User Profile
mikhailf
Steel Contributor
Joined Jun 16, 2021
Recent Discussions
Re: Alert tuning for Custom detection rules
We're trying to set up an alert tuning rule for some of our custom detection alerts. The rule itself is straightforward: it should automatically resolve alerts based on the alert name and a few additional conditions. However, it doesn't seem to work. I came across this thread: Alert Tuning (formerly Alert Suppression) Issues | Microsoft Community Hub. Unfortunately, the article linked there doesn't mention anything about custom detections. Does anyone know whether alert tuning still doesn't support custom detection alerts?

Microsoft Sentinel - Alert suppression
Hello Tech Community, Working with Microsoft Sentinel, we sometimes have to suppress alerts based on information about UPN, IP, hostname, and other fields. Let's imagine we need to suppress 20 combinations of UPN, IP and hostname. Sometimes the suppression fields should be empty or should be wildcarded (meaning it can be any value in the log that should be suppressed). What is the best way to suppress alerts?
- Automation rules - seem not flexible and work only with entities.
- Watchlist with "join" or "where" operator - good option, but doesn't support * (wildcard)
- Hardcoded in KQL - not flexible, especially when you have SDLC processes
Please, your ideas and advice.

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

Cross-workspace incident management
Hello Tech Community, We are looking for a solution to manage incidents in several Sentinel workspaces within the same tenant.
1. We reviewed Azure Lighthouse and it seems to work only for cross-tenant management
2. We saw the option to mark the workspaces we want to monitor and click on "View incidents"
3. We also considered building the dashboard in a Workbook
Could you please say if there is any other option to have a unified dashboard for managing incidents from several Sentinels within the same tenant?

Re: Salesforce to Sentinel Integration
Hello Prasanthdas545, Yes, first, you need to deploy the Function App. Second, you need to configure Environment variables in that Function App (check here what it looks like: Configure function app settings in Azure Functions | Microsoft Learn). These variables should contain info about the connection to Salesforce (URLs, API keys, etc.). To obtain those variables from Salesforce you need to create an application on Salesforce. This part is the trickiest and we did it with the Salesforce team. Unfortunately, I don't have any videos of the process.

Re: Salesforce to Sentinel Integration
Hello Prasanthdas545, The fastest way is to deploy the Function App offered by Sentinel (in the Salesforce connector menu). Before that you need to create an application on the SalesForce side (we did it with their support). And lastly, the events that you receive from SalesForce depend on the type of license you have.

Export data from Log Analytics Workspace to Storage Account
Hello community, Could you please recommend a solution to migrate data from a Log Analytics Workspace (1 table) to a Storage Account? There are about 70 million rows that should be exported. Continuous export is not the solution here. We were thinking about a Logic App but there is too much data.

Re: CommonSecurityLog and DCR Table Transformation
Hello HA13029, Try the 4th step from here: (2) Filter & Split Firewall/CEF logs into multiple Sentinel tables (analytics/basic tier) to save on ingestion costs | LinkedIn. You can transform the logs in the DCR. Just edit it and add the KQL you mentioned in your question. It should work well.

"Dynamics 365 CRM" app is identified as "PowerApps - apps.powerapps.com"
Hello community, We have an interesting situation with the Dynamics 365 CRM app in Sign-in logs. When a user logs into the Dynamics app, we see "PowerApps - apps.powerapps.com" in the Sign-in logs in Entra ID. A support engineer from Microsoft explained it as service dependencies: Conditional Access service dependencies - Microsoft Entra ID | Microsoft Learn. We see that there is a dependency with Project, but not with Power Automate (could it be missing from the Microsoft article?). Does anybody here see similar behavior? We found it while working on a conditional access policy for Dynamics.

Re: Conditional Access and Intune Protection policy
Hello JosvanderVaart, I managed to log into Outlook, however it didn't work with MS Teams. I got the error message that the app should be protected with an Intune policy. In my environment the App Protection policy is applied for All Microsoft apps (and I believe Teams is a part of this). It also didn't work for the Microsoft OneDrive app. "The app must be protected with an Intune policy before you can access company data. Please contact your IT help desk for more information". How is it supposed to work?

Conditional Access and Intune Protection policy
Hello Community, This question is about Conditional Access and the Intune Application Protection policy. What if I have a Conditional Access policy that requires an app protection policy applied on devices to access resources using Microsoft Apps (Outlook, Word, Excel, SharePoint, etc.)? What happens when I have a new user created and this user is trying to log into an app on his phone? The new user won't get the App Protection policy until he logs in; however, he can't log in because he has no app protection policy enabled. Could anybody send me a reference or tell me about his/her experience?

Windows Server 2012 ESU - Key Activation
Hello Community, Could anyone here help me to understand how Windows Server 2012/R2 Extended Security Updates work? We purchased the Multiple Activation Key (MAK) and tried to activate it on our Windows servers but it showed that the key is invalid. Tried to deploy and activate the ESU MAK add-on key by using Slmgr.vbs or the VAMT tool but it didn't work. Tried to open a case with Microsoft via Services Hub (microsoft.com). It didn't allow us to open a case via the portal but only by phone. Called by phone, but the robot on the other side didn't forward us to a human and only disconnected the call. So we are stuck. No activation, no updates, no support. But the money was spent. 🙂