Forum Widgets
Latest Discussions
KQL to extract URL from TI Feeds
Hello, I need some help to extract a specific field (URL) from URL Haus Database. Example "3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous" Needed output http://chmod0777kk.com/main Regards, HAHA13029Feb 08, 2025Brass Contributor20Views0likes1CommentSentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF . I setup a first collection using the ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel I then add new collection using ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-west-3.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel Adding the second collection erase the first one !! Is it a bug ?? Regards, HAHA13029Jan 31, 2025Brass Contributor38Views1like1CommentFetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentName | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring." | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now()) | sort by CreatedTime | mv-expand AlertIds | extend AlertId = tostring(AlertIds) | join (SecurityAlert | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now()) | summarize arg_max(TimeGenerated, *) by SystemAlertId | project-rename AlertId = SystemAlertId) on AlertId Is this enough to achieve what I need or is there any changes that needs to be made ?RayenJan 27, 2025Copper Contributor38Views0likes1CommentJuniper SRX 340 logs not read by rsyslog
I have configured Juniper SRX 340 Junos logs to be forwarded to a centralized syslog server before reaching Microsoft Sentinel. I can see the Juniper logs on the syslog server while doing a TCPDUMP but, the same logs are not ready by rsyslog. The same syslog server is also receiving the logs from Cisco ASA. The rsyslog is able to read the ASA logs with no issues and further forward them to Sentinel through AMA agent. I don't have any filters applied in rsyslog.conf file and I'm capturing everything (*.*) all syslog facility and severity to a log file but, still the Juniper logs are not recognized by rsyslog. Please help on resolving this issuerahulb25Jan 25, 2025Copper Contributor32Views0likes0CommentsSentinel Data Connector for Azure Virtual Desktop
Hello, I have a customer planning to deploy Azure Virtual Desktop (AVD). They are currently using Microsoft Sentinel for their SecOps. However, there is no AVD Data Connector available. The customer is not interested in building a custom data connector. Does anyone know if there are plans to add a data connector for AVD in the near future? Thanks.33Views0likes1CommentHow to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community, We are ingesting Azure database for Postgresql logs into the log analytical workspace and tried to retrieve the values from the Postgresql log Message coulumn. However, we are getting the values in double quotes and comma from the retrieved values. Below is the sample Pstgresql Message log: Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption We used below KQL query and parse kind (mentione below) to get the values of host, user, and database but we got the values like below with double quotes and comma. How to get the values without double quotes. AzureDiagnostics | where Category == "PostgreSQLLogs" | where errorLevel_s == "FATAL" | where Message contains "no pg_hba.conf entry" | parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName Received Values: Thanks, Yugandhar.yugandhar206Jan 23, 2025Copper Contributor34Views0likes2CommentsSentinel Integration with Teams: This bot is disabled
Hello, I've integrated Sentinel to sent an Adaptive card (automation playbook template) to Teams every time an incident is triggered. After receiving the event in Teams, if I try to click on "Submit Response" I got the following message in teams 'This bot is disabled. Contact your IT admin for more information. See attached Screenshot Any idea ?? Regards, HAHA13029Jan 22, 2025Brass Contributor25Views0likes1CommentUsing a Bicep template to update Configuration Settings in Microsoft Sentinel
I have started using BICEP and have successfully defined templates to create a resource group, log analytics workspace and an instance of Microsoft Sentinel. I now need guidance on updating an existing log analytics workspace instance with the Entity Behaviour and UEBA services. Is using existing property with the resource definition the best approach? Advice/Guidance is appreciated. Please see the image of the BICEP template below. JasonJMSHW0420Jan 20, 2025Iron Contributor42Views0likes1CommentBug in stand-alone MS Sentinel MITRE tactics
I setup a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually show up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?GaryBusheyJan 12, 2025Bronze Contributor59Views0likes0CommentsCan we deploy Bicep through Sentinel repo
Hi there, Im new here, but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_secmal_secJan 02, 2025Copper Contributor45Views1like0Comments
Resources
Tags
- siem400 Topics
- KQL276 Topics
- Data Collection221 Topics
- Log Data199 Topics
- Analytics140 Topics
- azure135 Topics
- automation123 Topics
- integration121 Topics
- kusto113 Topics
- playbooks107 Topics