User Profile
leoszalkowski
Brass Contributor
Joined 7 years ago
Recent Discussions
Microsoft Graph API missing data
I'm using the Graph API to try to query the incidents in Sentinel, however not all of the data is populating properly. The data that is especially useful for the purpose of this API call is the following, yet they are all appearing as null, when in reality they should be populated. Fields appearing as null: ClosedDateTime, Comments, Assigned, Status.
2.2K views, 0 likes, 3 comments

Azure AD/Activity logs not connecting to new workspace
We recently migrated regions in Azure and reconfigured the logs to send to the new workspace. However, the AzureAD/Activity logs still say they're connected to the old workspace and no logs are being sent to the new workspace. Everything is turned off and unchecked in the old Sentinel connector. The diagnostic setting in AzureAD is configured to the new Sentinel workspace, and the connector is enabled and boxes are checked for the logs. The connector is still showing as disconnected though.
3.6K views, 0 likes, 2 comments

ASC Alert Connector
We have the Azure Security Center connector enabled to receive the alerts and it shows that the connector is enabled. However, the datatype SecurityAlert (ASC) is showing as disconnected and we have not received any logs. The Analytic rule for ASC is also created and enabled. There is a security alert, so it should appear in the SecurityAlert schema, but there's nothing. Are we missing a step here?
2.1K views, 0 likes, 2 comments

New Mapping Entities
Is there a road map for when new map entities will be added to alerts? We have a few playbooks set up for New Accounts created, and currently we're just using the Hosts entity as a placeholder for the "InitiatedBy" entity. These playbooks generate tickets for our company; however, we've been having some issues with the Initiator not being associated with the correct TargetResource. I've tried a few workarounds and I get one of the following: one InitiatedBy is associated with all TargetResources, when in reality there are multiple Initiators; or each InitiatedBy is associated with every TargetResource, which creates numerous duplicate tickets with incorrect information. I've also tried the new Alert Aggregation tool to group by the "Host" placeholder mapped entity, but it results in the same issue as above.
1.5K views, 0 likes, 1 comment

Another playbook issue
As of Sunday, the previous issue of the playbooks not running was mitigated and all had returned to normal functionality. Today, a new issue arose. Alerts are triggering on all of the playbooks that are currently enabled. No errors found within the playbooks. All playbooks are assigned properly. Anyone else experiencing this issue?
1.4K views, 0 likes, 4 comments

Re: Extracting Additional Data for E-mail Alert via Playbook
pho30 I did something similar with one of my logic apps. I had to create custom expressions using "triggerBody()?" in order to extract some of the other fields. This link may be helpful: https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference
4.4K views, 1 like, 2 comments

Re: Sentinel alerts stopped running playbooks
Also having the same issue across 3 tenants. The problem started for us around 9am EST on the 31st. I can run them manually within the Incident details page, but triggers are failing if I run them in the Logic App page. After some digging around in the logic app code, I looked at the raw output of the block that's failing and found that the header is not populating correctly and the body is not populating at all.
5.9K views, 0 likes, 2 comments

Re: Sentinel Playbook Issue
Quick update (still no solution). I did some more digging into this issue. Within the playbook error, it's looking like the playbook block that's throwing the error is not getting the correct output. I went back through the run history and noticed the raw outputs are drastically different. It is receiving different header information and no body information.
4.5K views, 0 likes, 4 comments

Re: Sentinel Playbook Issue
I get the 404 Not Found on the Get Incident block of my logic app. When I try to diagnose the issue using the Logic App Diagnose and Solve Problems tool, I get this error: "The detector couldn't identify the subscription, resource group or workflow specified in the URL. Please check your link."
4.5K views, 0 likes, 5 comments