User Profile
GBushey
Former Employee
Joined Aug 18, 2022
Recent Discussions
Re: Azure Activity connector

Not sure how long you have waited to see if it is connected, but it can take a while (like an hour) before it will show up. Also, keep in mind that it determines if it is connected by querying the table, AzureActivity in this case. If you do not have any activity for a while, the query will not return anything, so it will appear to be disconnected. This is the situation in my demo environment right now.

Re: What's New: Tags column is now available in Azure Sentinel incidents page!

They are referred to as "labels" in the REST API documentation. I have an example with them in my Sentinel development EBook: https://garybushey.com/2023/11/27/programming-book-version-1-0-finally-ready/

Re: Sentinel missing Entra ID risky user

The data connector will populate the AADUserRiskEvents table, like you just saw. If you look at the "Microsoft Entra ID" data connector, you will see the listing of tables that it will populate. The only way you would be notified about the event is if you have an Analytic Rule to query this table for the event.

Re: Bulk Closure of old Incidents via PowerShell

Like Rod mentioned, it may be the total amount of rules you are trying to work with that is causing the issue. I have not looked at the code for "Get-AzSentinelIncident", but the REST API only returns 50 items at one time by default. You could call the REST API directly and then use the "nextLink" that gets returned as the "skipToken" for the next call and iterate through your 8K incidents that way. https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/list?tabs=HTTP

Re: uninstall syslog connector inside Sentinel

I think, but have not tried, that if you change your workspace's keys that should do it. I do not believe the keys get automatically updated in the syslog servers. Just beware that other connectors or APIs may be using those keys as well.

Re: Best Time Field to Query Security Incidents

tipper1510, if you are unaware, Sentinel will create a new row in the "SecurityIncidents" table each time an incident has been modified. Therefore, if you look at the first time an incident shows up in the table, the TimeGenerated and the CreatedTime should be the same. After that, the TimeGenerated will be the time that the row was created, but the CreatedTime will stay the same. So, the answer would be: it depends. You can look for the maximum TimeGenerated for a given incident number to make sure you have the latest changes, but if you just look for the CreatedTime, you could end up with multiple rows. Hope that makes sense.
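The two incident-handling points in the replies above (walking the incidents REST listing page by page via nextLink, and keeping only the newest SecurityIncident row per incident number, which the KQL arg_max operator does) as one added Python example. This is not the forum author's code or Microsoft's: the list endpoint's response shape (a JSON body with "value" and an optional "nextLink") comes from the linked REST docs, while the resource path, the api-version value, the fake paged server and the sample rows are constructed placeholders so the script runs offline.

```python
"""Added example: paginate the Sentinel incidents list and pick the latest row per incident."""
from __future__ import annotations

import json
import urllib.request
from typing import Callable, Iterator

# Constructed placeholder path; substitute your own subscription, resource group and
# workspace. The api-version value is an assumption; use the one shown in the REST docs.
INCIDENTS_URL = (
    "https://management.azure.com/subscriptions/<subscription-id>"
    "/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights"
    "/workspaces/<workspace>/providers/Microsoft.SecurityInsights/incidents"
    "?api-version=2024-03-01"
)


def http_fetch(url: str, token: str) -> dict:
    """Real GET against Azure Resource Manager with a bearer token (not used offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def iter_incidents(start_url: str, fetch: Callable[[str], dict],
                   max_pages: int = 1000) -> Iterator[dict]:
    """Yield every incident, following nextLink until the service stops returning one.

    nextLink already carries the $skipToken for the next page, so it is requested as-is.
    A seen-URL set and a page cap keep a misbehaving service from looping forever.
    """
    url = start_url
    seen: set[str] = set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError(f"nextLink cycle detected at {url}")
        seen.add(url)
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("nextLink")
        if not url:
            return
    raise RuntimeError("gave up after max_pages; raise the limit or narrow the query")


def make_fake_fetch(total: int, page_size: int = 50) -> Callable[[str], dict]:
    """Constructed stand-in for the service: `total` incidents in pages of `page_size`."""
    def fetch(url: str) -> dict:
        skip = int(url.rsplit("$skipToken=", 1)[1]) if "$skipToken=" in url else 0
        page = [{"name": f"inc-{i}", "properties": {"incidentNumber": i}}
                for i in range(skip, min(skip + page_size, total))]
        body: dict = {"value": page}
        if skip + page_size < total:
            body["nextLink"] = f"{INCIDENTS_URL}&$skipToken={skip + page_size}"
        return body
    return fetch


def count_all_incidents(total: int) -> int:
    """Walk a fake listing of `total` incidents and count what pagination returned."""
    return sum(1 for _ in iter_incidents(INCIDENTS_URL, make_fake_fetch(total)))


# Constructed SecurityIncident rows: incident 7 was modified twice after creation, so it
# has three rows with the same CreatedTime and increasing TimeGenerated values.
SAMPLE_ROWS = [
    {"IncidentNumber": 7, "Status": "New", "CreatedTime": "2024-05-01T10:00:00Z",
     "TimeGenerated": "2024-05-01T10:00:00Z"},
    {"IncidentNumber": 7, "Status": "Active", "CreatedTime": "2024-05-01T10:00:00Z",
     "TimeGenerated": "2024-05-01T11:30:00Z"},
    {"IncidentNumber": 7, "Status": "Closed", "CreatedTime": "2024-05-01T10:00:00Z",
     "TimeGenerated": "2024-05-02T09:15:00Z"},
    {"IncidentNumber": 8, "Status": "New", "CreatedTime": "2024-05-02T08:00:00Z",
     "TimeGenerated": "2024-05-02T08:00:00Z"},
]


def latest_rows(rows: list[dict]) -> dict[int, dict]:
    """One row per IncidentNumber: the one with the greatest TimeGenerated.

    KQL equivalent:  SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentNumber
    ISO-8601 UTC timestamps of equal format compare correctly as strings.
    """
    latest: dict[int, dict] = {}
    for row in rows:
        n = row["IncidentNumber"]
        if n not in latest or row["TimeGenerated"] > latest[n]["TimeGenerated"]:
            latest[n] = row
    return latest


if __name__ == "__main__":
    print("incidents paged:", count_all_incidents(8000))
    for n, row in sorted(latest_rows(SAMPLE_ROWS).items()):
        print(n, row["Status"], "created", row["CreatedTime"], "last change", row["TimeGenerated"])
```

Against a live workspace, pass `lambda u: http_fetch(u, token)` as the `fetch` argument with a token that has Microsoft Sentinel Reader (or Responder, for bulk closure) on the workspace. The Log Analytics table behind the second half is `SecurityIncident`; filtering it on CreatedTime alone returns one row per modification, which is exactly the duplication the reply describes.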