Member: YanivSh | Microsoft Community Hub

Recent Discussions

Re: Apply metadata to logs to distinguish source
Ofer_Shezaf thanks for adding me. indeed i added Github issue to solve this issue https://github.com/Azure/Azure-Sentinel/issues/925 will update once it will publish
Aug 03, 2020 Place Microsoft Sentinel
2.4KViews
1like
0Comments
Re: Get entities for a Sentinel Incidient by API
SanderWannet please: "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks
Jun 04, 2020 Place Microsoft Sentinel
11KViews
0likes
5Comments
Re: Get entities for a Sentinel Incidient by API
SanderWannet currently the only way to achieve this is by: 1. Getting the system alert id by running the relation API call get: https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CXP/providers/Microsoft.SecurityInsights/Incidents/803f3d58-a406-4953-a1df-953143313a74/relations?api-version=2019-01-01-preview in my example the system alert id value located here 2. run a POST request on entities API with the system Alert ID based on the first phase where the expansionId is constant for get all entities Post https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CxP/providers/Microsoft.SecurityInsights/entities/fc4faf6f-03b7-3c57-6892-100a0f960f9d/expand?api-version=2019-01-01-preview body { "expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b", } This days product team are debating on how to make this process more user friendly with less calls. happy to share once we will have final decision.
Jun 01, 2020 Place Microsoft Sentinel
11KViews
1like
10Comments
Re: Email data parsing
Thijs Lecomte this is two different method that works with the same exchange API. if dealing with transferring a lot of data, function will be more cost effective. logic app has its own advantages, like debugging.
Apr 13, 2020 Place Microsoft Sentinel
1.8KViews
0likes
0Comments
Re: Audit-Failed Events not reaching Workspace
if you are seeing the event 4625 in the event viewer from one machine that sending other events i will recommend that you will open support ticket Neil2020
Apr 13, 2020 Place Microsoft Sentinel
2.6KViews
0likes
1Comment
Re: Audit-Failed Events not reaching Workspace
based on your pic the workspace is not define to collect security event at-all, because it is not on standard tier (paid). please show how the sentinel security event collector define? it must be connected and the log level must be at-least as minimal
Apr 13, 2020 Place Microsoft Sentinel
2.5KViews
0likes
4Comments
Re: Audit-Failed Events not reaching Workspace
Neil2020 if the workspace is shared between ASC and sentinel you can configure the log level ( minimal\command\full) only on one side: ASC or sentinel. https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events can you please share print screen from the defintion on the security event connector (on sentinel side) and the ASC workspace setting (under settings). see relevant pic from sentinel configuration
Apr 13, 2020 Place Microsoft Sentinel
2.5KViews
0likes
6Comments
Re: Email data parsing
Aalekh Also we can add @Jon Nordström azure function that is more cost effective and tested in large scale https://github.com/OfficeDev/O365-ActivityFeed-AzureFunction/tree/master/Sentinel/msgtrace here is the data schema
Apr 13, 2020 Place Microsoft Sentinel
1.8KViews
0likes
2Comments
Re: Unable to integrate suse linux (azure VM) on azure sentinel
Jayesh_D123 yes this is the same agent ( MMA\Azure monitor) You can see here the SUSE linux is supported https://github.com/microsoft/OMS-Agent-for-Linux#supported-linux-operating-systems this is the urls that you need to enable in the FW\proxy https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#network-firewall-requirements
Dec 26, 2019 Place Microsoft Sentinel
1.3KViews
0likes
0Comments
Re: Integration with WAZUH (OSSEC)
This product support CEF output https://documentation.wazuh.com/3.10/user-manual/reference/ossec-conf/syslog-output.html?highlight=cef So you should use sentinel CEF connector https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-The-Syslog-and-CEF-source-configuration-grand/ba-p/803891
Oct 01, 2019 Place Microsoft Sentinel
11KViews
0likes
0Comments
Re: How to check if Sentinel is enabled for a subscription (programmatic access)
You can check for a specific log analytics workspace if the sentinel log analytics solutions installed. By running this REST call https://docs.microsoft.com/en-us/rest/api/loganalytics/workspaces/listintelligencepacks And look in the resource this solution name: "name": "SecurityInsights", "enabled": true, "displayname": "Security Insights"
Sep 28, 2019 Place Microsoft Sentinel
3.8KViews
0likes
0Comments

User Profile

YanivSh

User Widgets

Recent Discussions

Re: Apply metadata to logs to distinguish source

Re: Get entities for a Sentinel Incidient by API

Re: Get entities for a Sentinel Incidient by API

Re: Email data parsing

Re: Audit-Failed Events not reaching Workspace

Re: Audit-Failed Events not reaching Workspace

Re: Audit-Failed Events not reaching Workspace

Re: Email data parsing

Re: Unable to integrate suse linux (azure VM) on azure sentinel

Re: Integration with WAZUH (OSSEC)

Re: How to check if Sentinel is enabled for a subscription (programmatic access)

Recent Blog Articles

What’s New? – Security Copilot Azure logic app Connector

What's New: MDTI Intel Reporting Dashboard and Workbook

What's New: APIs in Microsoft Graph

New ingestion-SampleData-as-a-service solution, for a great Demos and simulation

Learning with the Microsoft Sentinel Training Lab

Non-interactive logins: minimizing the blind spot

Microsoft Sentinel Incident Bi-directional sync with ServiceNow

Sending enriched Microsoft Sentinel alerts to 3rd party SIEM and Ticketing Systems

Using Azure Security Center API for Workflow Automation

Gain visibility for CVE-2020–0601 with Azure security center recommendation across your tenant.