Recent DiscussionsMost RecentNewest TopicsMost LikesSolutionsTagged:TagRe: Google CLoud Platform integration into Azure Sentinel MaheshUTP : best to raies (or vote up) for your request on https://aka.ms/MicrosoftSentinelFeedback Re: Central whitelist on Azure Sentinel Mohamadislam : seems like a platform hickup. I hope the link is now visible. Re: Central whitelist on Azure Sentinel Jafar1970 : you can find a detailed writeup on how to implement white listing, watch lists and enrichment in this blog post: Implementing Lookups in Azure Sentinel ~ Ofer Re: Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggeredStarted rolling out gradually to public preview today. Should be 100% rolled out in two weeks.Re: Searching by more than one field when using a watch list ChristopherKerry This is what I really find challenging with Splunk. Queries are absolutely unreadable. The SPL example you brought is fast to write to the initiated but does make any sense logically, making it impossible to understand if you are not a Splunk Guru. In KQL you have to be explicit, and readable, but I don't think makes the optimization different. Re: Sending logs from one tenant to a different tenant Sentinel instance pavankemi: First, it would be a large effort to just not use Lighthouse. However, any future support for cross tenant collection will also use Lighthouse (though reverse Lighthouse). So the contractual issues will have to be resolved. Re: Need Help With Azure Onboarding msef280 : the challenge is that there is no such thing as a Sentinel license. The cost is based on actual use. As a result, we obviously need someone with the right permissions to onboard Sentinel and essentially approve the charges. Same as for example creating a VM on Azure: it costs, so someone with the right permissions is needed to create it. Re: Sending logs from one tenant to a different tenant Sentinel instance pavankemi : - I would use Azure functions and not Logic Apps, as Logic Apps cost may become prohibitive. - It is not a simple project. We have customers doing that, but there is an inherent effort both in the custom connectors and modifying queries to work with it. Also, with custom connectors free sources are no longer free. To try to best help: why do you need to move all data to a central tenant? Re: Exclude IN Azure SentinelHow about this? SecurityIncident | extend product = tostring(AdditionalData.alertProductNames[0]) | where product !in ("Microsoft Cloud App Security") | extend summarizeby = iff(product == "Azure Sentinel", Title, product) | summarize count() by summarizeby | sort by count_Re: Windows 2003 events in SentinelAzure Sentinel currently doesn't support WEF, though this is planned. Meanwhile, you can use 3rd party alternatives such as NXlog to translate to Syslog or WinLogBeat and Logstash to a custom log.Re: Azure Sentinel with ASC and exsiting workspace avirat20 To the specific question about ASC and Azure Sentinl: you should use the same workspace. ASC itself does not use the workspace, and the value stems from Sentinel features. What you may want to do, is split none security data to a seperate workspace for cost reasons. This would imply dual homing. Re: Azure Sentinel for On premises without MMA agent kausiktsi : as CliveWatson stated, remove collection is currently possible only for Linux and other systems supporting Syslog (which would exclude Windows). See here for details. Remote collection for Windows is planned in the near future. Re: Loop through array in KQL LodewykV : to look throuhg an array, use mv-apply. Sometimes not exactly looping, mv-expand is sometimes more useful. GaryBushey Re: WEF forwarding to Azure Security Centre / Log AnalyticsI am not sure about the compete plans for the AMA. I focus on the Security use cases. Specifically for WEF, yet, as stated above, it would be supported by the AMA.Re: Sentinel Connectors - Flat files, ODBC, IBMi AzureHacki : For databases, in case your database is on-prem rather than a cloud service, I think that the best option would be Logstash. It might also be a good alternative for files. For IBM, it seems that iSeries supports CEF (see here). Also, zSecure supports CEF as outlined in what's new for zSecure V2.3.0 Re: Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered PrashTechTalk : I am not aware that the private preview does not work. That said, the feature will be supported as part of a larger motion to enhance Sentinel automation, called automatoin rules, which is entering private preview as we speak. Re: Adding playbooks to Microsoft Security out-of-the-box alert rule templates Manvie : still in private preview, I hope we are getting closer to going public. We made major changes based on private preview input. Re: WEF forwarding to Azure Security Centre / Log Analytics AdamPRD : We have decided to move a head with the Azure Monitor Agent (AMA) version, and the current Log Analytics Agent (MMA) version will not become public. Re: Multiple Log analytic workspace and rules cklonger : GaryBushey's answer is the best practice. However: - It is recommended, by Sentinel and by Log Analytics, to keep all logs in a centralized worksapce. - You can run a rule across worksapces using cross-workspace queries, however you will have to modify the built in rules and some features such as investigation are limited with such rules. Re: Close MCAS alert via API Luizao_f , Pranesh1060 : note that incident synchronizatoin with all Microsoft 365 defender sources is already in private preview.
Recent Blog ArticlesNewest TopicsMost LikesTagged:TagWhat’s new: Find the Sentinel content you need using AI search Overview Getting value from Microsoft Sentinel and the Microsoft Unified Security Operations Platform requires deploying the right solutions. Microsoft and our partners offer hundreds of solutions ...Whats New: Bicep Support in Microsoft Sentinel Repositories We are thrilled to announce a significant enhancement to the Microsoft Sentinel Repositories feature: support for Bicep templates. This update empowers security teams and DevOps professionals to mana...New! Normalization is now built-in Microsoft Sentinel Use ASIM in every query you create to cover all your data. Azure Sentinel Information Model Fall Release: Speed & Ease ASIM adds simple deployment, speed optimized parsers, an updated network schema, and Sysmon support. What's new: ASIM File Activity schema Find traces of malware and ransomware also in cloud storage. What's new: ASIM Authentication, Process, Registry and enhanced Network schemas Cross source detection, better EDR support, easier to use and more. What's new: Azure Sentinel Information Model DNS Schema and normalized content now public Learn more about ASIM, and how to get Azure Sentinel's value over all of your DNS sources, built-in or custom. Handling false positives in Azure Sentinel No detection rule is perfect. Learn how to handle false positives in Azure Sentinel. The Ninja Training 2021 edition is out! Azure Sentinel moves forward and so is its Ninja training! The FAQ companion to the Azure Sentinel Ninja training This live blog post provides answers to common Azure Sentinel questions. To make it easy to navigate, it is ordered by the Ninja training modules.
MicrosoftMicrosoftMicrosoftMicrosoft
