Learning Sentinel inc

Hello
I am looking for advice, not sure what I am doing wrong :) I am learning how to create incidents in Sentinel.

So I created a detection rule looking for Suspicious Encoded PowerShell, then I went back to my VM and ran an encoded PowerShell command, and I can't see any incident in Sentinel... I also checked Defender and I have a few incidents regarding this activity. Why can't I see any incident in Sentinel?

I used this rule:
github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting%20Cases/Suspicious%20Encoded%20Powershell.md

PS: Is it possible to add screenshots here?

4 Replies
Maybe it is something with connectors (which connector do I need to connect?)

@pingmetiwce 

1. You can paste in a screenshot or attach a file here. When you create a message or REPLY - there is an "Open Full Text Editor" link to press

[screenshot: Clive_Watson_0-1665143242748.png]

2. Do you have the DeviceProcessEvents table connected from the "Microsoft 365 Defender (preview)" connector? Note, raw events like this are billable (the alerts are free), so keep that in mind if you start to ingest these.

[screenshot: Clive_Watson_1-1665143368770.png]

@Clive_Watson 

Thanks for your answers. I have this connector enabled. I would like to add screenshots but I get this message: "You do not have permission to upload images."

@pingmetiwce 
Did you configure the "Connect incidents & alerts", within the Microsoft 365 Defender data connector?

[screenshot: Jonhed_0-1665323948689.png]


You mentioned that incidents appear in Microsoft 365 Defender and not in Sentinel, so it sounds like the detection rule was created in Microsoft 365 Defender (Custom detection rule) and not in Sentinel (Analytics rule).
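To tie the two answers together (DeviceProcessEvents coming in through the Microsoft 365 Defender connector, and the rule having to be a Sentinel Analytics rule rather than a Defender custom detection), here is an added KQL example of what such a scheduled Analytics rule query can look like. It is my own illustration, not the rule from the linked Bert-JanP repository and not Microsoft's; the `lookback` value and the list of keywords it flags are assumptions you would tune for your environment.

```kql
// Added example: a Sentinel scheduled Analytics rule query over DeviceProcessEvents.
// DeviceProcessEvents is populated by the Microsoft 365 Defender connector (raw
// events, billable). Saved as a Sentinel Analytics rule it produces Sentinel
// incidents; saved as a Defender custom detection it would only produce Defender
// incidents, which is the situation described in this thread.
let lookback = 1h;   // assumption: match this to the rule's "Run query every" / lookback
DeviceProcessEvents
| where TimeGenerated >= ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Pull out the base64 blob that follows -e / -ec / -en / -enc / -EncodedCommand.
| extend EncodedCommand = extract(
    @"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})",
    1, ProcessCommandLine)
| where isnotempty(EncodedCommand)
// -EncodedCommand is UTF-16LE. base64_decode_tostring() treats the bytes as UTF-8,
// which leaves a NUL byte after every character, so strip the NULs before matching.
| extend DecodedCommand = replace_regex(
    base64_decode_tostring(EncodedCommand), @"\x00", "")
| where isnotempty(DecodedCommand)
// Assumed keyword list: constructs that are common in encoded one-liners. While
// testing on a lab VM you can drop this filter to alert on every encoded command.
| where DecodedCommand matches regex
    @"(?i)(invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient|invoke-webrequest|frombase64string|\s-nop\b|\s-noprofile\b|windowstyle\s+hidden|executionpolicy\s+bypass)"
| project TimeGenerated, DeviceName, AccountName,
    InitiatingProcessFileName, FileName, ProcessCommandLine, DecodedCommand
// In the Analytics rule wizard, map Host -> DeviceName and Account -> AccountName
// so the resulting incident carries entities.
```

Two checks before expecting an incident: run the query on its own in Sentinel's Logs blade first (if DeviceProcessEvents returns nothing at all, the table is not being ingested, which is Clive's point), and confirm the rule is listed under Sentinel > Analytics as a Scheduled rule, not under Defender's custom detections (Jonhed's point).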