User Profile
PrashTechTalk
Brass Contributor
Joined 6 years ago
Recent Discussions
Azure Sentinel Power BI Real time Reporting
Hi, I am trying to implement real-time reporting in Power BI using Azure Sentinel data but am not able to get a way forward. Although I can create a Power BI report using the "export Power BI query" option from the Sentinel workspace, the data isn't refreshed on a real-time basis due to the limitation on dataset refresh cycles. Appreciate it if someone can answer this. Please note: the requirement is real-time data refresh on Power BI datasets using Azure Sentinel logs, specifically security alerts. Thanks.

Microsoft Defender ATP Azure Sentinel Connector omits a lot of important Alert information
Hi, it is sad to see that the Microsoft Defender ATP connector in Azure Sentinel does not get all the required alert information compared to the Graph API. Details like user information, IP information, threat category and threat family are omitted. Building any custom playbook to get this data is additionally charged, although ingestion of Microsoft data is free. The connector needs improvement. Thanks

Azure Sentinel Workbook & Azure Dashboard Sharing to external B2B guest users (Solved)
Hi, I am trying to share Azure Sentinel Workbooks (custom) as well as Azure Dashboards with external guest users, i.e. Azure B2B user accounts, but am not able to share them. I get an error even after assigning appropriate RBAC roles (mostly tried Azure Log Analytics Reader, Azure Sentinel Reader and Reader) at different levels. Please note: this sharing is for external B2B users. Appreciate your response. Thanks.

Re: Brownfield Sentinel implementation
"Needless to say we need the data in the existing OMI workspace for other purposes also" If you can separate the security and non-security data ingestion, why do you need security data in your OMI workspace? It's a duplication of data spread across workspaces. Ingestion into a Sentinel-enabled workspace is for security analysis; any other data ingestion not only adds higher cost and retention but will pose a lot of challenges like noise, false positives, query performance issues, alerting etc., which mainly impacts mean time to triage and incident closure. It is good to ingest what is needed into a new Sentinel-enabled workspace and make use of Sentinel-specific RBAC.

Re: Data Connectors / Ingest capabilities for PowerBI/Apps to Azure Sentinel?
Option 1: If you are already using MCAS, get it connected to Power BI and use the MCAS connector. Ensure you turn on auditing. Option 2: Build a custom connector using the O365 Management API, preferably through a Function App rather than Logic Apps.

Re: Analytic rule query frequency
The minimum you can schedule a rule is 5 mins. Sentinel does not support 1 minute and it is not real time. There are a few points to consider.
1. Handling the noise, so make sure your rule is effective
2. Performance and cost of running the rule
3. Reduce the watchover period and size of the data
4. Take advantage of Azure Playbooks or automation.
5. If you do not want the rule to be scheduled, keep it as a hunting query for a manual run.
Lastly, may I know what use case you were looking at that needs a rule to run every minute?

Re: Need to Deploy Azure Sentinel
It's always good to start with the UI, and the quick start template covers it. At a later stage, if you want to go through automated deployment, do visit this link https://techcommunity.microsoft.com/t5/azure-sentinel/deploying-and-managing-azure-sentinel-as-code/ba-p/113192 If you are good with or interested in PowerShell scripts, make use of the AzSentinel PowerShell module for scripting.

Re: Bruteforce Query
There are many ways to achieve this. If it is for AAD then this should work, and it is generic for any application access that uses AAD accounts.

    // Sample values for the two parameters; set the window and failure count to suit your tenant.
    let timeframe = 1h;   // time frame window to look back over
    let threshold = 10;   // max failed sign-ins before a user/IP pair is reported
    SigninLogs
    | where TimeGenerated >= ago(timeframe)
    // 50126 = invalid username/password, 50074 = strong auth (MFA) required and not satisfied
    | where ResultType in ("50126", "50074")
    | summarize min(TimeGenerated), max(TimeGenerated), FailedLogonCount = count()
        by ResultType, UserDisplayName, UserPrincipalName, AlternateSignInName, IPAddress
    | where FailedLogonCount >= threshold

Re: Configure syslog from two different sources
Both logs can be sent on port 514. Did you go through the Azure Sentinel built-in connector for Cisco Meraki, which is still in preview, and its documentation? Though this is for reporting, the link below should give some info on your port-related question. https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API

Re: New Blog Post | What's New: Azure Sentinel Update Watchlist UI Enhancements
Appreciate the feature. Along with import through CSV, it's good to have import linked to a GitHub or OneDrive file managed centrally; it will ease maintenance and help keep track, especially when you have many workspaces when working through Azure Lighthouse.

Re: Azure Sentinel Automation (Preview) - Issue with Permission assignment
Adding more details to those scenarios. Scenario #1: I never mentioned I am the owner through Azure Lighthouse; instead I am a guest user existing in the primary tenant. Scenario 2: Already assigned the Azure Sentinel Automation Contributor through the Azure Lighthouse template deployment, as stated earlier in my message.

Re: Azure Sentinel Automation (Preview) - Issue with Permission assignment
Javier-Soriano - I noticed an interesting one here. Scenario 1: Unable to see the Manage Permission link. Although I am an owner of the Azure subscription and have added the Logic App Contributor role to my user ID within the customer tenant, I am not able to see the Manage Permission link at the Sentinel automation rule. Why can't one edit the permission in this case? Do you expect the user to have the Azure Sentinel Contributor role in addition to Owner and Logic App Contributor? Scenario 2: Able to see the Manage Permission link but cannot modify it. With Azure Lighthouse, after including delegation of Azure Security Insights with the Azure Sentinel Contributor role from the service provider tenant, I am able to check its permission but not change it; this is acceptable as I am NOT in the service provider tenant and with Azure Lighthouse a user can at most have a Contributor role.

Re: Azure Sentinel Automation (Preview) - Issue with Permission assignment
Perfect. Very same response from your support team as well on this issue. Good to highlight this in the documentation, or it may have improved from the time this issue was raised. There are two main scenarios when managing cross-tenant automation rules:
• Automation rule created in the customer tenant is configured to run a playbook located in the service provider tenant. This approach is normally used to protect intellectual property in the playbook. Nothing special is required for this scenario to work. Just grant permissions to the relevant resource group where the playbook is located via the Manage playbook permissions menu as explained here.
• Automation rule created in the customer tenant is configured to run a playbook located in the customer tenant. Used when there is no need to protect intellectual property. For this scenario to work, permissions to execute the playbook need to be granted to Azure Sentinel in both tenants. In the customer tenant, you grant them via the Manage playbook permissions menu as explained here. To grant the relevant permissions to the service provider tenant, you need to include the Azure Security Insights app in your Azure Lighthouse delegation template with the Azure Sentinel Automation Contributor role. The scenario looks like this: