User Profile
Pranesh1060
Brass Contributor
Joined Oct 17, 2019
User Widgets
Recent Discussions
Assigning alerts/incidents in Sentinel to a specific team/user/group.
Hi Guys, Is there a way to assign a particular incident coming in from different sources to a team/user/group instead of the admin going to the portal and assigning it to himself? Considering our team size, the requirement is to have respective SMEs take care of the incidents coming from their respective sources. For eg: Incidents coming from MCAS to be assigned to XYZ, incidents coming from AADIP to ABC and so on either by using playbook or by any other means. Also, is there a way to pin/export a dashboard of sorts to the homepage of Sentinel to see the number of incidents resolved/inprogress and new to be refreshed from time to time? Thanking in anticipationExcessive lookup queries from DNS
Hello Experts, From last 2 weeks or so we have been getting a lot of DNS lookup queries and events are being generated since the endpoints are trying to connect to random suspicious domains via the DNS servers to the internet . The number of events started to change drastically from 7th of this month. In addition to that, we have been getting alerts from ASC on Sentinel saying that endpoints are trying to connect to random suspicious domains/sinkhole domains and at times we are also getting alerts saying that network intrusion signature activation has been detected. However there are no alerts from MDATP or any other tool related to this activity. We have tried troubleshooting this on our own and as well as with MS, till now we haven't found anything. There was an article saying that the updates for the month of July contained 2 zero day vulnerabilities w.r.t to DNS servers and a registry change would be required, which we are in process of deployment. We checked this internally as well and has been confirmed that no additional logging has been enabled for on DNS. Has anyone here faced this issue? Any help would be appreciated. Thanking in anticipationUnable to access Sentinel Incidents Blade
Hi, We have not been able to access the incidents blade in Sentinel since yesterday. No changes were made from our end and also all the other blades are available for us. Raised this with the support no update yet, raising this here to check if anyone faced this problem earlier and what was done to resolve it. Error: Cannot read properties of undefined (reading 'name')Integrating Anomali TI data with Sentinel
Hello Experts, As we all might already be aware that we can connect to various TI feeds from Sentinel, using the TAXII data connectors. We would very much like to go ahead and integrate it with Anomali, however had a few questions if I may ask 1) In the TAXII data connector we are connecting to specific Collection IDs to get the data from Anomali. Is the time period considered by default or Anomali just provides us with whatever info it has? If there are thousands of records they all will be ingested into the workspace. 2) Per my understanding new TI data will be ingested into the TI table as and when it is available. What is the size of each record and will connecting to multiple ids increase the amount of storage substantially? Any leads on this would be appreciated. https://docs.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxiiO365 Management Activity API
Hello Experts, As you might already be aware of the amount of logs that are available to search in the security and compliance center are a tad bit limited and in order to be able to get more information related to an activity O365 management activity api is actually recommended. I have a requirement to fetch some logs related to PowerApps to get a log/alert when an on-prem data gateway connection is established/edited/deleted. I followed the office 365 api article(https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) and was able to fetch all the logs for the last 1 day using the Audit.general category. However I was unable to find any log related to the data gateway connection. I remember a new connection was created and deleted by a team member. I am looking at all the logs that belong to the workload "PowerApps". Is there something else that needs to be done or a different category altogether where this log might be stored?Re: Close MCAS alert via API
Luizao_f We do have the connector available which can update the alert directly in MDATP and perform other operations like Run AV scan, Collect packages for investigation etc etc. The action you are looking for is update alert. Maybe you can use the same logic to split and isolate the alert id and then close it.Re: Close MCAS alert via API
Luizao_f Hello, This is what I've been doing from my end and it seems to be working fine. Please give it a try and see how it goes. Where MCASTenant is the name of the tenant. Make sure that you have a token for authorization. I assume that you are well aware as to how the token has to be generated. Make no changes value of the header should be (Token followed the token generated). In case you do not know how to generate a token here's the link(https://docs.microsoft.com/en-us/cloud-app-security/api-tokens) Add this to your Body where Href is the alert id generated in MCAS. For testing copy the id from Sentinel incident and try to execute, at a later stage pass this as a variable. Hope this works for you!!.Re: Excessive lookup queries from DNS
majo01 That post was written in a hurry, let me try to post the exact scenario 1) Random requests are getting generated from endpoint machines trying to connect to random suspicious domains. This has caused a surge in the number of requests made by endpoints via DNS servers to internet. 2) These alerts are getting generated from ASC and since it is connected with Sentinel, alerts are getting replicated. Using the DG algorithm we come across a new domain every time there is a new alert. Now the question here is we do not have alerts from any other security tools, we tried scanning the machines but the results came clean. Not all the alerts are from one location or one particular endpoint. Just wanted to know, if anyone here has faced something of this kind or probably would have suggestions as to how we can tackle these alerts. If there were any changes that were recently made on ASC that we are not aware of.Azure Sentinel + Zscaler
Hi, We have successfully connected Sentinel with Zscaler and so far the logs that are getting ingested into the workspace are more or less the urls that are getting allowed/blocked. Is there anything else that needs to be done to get more logs or any documentation that could help us do it? If it not too much to ask can a status of the machine active/inactive, last connected time etc be ingested as well so that we can create a playbook for the respective IT teams to take action on it? Any help wrt to this will be on great help to us! ThanksUnable to update the alert in Security Graph using HTTP connector
Hi, We are trying to get requests for security alerts using the http connector available in Logic apps. We are querying the Graph Explorer API using the GET method and we are able to get the requested results. However when we try to update the alert using the PATCH method, by changing some values like assigned to, comments, tags, vendor information etc and run the trigger it fails with one message: message": "Request body has invalid content for property closedDateTime". As far as closedDateTime is concerned we tried with utcNow(), utcNow('D') but it fails. Did anyone here manage to update the alerts without errors? Any leads wrt to this will really be helpful.Re: Get full data into Playbook
Thijs Lecomte This is something I have done and probably you could do. Entities and Extended properties are JSON parameters. Using the data operations connector parse these parameters. You could get the JSON schema from the entities/extended properties logs. Almost all of the times the scheduled query is available in the Extended properties. By parsing you will convert JSON into String and take the Query parameter out. Initialize the variable naming it as XYZ and use Query with a time period(this is must). Using Azure Log Analytics run this initialized variable and you should be good to go.. Seems like a lot of pain but works just fine.Re: Extracting Additional Data for E-mail Alert via Playbook
pho30 Hi Sean, apart from the pre-defined values you can add other values by parsing the JSON parameter. All the parameters in the alert are to be converted into string. I've used this logic in my case. "Everytime an alert is triggered, using data operations connectors click on parse json, take the predefined value available in the alert For eg: "Extended properties" or "Entities" and click on sample payload to generate sample schema. From the logs copy the exact parameter and paste it in the sample schema, it will automatically generate a new schema for you. You can then make use of these values as per your requirement to either send an email or create a ticket in SNOW. Hope this helps!!Defender ATP Connector in Logic Apps-Azure Sentinel
Hi, I see that there is a connector available for Defender ATP while creating a new playbook in Sentinel. However I am not sure how exactly does it work. I haven't come across any use cases for that. Is it in any way related to Sentinel or is it just for Logic Apps? As we know in DATP multiple alerts constitutes of 1 incident, so when you create an analytical rule in Sentinel for DATP, it usually comes up with more than 3 results of which two of them are same and belong to the same hostname with the same info. So it makes it a bit difficult to create tickets in SNOW for them because you never know how many tickets will get created automatically. Is there a way around it to ignore the duplicate alerts and take only 1 alert? P.S: The second part of the post is the actual requirement, first part is to see if the connector can be leveraged to fulfill the requirement.Re: Assigning alerts/incidents in Sentinel to a specific team/user/group.
GaryBushey Hi Gary, thanks for your response. However when playbooks are getting triggered for a scheduled alert, is there a possibility to hard code the name of the administrator or a team directly? Like for every MCAS scheduled alert the incident owner should be me.
