32Views0likes0CommentsBug in stand-alone MS Sentinel MITRE tactics
I setup a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually show up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?GaryBusheyJan 12, 2025Bronze Contributor59Views0likes0CommentsCan we deploy Bicep through Sentinel repo
Hi there, Im new here, but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_secmal_secJan 02, 2025Copper Contributor45Views1like0CommentsWhy maximum supported DataFlow count is 10 in DCR?
Is there any technical reason why a DCR can support maximum 10 dataflows? There are already 10 ASim tables. If we want to combine standard tables with ASim tables in one DCR, that is currently not possible. It makes the process complicated. Also is that the same reason why designated ASim table count is currently 10? :)yusufozturkDec 21, 2024Copper Contributor16Views0likes0CommentsUsing Playbook_ARM_Template_Generator
Hi, Trying to use the Playbook_ARM_Template_generator where a user assigned managed identity is used for connections. The generator doesn't seem to strip this out and then complains on deployment. Anyone had any success with this? Many thanks, Timtipper1510Dec 19, 2024Brass Contributor15Views0likes0CommentsSentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector setup for accessing Github. If my github Org do have IP Allow list enabled this do not work. So I need to find the IP's that the Connector talks out from Azure / Sentinel with when hitting the github service so I can whitelist those. If I take the IP scopes for Sentinel they are quite extensive and it cannot be that I need to whitelist every single Azure monitor/sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IP's Or is there another way to get Audit logs from Github when there is IP restrictions enabled on the Github organization (in a github cloud enterprice setup)zazhDec 18, 2024Copper Contributor24Views0likes0CommentsIs it possible to set up this playbook for a specific rule incident alarm?
I was wondering if a specific playbook setting is possible for the rules below RuleName : New Azure Sentinel incident - Authentication Attempt from New Country Read UserPrincipalName, set_IPAddress value when alarm occurs Automatically send mail to each user by identifying the user-specific mail address with UserPrincipalName and changing the recipient, ip value according to the specified mail formghleeDec 18, 2024Copper Contributor16Views0likes0CommentsMicrosoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?RoseDoseDec 03, 2024Copper Contributor25Views0likes0CommentsRestApiPoller Paging Question
Hi, RestApiPoller Paging question from setting up a new Codeless Connector against one API. I'm currently polling this API with an Azure function and would like to cut it over to CCP. The API supports iterating through pages via querying it with pageNumber and pageSize parameters. For example, I can query pageNumber=1, pageNumber=2 and so forth. The API returns a pageCount value as part of a successful response. There is no next page or next link in the response. I can't see anything in the NextPageToken section of the API on how to handle this. Any suggestions? API is called by sending a POST with the following in the body. { "interval": "", "pageNumber": 0, "pageSize": 0 } Successful response received is: { "data": [ ], "pageSize": 0, "pageNumber": 0, "total": 0, "pageCount": 0 }sneakypandaNov 10, 2024Copper Contributor17Views0likes0CommentsWorkspace Manager - Importing analytics to parent for children
Greetings, I have a Central workspace manager Sentinel (no data is ingested). However we have some Sentinel workspaces that have data connectors and data being ingested and are monitored by a SOC. We would like to be able to save analytics to this central workspace and deploy the analytics to the child workspaces. However we cannot save the rule in the central workspace as the table does not exist. For example I have an Okta analytic in a child workspace, where the query will query the Okta_CL table and some of the fields. I have exported it from the child and wish to import to the parent workspace so I can distribute to other children using Workspace manager. However I get an error because the Okta_CL table does not exist and does not have the fields. Does anyone have any ideas of how we can work around this to "force" the analytic to be present in the parent tenant? The children tenant CANNOT be linked in workspace manager. EDIT - Example error below. Status Message: Error in EntityMappings: The given column 'column_name' does not exist. (Code:BadRequest) Regards
Resources
Tags
- siem400 Topics
- KQL276 Topics
- Data Collection221 Topics
- Log Data199 Topics
- Analytics140 Topics
- azure135 Topics
- automation123 Topics
- integration121 Topics
- kusto113 Topics
- playbooks107 Topics