Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !
Zscaler Private Access Solution not receiving data
EDIT: Solved by switching to a default Ubuntu VM. No idea what exactly it is about default Ubuntu that makes it work. We have been trying to get the logs from Zscaler Private Access connected to our Sentinel instance, with 0 success so far. We've followed the instructions on the data connector page perfectly, but there simply isn't any data from Zscaler coming into Sentinel and we cannot figure out why - We've installed the Log Analytics (OMS) agent successfully. We can see a Heartbeat coming in and even the syslog of the machine. This should prove the connection between the VM and Sentinel is working - We've placed the VM in the same subnet as the ZPA log receivers, opened the correct ports and firewall rules and we can see traffic on our VM coming from the log receivers via tcpdump. This should prove the connection between Zscaler and the VM working - We can't find any errors in the OMS agent logs. It seems to load the provided zpa.conf file correctly. - We triple checked all the steps, every step is taken correctly But there are no ZPA logs in Sentinel I've searched around and there seem to be multiple people (even in the reviews section of the solutions) running into issues with this, but there are no solutions posted anywhere Did anyone have any luck with getting this solution to work? And can you share how you did it?Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !
Qualys Vulnerability management integration with Function app
Hello, I have deployed Qualys VM with sentinel by Azure function app. I am not getting any error, function app is working fine. I am getting blank output: Furthermore, I have not added any filter parameter in environment variables and don't have any idea what could be added here. Since the output is blank Qualys data connector is showing status disconnected. If anyone can help me out please comment below. TIAFetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentName | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring." | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now()) | sort by CreatedTime | mv-expand AlertIds | extend AlertId = tostring(AlertIds) | join (SecurityAlert | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now()) | summarize arg_max(TimeGenerated, *) by SystemAlertId | project-rename AlertId = SystemAlertId) on AlertId Is this enough to achieve what I need or is there any changes that needs to be made ?Can we deploy Bicep through Sentinel repo
Hi there, Im new here, but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_sec
GITHUB - AI Sentinel attack simulation
The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used with testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried... ... and with AI prompting, simulated attack events can be created against our Sentinel test environments. Which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175
Sentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector setup for accessing Github. If my github Org do have IP Allow list enabled this do not work. So I need to find the IP's that the Connector talks out from Azure / Sentinel with when hitting the github service so I can whitelist those. If I take the IP scopes for Sentinel they are quite extensive and it cannot be that I need to whitelist every single Azure monitor/sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IP's Or is there another way to get Audit logs from Github when there is IP restrictions enabled on the Github organization (in a github cloud enterprice setup)Sentinel query KQL with variables
Hello! I need to use variables as parameters of functions in Sentinel Logs. I have: let t = "Syslog"; let name = "my-Sentinel"; let id = "abc123"; Well, if do this, it works fine: table("Syslog") table(t) workspace("my-Sentinel").table("Syslog") workspace("my-Sentinel").Syslog But i need to work this: worskpace(name).table(t) or let x=strcat("workspace('", name, "')"); let y=strcat("table('", t, "')"); x.y In general seems that the function workspace() doesent work with a variable as parameter, but the function table() if alone it works: workspace("my-Sentinel") -> YES workspace(n) -> NO table("Syslog") -> OK table(t) -> OK Any idea how to make it works? In particulary to do this: workspace(name).table(t) Thanks!!!
