User Profile

Sergei2435

Brass Contributor

Joined 5 years ago

11 Posts

View All Badges

User Widgets

Recent Discussions

Duplicate logs XDR
Will I get duplicate logs if I enable XDR connector and MDE, MDI, MDO, MDCA connectors separately in Sentinel? Thanks
Apr 10, 2024 Place Microsoft Sentinel
Data Collection
449Views
0likes
2Comments
Cloudflare to Sentinel
We use the MS Cloudflare connector (Function) and Cloudflare Logpush to Azure to onboard Cloudflare logs into Sentinel. Logs are being ingested into the storage account container without any issues. We restricted the storage account to Cloudflare IPs to make the storage account secure and meet compliance requirements. Immediately after the restriction was added, the function app stopped talking to the storage account and started throwing authentication errors. Whitelisting function IPs didn't make any difference. In our opinion, scaling the function app plan from consumer to premium and enabling Vnet integration will resolve the issue. By default, the function is deployed via an arm template in a consumer plan. I would greatly appreciate any suggestions or thoughts you might have.
Solved
Nov 30, 2023 Place Microsoft Sentinel
azure
Data Collection
integration
Log Data
siem
2.8KViews
0likes
2Comments
SignIn Office Location
Hi, I am trying to develop a query which determines how many users sign in from each office around the country. For the location of each office, I have the latitude and longitude. The following was my initial approach: 1. Create a table with the office name, latitude and longitude 2. Generate geohash value 3. Generate geohash value for sign-in geocoordinates in the SignIn table 4. Join two tables on geohash value let Office = datatable(Office:string, longitude:real, latitude:real) [ "Durham", double(-78.90213775634764),35.99591827392578, "LondonStrand", double(-0.016599999740719796),51.58330154418945, "NYNEW", double(-0.7399736916),40.75118126 ] | extend geohash = geo_point_to_geohash(longitude, latitude); //Office let SignIn=SigninLogs | extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude) | extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude) | extend geohash = geo_point_to_geohash(latitude_, longitude__); Office | join kind=inner SignIn on geohash When I try to get geohash from SignIn logs, I receive an error. I'm a bit lost now after hitting a brick wall for so long. Any suggestions would be greatly appreciated. Possibly another approach? Many Thanks
Jun 17, 2022 Place Microsoft Sentinel
KQL
kusto
1.1KViews
0likes
3Comments

Groups

Recent Blog Articles

Re: Integrating open source threat feeds with MISP and Sentinel
Thank you very much for the article. How do we specify to which workspace the logs should be sent? What if we have more than one Sentinel instance? Thanks
Jun 21, 2022 Place Microsoft Sentinel Blog
0likes
0Comments