Recent Discussions
Dedicated cluster for Sentinels in different tenants
Hello I see that there is a possibility to use a dedicated cluster for a workspace in the same Azure region. What about workspaces that reside in different tenants but are in the same Azure region? Is that possible? We are utilizing multiple tenants, and we want to keep this operational model. However, there is a central SOC, and we wonder if there is a possibility to utilize a dedicated cluster for cost optimization.Issue connecting Azure Sentinel GitHub app to Sentinel Instance when IP allow list is enabled
Hi everyone, I’m running into an issue connecting the Azure Sentinel GitHub app to my Sentinel workspace in order to create our CI/CD pipelines for our detection rules, and I’m hoping someone can point me in the right direction. Symptoms: When configuring the GitHub connection in Sentinel, the repository dropdown does not populate. There are no explicit errors, but the connection clearly isn’t completing. If I disable my organization’s IP allow list, everything works as expected and the repos appear immediately. I’ve seen that some GitHub Apps automatically add the IP ranges they require to an organization’s allow list. However, from what I can tell, the Azure Sentinel GitHub app does not seem to have this capability, and requires manual allow listing instead. What I’ve tried / researched: Reviewed Microsoft documentation for Sentinel ↔ GitHub integrations Looked through Azure IP range and Service Tag documentation I’ve seen recommendations to allow list the IP ranges published at //api.github.com/meta, as many GitHub apps rely on these ranges I’ve already tried allow listing multiple ranges from the GitHub meta endpoint, but the issue persists My questions: Does anyone know which IP ranges are used by the Azure Sentinel GitHub app specifically? Is there an official or recommended approach for using this integration in environments with strict IP allow lists? Has anyone successfully configured this integration without fully disabling IP restrictions? Any insight, references, or firsthand experience would be greatly appreciated. Thanks in advance!Webinar Rescheduled: AI-Powered Entity Analysis in Sentinel's MCP Server
Hi folks! The webinar: AI-Powered Entity Analysis in Sentinel's MCP Server which was previously scheduled for: January 13th, 2026, has been rescheduled to: January 27th, 2026, at 9:00 AM PT. Please delete the old invite from your calendar and find the new one at aka.ms/securitycommunity. We apologize for the inconvenience and hope to see you there!Sentinel to Defender webinar series CANCELLED, will be rescheduled at a later date.
The Sentinel to Defender webinar series has been cancelled. Please visit aka.ms/securitycommunity to sign up for upcoming Microsoft Security webinars and to join the mailing list to be notified of future sessions. We apologize for any inconvenience.
Ingest IOC from Google Threat Intelligence into Sentinel
Hi all, I'm string to ingest IOCs from Google Threat Intelligence into Sentinel. I follow the guide at gtidocs.virutotal.com/docs/gti4sentinel-guide API KEY is correct. PS: I'm using standard free public API (created in Viru Total) Managed Identitity has been configured using the correct role. When I run the Logic APP, I received an HTTP error 403 "code": "ForbiddenError", "message": "You are not authorized to perform the requested operation" What's the problem ?? Regards, HAModernize security operations to secure agentic AI—Microsoft Sentinel at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across SecOps, data, cloud, and AI—and how to get more from the Microsoft capabilities you already use. This year, Microsoft Sentinel takes center stage with sessions and labs designed to help you unify data, automate response, and leverage AI-powered insights for faster, more effective threat detection. Featured sessions: BRK235: Power agentic defense with Microsoft Sentinel Explore Microsoft Sentinel’s platform architecture, graph intelligence, and agentic workflows to automate, investigate, and respond with speed and precision. BRK246: Blueprint for building the SOC of the future Learn how to architect a modern SOC that anticipates and prevents threats using predictive shielding, agentic AI, and graph-powered reasoning. LAB543: Perform threat hunting in Microsoft Sentinel Dive deep into advanced threat hunting, KQL queries, and proactive investigation workflows to sharpen your security operations. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions. Why attend: Ignite is your opportunity to see the latest innovations in Microsoft Sentinel, connect with experts, and gain hands-on experience. Sessions will also touch on future directions for agentic AI and unified SOC operations, as outlined in Microsoft’s broader security roadmap. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Connect with peers and security leaders through these signature security experiences: Security Leaders Dinner—CISOs and VPs connect with Microsoft leaders. CISO Roundtable—Gain practical insights on secure AI adoption. Secure the Night Party—Network in a relaxed, fun setting. Register for Microsoft Ignite >Data Connectors Storage Account and Function App
Several data connectors downloaded via Content Hub has ARM deployment templates which is default OOB experience. If we need to customize we could however I wanted to ask community how do you go about addressing some of the infrastructure issues where these connectors deploy storage accounts with insecure configurations like infrastructure key requirement, vnet intergration, cmk, front door etc... Storage and Function Apps. It appears default configuration basically provisions all required services to get streams going but posture configuration seems to be dismissing security standards around hardening these services.
Single Rule for No logs receiving (Global + Per-device Thresholds)
Hi everyone, I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes). In other SIEM platforms there’s usually: A global threshold (e.g., 60 minutes) for all sources. Optional per-device/per-table thresholds that override the global value. Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency? Also, if there are other approaches you use to manage “logs not received” detection, I’d love to hear your suggestions as well. This is a sample of my current rule let threshold = 1h; AzureActivity | summarize LastHeartBeat = max(TimeGenerated) | where LastHeartBeat < ago(threshold)Security in Hybrid & Multi-Cloud Environments
Just completed a project on securing hybrid and multi-cloud environments. I explored the challenges of managing security across Azure, AWS, GCP, and on-prem, and how tools like Microsoft Sentinel help bring centralized visibility. Security isn’t one-and-done — it’s a continuous process of monitoring, automation, and enforcing least privilege.
Multi-trigger Playbooks & Renamed Triggers
Hello Sentinel enthusiasts, In some cases, deploying a playbook with multiple triggers is a much easier solution than having 9 playbooks which do the same thing. In the specific example I'm going for I have developed a playbook which requires the user to change their password within a certain amount of time. We want to have the ability to have three triggers for the playbook - incident, entity and http (for external orchestration platforms) - then we also want to have the option for it to be instant, or within a configurable number of days/hours (1day, 7days). In this situation the native way would be to have 9 playbooks in total - seems like a big amount for a simple action. I attempted to initially develop these playbooks with all three triggers in a base template which is deployed using bicep - success. But what do you know, at first, I could only see the playbook in the automation playbook list saying "Sentinel Action" but I couldn't trigger it from an actual incident or entity. Turns out this was because I had given the trigger a different display name than the default. This specific case seems a bit odd to me because the underlying data is the same, nonetheless - not a huge issue, change the display name to the default and voila. My next surprise was when I realised that the Sentinel UI will only pick up the first trigger to run a playbook. i.e. if I define an entity trigger first then an incident trigger, I cannot see it appear to trigger for an incident and vice versa. So, I set on a mission and was able to create a chromium extension which will modify the resource response - to duplicate a playbook once for every trigger it has (only in the azure portal PWA) and what do I know - everything works perfectly as if it was fully supported. It would be great if these UI bugs could be fixed as they seem pretty trivial and don't seem to require a major change, considering it is solely a frontend bug - especially if I can create an extension which resolves the issue. Obviously, this is not an ideal scenario in production. Garnering some support to have this rectified would be great and it would also be cool to hear people's opinions on this ~SebS1 Data Connector malfunctioning?
I am utilizing the S1 codeless data connector available in the content hub. It would seem that only a few tables are actually populating with data now. Threats and Alerts are no longer being captured. Is anyone else experiencing this? Any work arounds available? Any suggestions would be much appreciated!CCP ProofPoint and Zscaler
Hi, I have ProofPoint and Zscaler Data Connector which appear to show as Deprecated. Logs are still flowing via native Azure Function uninterrupted. Per PP - CCP is suggested approach to replace Zscaler - No replacement method but I assume this will also require CCP Has anyone created CCP for these and successfully deployed these solutions?
Retrieving MailAddress from Entity for Logic App
I'm trying to put together a logic app that will reset a users password and also send them an email notifying them why their password was reset. The logic app triggers off a sentinel incident. The users email address I need to send to is from the Entities properties of the Sentinel incident. How can I extract the users email address? Its in the "MailAddress" property of each Entity. I believe Im going to have to parse it out of the JSON result but need some guidance if that is the case. Appreciate any help.
Log Analytics Workspace - ThreatIntelIndicators
Morning! I have been working on migrating some of our tenant analytic rules to use the new TI ThreatIntelIndicators table. However, I noticed the following: When querying against the new table, I get these values in a tenant log workspace When I do the same query in another tenant logs workspace, I get this result back If I expand the query to grab last 7 days, I get results back but they are wildly different from what I see from one tenant to another. I can find big and small discrepancies in the logs I see. I still can't find the connector on the connectors page (When I filter them out by data type). I can see the one that is being used for the soon to be decommissioned table. As far as I understand, the connector is not going to be changed per se, just how we access the logs from any given log analytics workspace. I'm expecting to see the same values across my log workspaces since it comes from the same connector, and provided by MS, or is this ingestion of TI logs tenant scope and each one has different settings? I couldn't find something that tells me this in the docs. Or is this part of the rollout problems we are expecting to see? Thanks!
Unknown Behaviour Involving GroupsService in OfficeActivity
I have spotted a few hundred events with the following KQL query in my environment. This is the result of one of the entries. It looks like a regular legitimate behaviour by Microsoft but I don't seem to find any documentation about it. Can anyone share the insight of it? Thank you!AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!Juniper SRX 340 logs not read by rsyslog
I have configured Juniper SRX 340 Junos logs to be forwarded to a centralized syslog server before reaching Microsoft Sentinel. I can see the Juniper logs on the syslog server while doing a TCPDUMP but, the same logs are not ready by rsyslog. The same syslog server is also receiving the logs from Cisco ASA. The rsyslog is able to read the ASA logs with no issues and further forward them to Sentinel through AMA agent. I don't have any filters applied in rsyslog.conf file and I'm capturing everything (*.*) all syslog facility and severity to a log file but, still the Juniper logs are not recognized by rsyslog. Please help on resolving this issueBug in stand-alone MS Sentinel MITRE tactics
I setup a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually show up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?
Recent Blogs
- March brings a set of updates to Microsoft Sentinel focused on helping your SOC automate faster, onboard data with less friction, and detect threats across more of your environment. This month's up...Mar 04, 2026
- Threat hunting in Microsoft Sentinel goes beyond relying on scheduled analytics rules. It’s about proactively asking better questions of your data to uncover stealthy or emerging attacker behavior be...Feb 27, 2026
