Latest Discussions
SecurityIncident access from Sentinel tenants
Hello, my company's business model follows the Sentinel MSP model, with visibility into the Customer Sentinels via Lighthouse. All the incidents from across the Customer Sentinels are located in the Sentinel MSP (since the detection rules reside in the Sentinel MSP). Although it might not be the usual MSP model (hosting incidents in the MSP Sentinel), we want to provide visibility to our Customers regarding their Incidents (with all updates) in a dashboard. Is there a possibility we can have a solution for this?
Solved | un1claudiu | Feb 06, 2025 | Copper Contributor | 62 Views | 0 likes | 5 Comments

ARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM Template (executed using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery, but not for it to be present in the Microsoft Sentinel one. Jason
Solved | JMSHW0420 | Dec 16, 2024 | Iron Contributor | 382 Views | 0 likes | 15 Comments

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and a different account, but it does not work. Can you help confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.
Solved | NikolasMS | Dec 06, 2024 | Copper Contributor | 180 Views | 1 like | 2 Comments

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is that the manager is more likely to know whether the files being downgraded are sensitive, personal or inconsequential, and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, and I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails to be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.
Solved | Cameron_Stephens | Nov 01, 2024 | Copper Contributor | 205 Views | 0 likes | 7 Comments

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, As a troubleshooting step, I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extension - Uninstall, but it went into the "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to the "Deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; still it shows the deleting state only. So, I tried uninstallation directly from the server using the command azcmagent extension remove --name AzureMonitorWindowsAgent and got the below error. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder where the error is showing above. The JSON file has the content shown below. Now after this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh
Solved | JohnWickXV | Oct 29, 2024 | Copper Contributor | 197 Views | 0 likes | 2 Comments

Azure Lighthouse Query
Hi All, I am in the process of creating the ARM template to deploy Azure Lighthouse in our environment. I am pretty new to this platform. I request everyone's support to understand the design and concept of Sentinel. As far as I am aware, to deploy multi-tenant we are required to set up Azure Lighthouse. On referring to the KB article to create the ARM template, there was a field called "Delegated scope" where we need to choose either "subscription" or "resource group". I would like to understand the difference between them. Kindly support.
Solved | venkataramanan6224 | Sep 30, 2024 | Copper Contributor | 400 Views | 0 likes | 2 Comments

KQL query to ignore placeholders
Hi Team, Can you please provide me a query to ignore the account field that has "-\- "?
Solved | Nimantha_Deshappriya | Sep 27, 2024 | Copper Contributor | 362 Views | 0 likes | 2 Comments

Define workbook export parameter default value
I have a number of Sentinel workbook queries where I click on a value in the 1st query which is then exported as a parameter to be used in a 2nd query. This is working great, except when the workbook is first loaded: because I haven't clicked on anything in the 1st query, the 2nd query displays the following error. How can I specify a default value to satisfy the query until I click on a value?

Query could not be parsed at ')' on line [2,21] Token: ')' Line: 2 Position: 21

The first 2 lines of the 2nd query look like this:

let ActivityType = dynamic({AType});
CloudAppEvents | where...

Any help to resolve this error is appreciated.
Solved | Cameron_Stephens | Aug 20, 2024 | Copper Contributor | 473 Views | 0 likes | 2 Comments