Latest Discussions
GITHUB - AI Sentinel attack simulation

The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used for testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried, and with AI prompting, simulated attack events can be created against our Sentinel test environments, which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175

Laurie_Rhodes | Dec 21, 2024 | Brass Contributor | 59 Views | 1 like | 1 Comment

Why maximum supported DataFlow count is 10 in DCR?

Is there any technical reason why a DCR can support a maximum of 10 dataflows? There are already 10 ASim tables. If we want to combine standard tables with ASim tables in one DCR, that is currently not possible. It makes the process complicated. Also, is that the same reason why the designated ASim table count is currently 10? :)

yusufozturk | Dec 21, 2024 | Copper Contributor | 4 Views | 0 likes | 0 Comments

ARM template for deploying a workbook template to Microsoft Sentinel

Hello, I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one.

Jason

Solved | JMSHW0420 | Dec 29, 2024 | Iron Contributor | 163 Views | 0 likes | 15 Comments

Cannot access aka.ms/lademo

Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and different accounts, but it does not work. Can you help confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.

Solved | NikolasMS | Dec 21, 2024 | Copper Contributor | 121 Views | 1 like | 2 Comments

How to integrate Beyond Trust Logs With Sentinel

Hi all, how do we integrate Beyond Trust logs with Sentinel? Do we have a data connector? As checked, there is no data connector for this. Please let me know, and also what logging level is required on the Beyond Trust side.

Sand_Sentinel87 | Dec 20, 2024 | Copper Contributor | 24 Views | 0 likes | 1 Comment

Using Playbook_ARM_Template_Generator

Hi, trying to use the Playbook_ARM_Template_Generator where a user-assigned managed identity is used for connections. The generator doesn't seem to strip this out and then complains on deployment. Anyone had any success with this? Many thanks, Tim

tipper1510 | Dec 19, 2024 | Brass Contributor | 11 Views | 0 likes | 0 Comments

Sentinel IP for WEST EUROPE

Hi. I have this issue where I have Sentinel and need the data connector set up for accessing GitHub. If my GitHub org has the IP allow list enabled, this does not work. So I need to find the IPs that the connector talks out from Azure / Sentinel with when hitting the GitHub service, so I can whitelist those. If I take the IP scopes for Sentinel, they are quite extensive, and it cannot be that I need to whitelist every single Azure Monitor/Sentinel IP just to get those that Sentinel uses to talk to an API. But how can I find the needed IPs? Or is there another way to get audit logs from GitHub when there are IP restrictions enabled on the GitHub organization (in a GitHub Cloud Enterprise setup)?

zazh | Dec 18, 2024 | Copper Contributor | 8 Views | 0 likes | 0 Comments

Is there a way to use or convert YARA rule to Sentinel KQL query for detections

I have noticed that most malware detections are released in the YARA language, and Sentinel does not have baked-in support for YARA rules. Keen to understand how others are dealing with this situation.

deepak198486 | Dec 18, 2024 | Copper Contributor | 7.9K Views | 1 like | 3 Comments

Investigation Insights Workbook IP address Search

Is there a way to roll back to a previous version of the Investigation Insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addresses from the entity list. This was really useful when wanting to just search on an IP address that was suspect and related IOCs, account sign-ins, etc. Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.

danny_grasso | Dec 18, 2024 | Brass Contributor | 43 Views | 0 likes | 3 Comments

Microsoft Defender Vulnerability Management Data in Sentinel

Anyone know when Microsoft Defender Vulnerability Management data will be available in the Microsoft Defender XDR connector in Sentinel? If it won't be available soon, what is the best way to collect Vulnerability Management data into Sentinel? Thanks

JamesY650 | Dec 18, 2024 | Copper Contributor | 19 Views | 0 likes | 1 Comment
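Following up on the YARA question above (deepak198486, Dec 18, 2024): the script below is an added example, not code from any of the posts or from Microsoft. It translates the string-based parts of a YARA rule into a KQL query. Text strings become contains_cs (or contains when the rule says nocase), regex strings become matches regex (KQL uses RE2, which accepts the (?i) flag), and the condition becomes either a match count for "N of them" or a boolean filter for expressions such as "$a and not $b". Hex byte patterns are emitted as false, because log telemetry carries no raw file bytes; that is the real limit of any YARA-to-KQL conversion, and a translated rule only covers what the chosen column (here a command line) actually contains. The target table and column (DeviceProcessEvents, ProcessCommandLine) and the sample rule are assumptions chosen for illustration.

```python
"""Translate the string-based parts of a YARA rule into a Sentinel KQL query.

Added example; the table/column defaults and the sample rule are assumptions.
Only text and regex strings are translated; hex patterns have no equivalent
in log telemetry and are emitted as a constant false.
"""
import re
from dataclasses import dataclass


@dataclass
class YaraString:
    name: str
    kind: str        # "text", "hex" or "regex"
    value: str
    nocase: bool


# rule <name> [: tags] { <body> }  -- body runs to the rule's closing brace
RULE_RE = re.compile(r'rule\s+(\w+)\s*(?::[^{]*)?\{(.*)\}\s*$', re.S)
STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$')
# opening delimiter -> (kind, closing delimiter)
DELIMS = {'"': ("text", '"'), '/': ("regex", '/'), '{': ("hex", '}')}


def split_string_def(rhs):
    """Split the right-hand side of '$x = ...' into (kind, value, modifiers)."""
    if rhs[0] not in DELIMS:
        raise ValueError(f"unsupported string definition: {rhs}")
    kind, close = DELIMS[rhs[0]]
    end = rhs.rfind(close)
    value = rhs[1:end].strip() if kind == "hex" else rhs[1:end]
    return kind, value, rhs[end + 1:].split()   # modifiers: nocase, wide, ascii, ...


def parse_rule(text):
    """Return (rule name, list of YaraString, condition text) for one rule."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("no YARA rule found")
    name, body = m.group(1), m.group(2)
    strings_blk = re.search(r'strings:(.*?)condition:', body, re.S)
    cond = re.search(r'condition:(.*)', body, re.S).group(1).strip()
    strings = []
    for line in (strings_blk.group(1) if strings_blk else "").splitlines():
        sm = STRING_RE.match(line)
        if sm:
            kind, value, mods = split_string_def(sm.group(2))
            strings.append(YaraString(sm.group(1), kind, value, "nocase" in mods))
    return name, strings, cond


def kql_literal(s):
    """KQL verbatim string: backslashes are literal, only quotes need doubling."""
    return '@"' + s.replace('"', '""') + '"'


def string_to_kql(s, column):
    """One '| extend m_<name> = <bool>' line per YARA string."""
    if s.kind == "text":
        # YARA text strings are case-sensitive unless 'nocase'; KQL 'contains' is not
        op = "contains" if s.nocase else "contains_cs"
        expr = f'{column} {op} {kql_literal(s.value)}'
    elif s.kind == "regex":
        pat = ("(?i)" if s.nocase else "") + s.value   # RE2 inline flag
        expr = f'{column} matches regex {kql_literal(pat)}'
    else:
        expr = 'false  // hex pattern has no equivalent in log telemetry'
    return f'| extend m_{s.name} = {expr}'


def condition_to_kql(cond, names):
    """'N of them' becomes a match count; boolean expressions map to KQL 1:1."""
    m = re.fullmatch(r'(\d+|any|all)\s+of\s+them', cond)
    if m:
        n = {"any": 1, "all": len(names)}.get(m.group(1))
        if n is None:
            n = int(m.group(1))
        return " + ".join(f"toint(m_{x})" for x in names) + f" >= {n}"
    return re.sub(r'\$(\w+)', r'm_\1', cond)   # $a and not $b -> m_a and not m_b


def yara_to_kql(rule_text, table="DeviceProcessEvents", column="ProcessCommandLine"):
    """Build a complete query: table, time filter, one flag per string, condition."""
    name, strings, cond = parse_rule(rule_text)
    lines = [f"// generated from YARA rule {name}", table, "| where Timestamp > ago(1d)"]
    lines += [string_to_kql(s, column) for s in strings]
    lines.append("| where " + condition_to_kql(cond, [s.name for s in strings]))
    return "\n".join(lines)


# Constructed sample rule for illustration, not a real malware signature.
SAMPLE_RULE = r'''
rule Suspicious_Loader {
    meta:
        description = "constructed example"
    strings:
        $a = "rundll32.exe" nocase
        $b = { 4D 5A 90 00 }
        $c = /-enc(odedcommand)?\s+[A-Za-z0-9+\/=]{20,}/ nocase
    condition:
        2 of them
}
'''

if __name__ == "__main__":
    print(yara_to_kql(SAMPLE_RULE))
```

Run it as-is and paste the printed query into Log Analytics; the hex string $b contributes nothing to the count, so the sample rule effectively requires both the rundll32 and encoded-command strings. Rules whose condition relies on file size, PE metadata, or byte offsets have no log-side equivalent and should be left to Defender for Endpoint's custom indicators or a file-scanning pipeline.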