User Profile
Mprossau
Copper Contributor
Joined 3 years ago
Recent Discussions
Adjust permitted content types in Front Door Premium WAF
Hi, I am tuning a Front Door Premium WAF policy for a web app which has just been deployed. I am seeing multiple hits on rule PROTOCOL-ENFORCEMENT-920420 due to a content type of text/html being received. Matching traffic I have reviewed so far is all legitimate and should not be blocked. How can I adjust the permitted content types? Cheers, Michael
486 views, 0 likes, 0 comments

Required data for DNS Anomalies
Hi, I am starting to work with Anomalies in my Sentinel deployment. I have a large volume of DNS data ingested via the Windows DNS Events via AMA connector. So far I haven't seen any anomalies trigger against it. Is this connector able to supply data for use in the two Anomaly models? The page here, Anomalies detected by the Microsoft Sentinel machine learning engine | Microsoft Learn, just mentions they need 'DNS Events'. When I look in my Sentinel deployment it only lists 'Windows DNS via Legacy Agent' as the data source. Cheers, Michael
382 views, 0 likes, 0 comments

Storing Logic App Connector API keys in Key Vault
Hi, I am starting to learn deploying playbooks with Microsoft Sentinel. My question is on the storage of API keys for Logic Apps connectors. Can these be stored inside an Azure Key Vault, and if so, how? I can use a Logic App to get secrets out of a Key Vault without issue. I can't see how to use that secret against the connector. I also can't see an obvious way from the connector API page to do that. Cheers, Michael
745 views, 0 likes, 0 comments

Permissions issue with Run-MDEAntivirus playbook
Hi, I am having a permissions issue with getting the playbook template 'Run-MDEAntivirus' working. So far I have:
- Given Microsoft Sentinel permissions to run playbooks in the correct Resource Group.
- Deployed the playbook template from Sentinel (as at January 2023) with a system-assigned managed identity.
- Used PowerShell to grant the managed identity the permissions 'Machine.Scan', 'Machine.ReadWrite.All' and 'Machine.Read.All'.
- Dropped an EICAR file on a host and watched the playbook trigger as expected.
Steps using the Sentinel connector inside the Logic App work (these all have green ticks and contain the expected data). The first MDE step, 'Machines - Get a Single Machine', fails with a 403 error. The message it returns is 'Missing application roles. API required roles: Machine.Read.All, Machine.ReadWrite.All, application roles 'Machine.Scan''. I am not clear where I need to add those privileges. My understanding is the Logic App is using the wdatp-Run-MDEAntivirus API connection, which in turn is using the managed identity (that has the right privileges). Any suggestions on what to do next would be welcome. Cheers, Michael
2K views, 1 like, 2 comments
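The following is an added example, not part of the original post and not Microsoft's playbook template: a PowerShell check of which WindowsDefenderATP application roles the playbook's managed identity actually holds, granting any of the three required roles that turn out to be missing. It assumes the Microsoft Graph PowerShell module, that the Logic App is named Run-MDEAntivirus (the system-assigned managed identity appears in Entra ID as a service principal with the Logic App's name), and that the Defender for Endpoint API resource is registered with the display name WindowsDefenderATP.

```powershell
# Added example (not from the original post or the playbook template).
# Verify the app roles a Logic App's system-assigned managed identity holds
# on the Defender for Endpoint API, and grant any required role that is missing.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

$logicAppName  = "Run-MDEAntivirus"   # assumption: name of the deployed playbook
$requiredRoles = @("Machine.Read.All", "Machine.ReadWrite.All", "Machine.Scan")

# Managed identity service principal (carries the Logic App's name)
$mi = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"
if (-not $mi) { throw "No service principal found for '$logicAppName'" }

# Defender for Endpoint API resource (assumption: display name WindowsDefenderATP)
$mde = Get-MgServicePrincipal -Filter "displayName eq 'WindowsDefenderATP'"
if (-not $mde) { throw "WindowsDefenderATP service principal not found in this tenant" }

# Resolve the identity's existing assignments on the MDE resource to role names
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -All |
    Where-Object { $_.ResourceId -eq $mde.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($mde.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

"Managed identity '$($mi.DisplayName)' ($($mi.Id)) holds: $($assigned -join ', ')"

$missing = $requiredRoles | Where-Object { $_ -notin $assigned }
if (-not $missing) {
    "All required roles are present; the 403 is not caused by missing app role assignments."
    return
}

"Missing roles: $($missing -join ', ')"
foreach ($roleName in $missing) {
    # Only application-type roles can be assigned to a managed identity
    $appRole = $mde.AppRoles | Where-Object {
        $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $appRole) { throw "Role '$roleName' not exposed as an application role by WindowsDefenderATP" }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id `
        -PrincipalId $mi.Id -ResourceId $mde.Id -AppRoleId $appRole.Id | Out-Null
    "Granted $roleName"
}
```

If the script reports that all three roles are already assigned to the identity it looked up, the assignments are not the problem, and the next thing to verify is that the wdatp-Run-MDEAntivirus API connection is really authenticating with that managed identity (and not another identity or a user account), and that the playbook's managed identity is the same service principal the roles were granted to. Newly granted app roles can also take a few minutes to be honoured by the API.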