Forum Discussion

pingmetiwce's avatar
pingmetiwce
Copper Contributor
Oct 07, 2022

Learning Sentinel inc

Hello I am looking for advise, not sure what I am doing wrong 🙂 I am learning how to create incidents in Sentinel. so I created detection rule looking for Suspicious Encoded Powershell, then I bac...
detection
microsoft defender for endpoint
monitoring
soar
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Oct 07, 2022

pingmetiwce 

1. You can paste in a screenshot or attach a file here. When you create a message or REPLY - there is an "Open Full Text Editor" link to press

2. Do you have the DeviceProcessEvents Table connected from the "Microsoft 365 Defender (preview)" connector?  Note, Raw events like this are billable (the Alerts are free), so keep that in mind if you start to ingest these.

 

 

pingmetiwce's avatar
pingmetiwce
Copper Contributor
Oct 07, 2022

Clive_Watson 


thanks for your answers. I have this connector enabled. I would like to add screenshots but I have this message : You do not have permission to upload images.

 

  • Jonhed's avatar
    Jonhed
    Steel Contributor
    Oct 09, 2022

    pingmetiwce 
    Did you configure the "Connect incidents & alerts", within the Microsoft 365 Defender data connector?


    You mentioned that incidents appear in Microsoft 365 defender and not in Sentinel, so it sounds like the detection rule was created in Microsoft 365 defender (Custom detection rule) and not in Sentinel (Analytics rule).