Microsoft Sentinel | Microsoft Community Hub

Forum Widgets

Latest Discussions

Extend sentinel/LAW table schema
Hi, we are working on migrating from a SIEM solution to sentinel and for users to migrate easily, we want to have some custom fields to LAW/Sentinel tables (eg) a filed named brand_CF needs to be added to common security log, syslog, etc tables … we can do vi a UI, but just wondering if it can be done via api/terraform , as we want to put it in code than UI… did anyone created custom columns via API? Further not all tables visible via UI under tables in LAW..
Solved
ManiAnna
Copper Contributor
Apr 21, 2025
apis
automation
migration
siem
74Views
0likes
2Comments
Playbook when incident trigger is not working
Hi I want to create a playbook to automatically revoke session user when incident with specifics title or gravity is created. But after some test the playbook is'nt run autimacally, it work when I run it manually. I did'nt find what I do wrong. See the image and the code bellow. Thanks in advance! { "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "triggers": { "Microsoft_Sentinel_incident": { "type": "ApiConnectionWebhook", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "body": { "callback_url": "@{listCallbackUrl()}" }, "path": "/incident-creation" } } }, "actions": { "Get_incident": { "type": "ApiConnection", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel-1']['connectionId']" } }, "method": "post", "body": { "incidentArmId": "@triggerBody()?['object']?['id']" }, "path": "/Incidents" }, "runAfter": {} }, "Send_e-mail_(V2)": { "type": "ApiConnection", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } }, "method": "post", "body": { "To": "email address removed for privacy reasons", "Subject": "Ceci est un test", "Body": "</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['id']}</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['properties']?['description']}</p> <p class="\"editor-paragraph\"">@{body('Get_incident')?['properties']?['incidentNumber']}</p> <p>", "Importance": "Normal" }, "path": "/v2/Mail" }, "runAfter": { "Get_incident": [ "Succeeded" ] } } }, "outputs": {}, "parameters": { "$connections": { "type": "Object", "defaultValue": {} } } }, "parameters": { "$connections": { "type": "Object", "value": { "azuresentinel": { "id": "/subscriptions/xxxx/providers/Microsoft.Web/locations/xxxxx/managedApis/xxxxxxx", "connectionId": "/subscriptions/xxxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/azuresentinel-Revoke-RiskySessions1", "connectionName": "azuresentinel-Revoke-RiskySessions1", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "azuresentinel-1": { "id": "/subscriptions/xxxxxx/providers/Microsoft.Web/locations/xxxx/managedApis/xxx", "connectionId": "/subscriptions/xxxxxxx/resourceGroups/xxxxx/providers/Microsoft.Web/connections/xxxx", "connectionName": "xxxxxx", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "office365": { "id": "/subscriptions/xxxxxx/providers/Microsoft.Web/locations/xxxxx/managedApis/office365", "connectionId": "/subscriptions/xxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/connections/o365-Test_Send-email-incident-to-xxxx", "connectionName": "o365-Test_Send-email-incident-to-xxxxx" } } } } }
Solved
Amadou_OuryD
Copper Contributor
Apr 19, 2025
apis
automation
azure
detection
investigation
2.1KViews
0likes
2Comments
Sentinel Log Volume vs Defender Log Volume
Dear community, we're currently building up our first SOC service and wondering about the costs (not realy, we know that SIEM is expencive, but we don't understand the log volumes). We started with sentinel and enabled the XDR connector with all log sources (Device information, Defender for Identity etc). If we take a look into the LAW and log volumes for those tables, we've an ingest as shown in the following exibit: BUT, in comparison, we did a cost analysis with the real defender information (from Defender portal). We come to an estimated log volume from approx. 45GB (and usually billable around 25GB, because the customer has E5 licenses, which should include the AADNonInteractiveUserSignInLogs table (5MB/user/day for free) We're asking ourself why we got this differences in comparison to the last few days, shown in the exibit (attention: we started with a daily ingest cap, so the daily ingest would be around 90 - 100GB/day). Where is our mistake/lag of knowledge? Here are the KQL, sent wihtin the Defender portal to get the volumes from there AlertInfo | union AlertEvidence | summarize RecordCount = count(), AlertTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) EmailEvents | union EmailUrlInfo | union EmailAttachmentInfo | union EmailPostDeliveryEvents | union UrlClickEvents | summarize RecordCount = count(), MDOTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) IdentityLogonEvents | union IdentityQueryEvents | union IdentityDirectoryEvents | summarize RecordCount = count(), IDTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) DeviceInfo | union DeviceNetworkInfo | union DeviceProcessEvents | union DeviceNetworkEvents | union DeviceFileEvents | union DeviceRegistryEvents | union DeviceLogonEvents | union DeviceImageLoadEvents | union DeviceEvents | union DeviceFileCertificateInfo | summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) CloudAppEvents | summarize RecordCount = count(), CAppsTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) Thanks a lot! Best & have nice a nice easter :-)
Solved
M0nk3yOo
Copper Contributor
Apr 17, 2025
cost management
siem
193Views
0likes
2Comments
Logic app - Escaped Characters and Formatting Problems in KQL Run query and list results V2 action
I’m building a Logic App to detect sign-ins from suspicious IP addresses. The logic includes: Retrieving IPs from incident entities in Microsoft Sentinel. Enriching each IP using an external API. Filtering malicious IPs based on their score and risk level. Storing those IPs in an array variable (MaliciousIPs). Creating a dynamic KQL query to check if any of the malicious IPs were used in sign-ins, using the in~ operator. Problem: When I use a Select and Join action to build the list of IPs (e.g., "ip1", "ip2"), the Logic App automatically escapes the quotes. As a result, the KQL query is built like this: IPAddress in~ ([{"body":"{\"\":\"\\\"X.X.X.X\\\"\"}"}]) Instead of the expected format: IPAddress in~ ("X.X.X.X", "another.ip") This causes a parsing error when the Run Query and List Results V2 action is executed against Log Analytics. ------------------------ Here's the For Each action loop who contain the following issue: Dynamic compose to formulate the KQL query in a concat, since it's containing the dynamic value above : concat('SigninLogs | where TimeGenerated > ago(3d) | where UserPrincipalName == \"',variables('CurrentUPN'),'\" | where IPAddress in~ (',outputs('Join_MaliciousIPs_KQL'),') | project TimeGenerated, IPAddress, DeviceDetail, AppDisplayName, Status') The Current UPN is working as expected, using the same format in a Initialize/Set variable above (Array/String(for IP's)). The rest of the loop : Note: Even if i have a "failed to retrieve" error on the picture don't bother with that, it's just about the dynamic value about the Subscription, I've entered it manually, it's working fine. What I’ve tried: Using concat('\"', item()?['ip'], '\"') inside Select (causes extra escaping). Removing quotes and relying on Logic App formatting (resulted in object wrapping). Flattening the array using a secondary Select to extract only values. Using Compose to debug outputs. Despite these attempts, the query string is always malformed due to extra escaping or nested JSON structure. I would like to know if someone has encountered or have the solution to this annoying problem ? Best regards
Solved
Deleted
Apr 02, 2025
automation
azure
integration
KQL
kusto
94Views
0likes
1Comment
Affected rows stateful anomaly on database vs. Response rows stateful anomaly on database
Is there a difference between the two scheduled rules, "Affected rows stateful anomaly on database" and "Response rows stateful anomaly on database"? I can see that they have different descriptions: - Affected rows stateful anomaly on database - To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows. - Response rows stateful anomaly on database - To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows. This tells me the alerts query should be different. However, when I compare the two they are exactly the same.
Solved
lfg524
Copper Contributor
Feb 21, 2025
alerts
analytics
92Views
0likes
2Comments
KQL to match URL FW LOGS and Threatfox URL feeds
Hi all, I try to match RequestURL field (in CommonSecurityLog) from a Fortigate FW with URL Haus live feeds. The query does not produce any errors but it doesn't match anything. let ThreatFox = externaldata(URL: string ) ["https://threatfox.abuse.ch/export/csv/recent/"] with (format="txt", ignoreFirstRecord=True); let ThreatFoxUrl = ThreatFox | where URL contains "url" | extend URL = replace_string(URL, "\"", "") | extend parse_csv(URL) | extend URL = URL[2]; CommonSecurityLog | where RequestURL has_any (ThreatFoxUrl) The following query is working fine with HASH let MalwareBazaarMISP = externaldata(SHA256: string) ["https://bazaar.abuse.ch/export/txt/sha256/recent"] with (format="txt", ignoreFirstRecord=True); let SHA256Regex = '[a-f0-9]{64}'; let MaliciousSHA256 = materialize ( MalwareBazaarMISP | where SHA256 matches regex SHA256Regex | distinct SHA256 ); DeviceProcessEvents | where SHA256 has_any (MaliciousSHA256) Rehards, HA
Solved
HA13029
Copper Contributor
Feb 14, 2025
analytics
KQL
146Views
0likes
7Comments
SecurityIncident access from Sentinel tenants
Hello, My company's business model follows the Sentinel MSP with visibility to Customer Sentinel via Lighthouse. All the incidents from across the Customer Sentinels are located on the Sentinel MSP (since the detection rules reside on the Sentinel MSP). Although it might not be the usual MSP model (hosting incidents in the MSP Sentinel), we want to provide visibility to our Customers regarding their Incidents (with all updates) in a dashboard. Is there a possibility we can have a solution for this?
Solved
un1claudiu
Copper Contributor
Feb 06, 2025
Dashboards
siem
163Views
0likes
5Comments
Query to Fetch Sentinel Admin Activities from Sentinel
Hello, I would like to know if there is a specific query available to fetch Sentinel admin activities directly from Sentinel itself. Thank you!
Solved
Rayen
Copper Contributor
Jan 13, 2025
data collection
KQL
Log Data
siem
76Views
0likes
1Comment
Fetch Sentinel admin activity
Hello, I would like to know if there is a specific query available to fetch Sentinel admin activities directly from Sentinel itself. Thank you!
Solved
Rayen
Copper Contributor
Jan 13, 2025
analytics
data collection
Log Data
monitoring
playbooks
59Views
0likes
1Comment
ARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one. Jason
Solved
JMSHW0420
Iron Contributor
Dec 16, 2024
analytics
automation
Workbooks
936Views
0likes
15Comments

Resources

Tags

siem422 Topics
KQL291 Topics
data collection232 Topics
Log Data211 Topics
analytics154 Topics
azure149 Topics
automation140 Topics
integration127 Topics
kusto118 Topics
playbooks117 Topics