Learning Sentinel inc

Question

HelloI am looking for advise, not sure what I am doing wrong 🙂 I am learning how to create incidents in Sentinel.so I created detection rule looking for Suspicious Encoded Powershell, then I back to my&nbsp; to VM and run encoded PowerShell command and i cant see any incident in sentinel... I also check defender i have a few indecent regarding this activity. Why i cant see any incident in sentinel?&nbsp;&nbsp;I used this rule:github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting%20Cases/Suspicious%20Encoded%20Powershell.md&nbsp;Ps: is possible to add screenshots here?&nbsp;&nbsp;&nbsp;&nbsp;

pingmetiwce · Answer

maybe is something with connectors (which connector i need to connect?)

clive_watson · Answer

pingmetiwce&nbsp;1. You can paste in a screenshot or attach a file here. When you create a message or REPLY - there is an "Open Full Text Editor" link to press2. Do you have the DeviceProcessEvents Table connected from the "Microsoft 365 Defender (preview)" connector?&nbsp; Note, Raw events like this are billable (the Alerts are free), so keep that in mind if you start to ingest these.&nbsp;&nbsp;

pingmetiwce · Answer

Clive_Watson&nbsp;thanks for your answers. I have this connector enabled. I would like to add screenshots but I have this message :&nbsp;You do not have permission to upload images.&nbsp;

jonhed · Answer

pingmetiwce&nbsp;Did you configure the "Connect incidents &amp; alerts", within the Microsoft 365 Defender data connector?You mentioned that incidents appear in Microsoft 365 defender and not in Sentinel, so it sounds like the detection rule was created in Microsoft 365 defender (Custom detection rule) and not in Sentinel (Analytics rule).&nbsp;

Forum Discussion

Learning Sentinel inc

4 Replies

Resources